Event ID 67 — AD CS Certificate Revocation List (CRL) Publishing

Applies To: Windows Server 2008

Providing clients with the information that they need to determine whether to trust a certificate is one of the most important security functions of a certification authority (CA) and public key infrastructure (PKI). For the administrator, this means promptly revoking untrusted certificates that have not reached their scheduled expiration dates and publishing this information in certificate revocation lists (CRLs). Monitoring and addressing problems with CRL publication and availability is a critical aspect of PKI security.

Event Details

Product: Windows Operating System
ID: 67
Source: Microsoft-Windows-CertificationAuthority
Version: 6.0
Symbolic Name: MSG_E_CRL_PUBLICATION_TOO_MANY_RETRIES
Message: Active Directory Certificate Services made %1 attempts to publish a certificate revocation list (CRL) and will not attempt to publish a CRL until the next CRL is generated.

Resolve

Enable CRL publication before the next CRL is generated

To correct this problem:

  • Follow the procedure in the "Correct CRL distribution point problems" section to correct any problems with your certificate revocation list (CRL) distribution point information, including permissions problems.
  • Follow the procedure in the "Confirm network connectivity" section to confirm that you have network connectivity to Active Directory Domain Services (AD DS) and computers hosting CRL distribution points.

To perform the following procedures, you must have Manage CA permission, or you must have been delegated the appropriate authority.

Correct CRL distribution point problems

To review and correct problems with CRL distribution point address information:

  1. On the computer hosting the CA, click Start, point to Administrative Tools, and click Certification Authority.
  2. Right-click the name of the certification authority (CA), and click Properties.
  3. Click the Extensions tab. Note the CRL distribution points for which the Publish CRLs to this location check box is selected.
  4. If a CRL publication location is not valid, replace it with a valid path.
  5. If the event log message specifies an Active Directory location that has been formatted as a Lightweight Directory Access Protocol (LDAP) address, use the procedure "Confirm Active Directory CRL distribution point permissions" to check that the CA has Write permissions to this location.
  6. If you are using custom network locations as CRL distribution points, confirm that the computer hosting the CA has Write access to the drive that contains the operating system on the other computer.

To determine the configured CRL distribution points from the command line:

  1. Open a command prompt window on the CA.
  2. Type certutil -getreg ca\crlpublicationurls and press ENTER.
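The following PowerShell script is an added example (not part of the original article) that reads the same CRLPublicationURLs value that certutil -getreg ca\crlpublicationurls prints, decodes the numeric flag prefix into the Extensions-tab check boxes, and for every location with "Publish CRLs to this location" set checks whether a write-granting ACE exists for the CA. It assumes it is run on the CA with administrator rights, that the CA name is the CertSvc "Active" registry value, and it simplifies token expansion: %7 (truncated CA name) is treated as equal to the CA name and %8 (CRL name suffix) as empty, which holds for a CA that has a single key.

```powershell
# Added example: enumerate CRL publication locations and check write access.
# Assumptions: run on the CA as an administrator; single CA key (so %8 is empty
# and %7 equals the CA name); the CA service runs as Local System.

$cfg    = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName = (Get-ItemProperty -Path $cfg -Name Active).Active
$urls   = (Get-ItemProperty -Path "$cfg\$caName" -Name CRLPublicationURLs).CRLPublicationURLs

# Bits of the numeric prefix on each entry. Bit 1 is the
# "Publish CRLs to this location" check box on the Extensions tab.
$flagNames = [ordered]@{
    1   = 'PublishCRL'
    2   = 'AddToCertCDP'        # include in the CDP extension of issued certificates
    4   = 'AddToFreshestCRL'    # delta CRL location
    8   = 'AddToCRLCDP'         # include in all CRLs
    64  = 'PublishDeltaCRL'
    128 = 'AddToIDP'
}

$configDn = ([ADSI]'LDAP://RootDSE').configurationNamingContext.Value
$fqdn     = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

function Expand-CdpTokens {
    param([string]$Template)
    # Substitute the %-variables the CA fills in at publish time. %10 (the LDAP
    # query suffix), %8 and %9 (delta marker) are blanked to get the base location.
    # %10 is replaced before %1 so the "1" in "%10" is not consumed first.
    $Template -replace '%10', '' `
              -replace '%1', $fqdn `
              -replace '%2', $env:COMPUTERNAME `
              -replace '%3', $caName `
              -replace '%6', $configDn `
              -replace '%7', $caName `
              -replace '%8', '' `
              -replace '%9', ''
}

# Rights that let the CA create or update the cRLDistributionPoint object in AD.
$adWriteMask = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty -bor
               [System.DirectoryServices.ActiveDirectoryRights]::CreateChild -bor
               [System.DirectoryServices.ActiveDirectoryRights]::GenericWrite
# The CA publishes to AD as its computer account (member of Cert Publishers).
$caAccountPattern = '\\' + [regex]::Escape($env:COMPUTERNAME + '$') + '$'

foreach ($entry in $urls) {
    $flagText, $template = $entry -split ':', 2
    $flags    = [int]$flagText
    $set      = $flagNames.GetEnumerator() | Where-Object { $flags -band $_.Key } | ForEach-Object { $_.Value }
    $location = Expand-CdpTokens $template
    $result   = [ordered]@{ Location = $location; Flags = ($set -join ','); Published = [bool]($flags -band 1); Check = 'n/a' }

    if ($result.Published) {
        if ($location -match '^ldap:///(.+)$') {
            # AD location: the CA needs write rights on the parent container.
            $parent = ($matches[1] -split ',', 2)[1]
            try {
                $container = [ADSI]"LDAP://$parent"
                $ok = $container.psbase.ObjectSecurity.Access | Where-Object {
                    $_.AccessControlType -eq 'Allow' -and
                    ($_.IdentityReference -match $caAccountPattern -or $_.IdentityReference -match 'Cert Publishers') -and
                    ($_.ActiveDirectoryRights -band $adWriteMask)
                }
                $result.Check = if ($ok) { 'Write ACE present' } else { 'No write ACE for CA account or Cert Publishers' }
            } catch { $result.Check = "Bind failed: $($_.Exception.Message)" }
        }
        elseif ($location -match '^(file:///?)?[A-Za-z]:\\' -or $location -match '^\\\\') {
            # Local or UNC path: the directory must exist and grant write to Local System.
            $dir = Split-Path -Path ($location -replace '^file:///?', '') -Parent
            if (Test-Path -Path $dir) {
                $ok = (Get-Acl -Path $dir).Access | Where-Object {
                    $_.AccessControlType -eq 'Allow' -and
                    $_.IdentityReference -match 'SYSTEM' -and
                    ($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::Write)
                }
                $result.Check = if ($ok) { 'Write ACE present' } else { 'No write ACE for SYSTEM' }
            } else { $result.Check = 'Directory missing' }
        }
        else { $result.Check = 'Publish flag set on a scheme the CA cannot publish to' }
    }
    [pscustomobject]$result
}
```

Any row with Published set to True and a Check other than "Write ACE present" is a location the CA will retry and eventually give up on, which is what Event ID 67 records; fix that location and then force publication with certutil -crl.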

Confirm Active Directory CRL distribution point permissions

To confirm Active Directory CRL distribution point permissions:

  1. On a computer that has Active Directory management tools installed, click Start, point to Administrative Tools, and click Active Directory Sites and Services.
  2. On the View menu, click Show Services Node.
  3. Double-click Services, and double-click Public Key Services.
  4. Right-click AIA, and click Properties.
  5. Click the Security tab, and confirm that the CA has Write permission to this location.

Confirm network connectivity

To determine if there is a network connectivity problem between the CA and a domain controller:

  1. On the CA, click Start, type cmd and press ENTER.

  2. Type ping <server_FQDN>, where <server_FQDN> is the fully qualified domain name (FQDN) of the domain controller (for example, server1.contoso.com), and then press ENTER.

  3. If you can connect to the domain controller, you will receive a reply similar to the following:

    Reply from IP_address: bytes=32 time=3ms TTL=59
    Reply from IP_address: bytes=32 time=20ms TTL=59
    Reply from IP_address: bytes=32 time=3ms TTL=59
    Reply from IP_address: bytes=32 time=6ms TTL=59

  4. At the command prompt, type ping <IP_address>, where <IP_address> is the IP address of the domain controller, and then press ENTER.

  5. If you can connect to the domain controller by IP address but not by FQDN, this indicates a possible issue with Domain Name System (DNS) host name resolution.

  6. If you cannot successfully connect to the domain controller by IP address, this indicates a possible issue with network connectivity.

  7. Check for and resolve any hardware problems, such as a malfunctioning network card or disconnected network cable, as well as any event log errors relating to firewall configuration or Internet Protocol security (IPsec) configuration.

  8. Repeat this procedure for any CRL distribution points that are not domain controllers. 

Verify

To perform this procedure, you must have Manage CA permission, or you must have been delegated the appropriate authority.

To confirm that certificate revocation list (CRL) publishing is working properly, perform the following procedure on a recently issued end-entity (user or computer) certificate:

  1. Open a command prompt window on a computer that is connected to the network.

  2. Type certutil -url <cert.cer> and press ENTER.

    Replace <cert.cer> with the name of a certificate file that you created by exporting a certificate using the Certificate Export Wizard.

  3. In the dialog box that appears, under Retrieve, click CRLs (from CDP), and click Retrieve.

  4. Confirm that the status of all retrieved CRL distribution points is listed as Verified.
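The following PowerShell script is an added example (not part of the original article) that does from a script what the certutil -url dialog does interactively: it reads the CRL Distribution Points extension of an exported certificate, fetches the CRL from each http:// and ldap:/// location, and reports whether the published CRL is still within its validity window. A stale CRL (NextUpdate in the past) is exactly the client-visible symptom of a CA that has stopped publishing after the retries reported by Event ID 67. It assumes certutil.exe is available on the client, that the certificate path is supplied by the caller (the default below is a placeholder), and that the client can reach the CDP hosts; for LDAP locations it binds with the current user's credentials.

```powershell
# Added example: check CRL availability and freshness for every CDP in a certificate.
# Assumptions: certutil.exe present; $CertPath is a placeholder supplied by the caller;
# LDAP fetch uses the caller's credentials.
param([string]$CertPath = 'C:\temp\cert.cer')

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
$cdp  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }   # CRL Distribution Points
if (-not $cdp) { throw "Certificate $($cert.Subject) has no CRL Distribution Points extension" }

# Format($true) renders the extension as text with one "URL=..." per location.
$urls = [regex]::Matches($cdp.Format($true), 'URL=(\S+)') | ForEach-Object { $_.Groups[1].Value }

function Get-CrlStatus {
    param([string]$Url)
    $tmp = [System.IO.Path]::GetTempFileName()
    try {
        if ($Url -match '^ldap:///([^?]+)') {
            # AD location: read the certificateRevocationList attribute of the CDP object.
            $dn    = [uri]::UnescapeDataString($matches[1])
            $obj   = [ADSI]"LDAP://$dn"
            $bytes = [byte[]]$obj.certificateRevocationList.Value
            [System.IO.File]::WriteAllBytes($tmp, $bytes)
        } else {
            (New-Object System.Net.WebClient).DownloadFile($Url, $tmp)
        }

        # certutil -dump prints ThisUpdate/NextUpdate lines for a CRL.
        $dump       = certutil -dump $tmp | Out-String
        $thisUpdate = [datetime]::Parse([regex]::Match($dump, 'ThisUpdate:\s*(.+)').Groups[1].Value.Trim())
        $nextUpdate = [datetime]::Parse([regex]::Match($dump, 'NextUpdate:\s*(.+)').Groups[1].Value.Trim())
        $entries    = [regex]::Match($dump, 'CRL Entries:\s*(\d+)').Groups[1].Value
        $now        = Get-Date

        $status = if ($nextUpdate -lt $now)               { 'EXPIRED - clients will fail revocation checks' }
                  elseif ($nextUpdate -lt $now.AddDays(1)) { 'Expires within 24h - confirm the CA is publishing' }
                  else                                      { 'Verified' }

        [pscustomobject]@{
            Url        = $Url
            ThisUpdate = $thisUpdate
            NextUpdate = $nextUpdate
            Entries    = $entries
            Status     = $status
        }
    } catch {
        [pscustomobject]@{ Url = $Url; ThisUpdate = $null; NextUpdate = $null; Entries = $null
                           Status = "Retrieval failed: $($_.Exception.Message)" }
    } finally {
        Remove-Item -Path $tmp -ErrorAction SilentlyContinue
    }
}

$urls | ForEach-Object { Get-CrlStatus -Url $_ } | Format-Table -AutoSize
```

Every location should report Verified, matching the dialog in step 4. A location that reports "Retrieval failed" points at the connectivity or permission problems covered under Resolve; one that reports EXPIRED means the CA produced no new CRL at that location before the old one lapsed, which is the condition Event ID 67 leads to if left unaddressed. For a one-line check that also builds the chain, certutil -verify -urlfetch <cert.cer> performs the same retrievals.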
