Providing clients with the information that they need to determine whether to trust a certificate is one of the most important security functions of a certification authority (CA) and public key infrastructure (PKI). For the administrator, this means promptly revoking untrusted certificates that have not reached their scheduled expiration dates and publishing this information in certificate revocation lists (CRLs). Monitoring and addressing problems with CRL publication and availability is a critical aspect of PKI security.
Create a certificate revocation list
Active Directory Certificate Services (AD CS) could not create a certificate revocation list (CRL), which may cause applications that need to check the revocation status of certificates issued by this certification authority (CA) to fail.
The event log message should contain more specific information regarding the CRL creation failure. To correct this error:
Fix any problems listed in the event log message.
Try to create a CRL manually.
To perform this procedure, you must have Manage CA permission, or you must have been delegated the appropriate authority.
Create a CRL
To manually create a CRL by using the Certification Authority snap-in:
On the computer hosting the CA, click Start, point to Administrative Tools, and click Certification Authority.
In the console tree, click Revoked Certificates.
On the Action menu, point to All Tasks, and click Publish.
Select New CRL to overwrite the previously published CRL, or select Delta CRL only to publish a current delta CRL.
To manually create a CRL by using the Certutil command-line tool:
On the computer hosting the CA, click Start, type cmd and press ENTER.
Type certutil -CRL and press ENTER.
If attempts to manually create a CRL fail, select the CA name in the the Certification Authority snap-in, and click Restart. Then, attempt to create the CRL again.