Always Upgrading Blog

A blog (mostly) about Enterprise IT upgrades.

Publish New CRL From an Offline Root CA

If you’ve been following best practices, you likely have a multi-tiered Microsoft PKI with an offline root CA. In this case you’ll have to publish a new Certificate Revocation List using your offline CA server and install this on your online CA server. The following article outlines the steps involved in completing this process.

Generating the new CRL Using the Offline CA

First, you’ll need to power up your offline CA. Once it’s finished booting, navigate to C:\windows\system32\certsrv\certenroll and rename your current CRL (filename may vary, but should be the only file in this folder with a *.crl extension) to *.crl.old.

Publish CRL

Now under Administrative Tools open the Certificate Authority management console. Once this has loaded, right-click on the Revoked Certificates folder and choose All Tasks > Publish. Select New CRL from the next prompt that appears.


This will generate a new CRL file in the same location as the one we just renamed (C:\windows\system32\certsrv\certenroll\yourfilename.crl), we need to copy this somewhere that will be accessible from the online CA server.

Once you’ve copied the CRL file somewhere accessible, you can shut down the offline CA server again.

Publishing the new CRL in Active Directory

We now need to log onto our online CA server and copy the new CRL file to C:\windows\system32\certsrv\certenroll. Once you’ve copied the file here we need to open command prompt as an administrator and run the following command: Certutil -v -f -dsPublish "c:\windows\system32\certsrv\certenroll\yourfilename.crl"

Install CRL to AD

We should see a message as above stating that the dsPublish command completed successfully. We can verify this by opening MMC on the online CA, loading the Enterprise PKI snap-in and selecting our Root CA name (offline root).

Verify that CDP locations 1 and 2 are showing with a status of OK and that the expiration date is X weeks ahead of the current date (this date will depend on the periods you configured when installing your PKI servers).

Verify CDP Locations