Collection Rule for event with source CertificationAuthority and ID 62

Summary

Providing clients with the information that they need to determine whether to trust a certificate is one of the most important security functions of a certification authority (CA) and public key infrastructure (PKI). For the administrator, this means promptly revoking untrusted certificates that have not reached their scheduled expiration dates and publishing this information in certificate revocation lists (CRLs). Monitoring and addressing problems with CRL publication and availability is a critical aspect of PKI security.

Resolutions

Configure AD CS to use user-specified CRL publication values

Active Directory Certificate Services (AD CS) is running but is using default certificate revocation list (CRL) publication period settings instead of the user-specified values. To fix this error:

• Check and, if necessary, correct CRL publication settings.

• If necessary, modify CRL registry keys.

Check and correct CRL publication settings

To perform this procedure, you must have Manage CA permission, or you must have been delegated the appropriate authority.

To check and fix correct publication settings:

• On the computer hosting the CA, click Start, point to Administrative Tools, and click Certification Authority.

• Right-click Revoked Certificates, and click Properties.

• Note the listed CRL and delta CRL publication intervals.

• If one of the settings is not valid, use the procedure "Modify CRL registry settings" to configure a valid setting.

To use the Certutil command-line tool to determine the configured CRL publication settings:

• On the computer hosting the CA, click Start, type cmd and press ENTER.

• Type certutil -getreg ca\crlperiod* and press ENTER, and then type certutil -getreg ca\crldeltaperiod* and press ENTER.

• If one of these settings is not valid, use the following procedure to configure a valid setting.

Modify CRL registry keys

To perform this procedure, you must have membership in local Administrators, or you must have been delegated the appropriate authority.

To set valid registry keys:

Caution: Incorrectly editing the registry might severely damage your system. Before making changes to the registry, you should back up any valued data.

• On the computer hosting the CA, click Start, type regedit, and then press ENTER.

• Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\ Configuration\CA name.

• Enter valid registry values for CRLPeriod and CRLDeltaPeriod. Valid values are Years, Months, Weeks, Days, or Hours.

• Enter valid registry values for CRLPeriodUnits and CRLDeltaPeriodUnits. Valid values are integers (1, 15, or 31, for example).

Note: The text CA name in the actual registry key will be replaced by the name of your CA.

Additional

To confirm that certificate revocation list (CRL) publishing is working properly, perform the following procedure on a recently issued end-entity (user or computer) certificate:

• Open a command prompt window on a computer that is connected to the network.

• Type certutil -url <cert.cer> and press ENTER.

Replace <cert.cer> with the name of a certificate file that you created by exporting a certificate using the Certificate Export Wizard.

• In the dialog box that appears, under Retrieve, click CRLs (from CDP), and click Retrieve.

• Confirm that the status of all retrieved CRL distribution points is listed as Verified.