Assume the following scenario:
- A new revocation list is created on the certification authority.
- The certification authority is configured to publish revocation lists to a network path.
- Publishing fails with the following error message:
Access is denied. 0x80070005 (WIN32: 5 ERROR_ACCESS_DENIED)
Sometimes it is necessary to withdraw a certificate issued by a certification authority from circulation before its expiration date. To make this possible, a certification authority maintains a revocation list: a signed file with a relatively short validity period that is used together with the certificate to check whether the certificate is still valid.
Depending on the type of revocation list, the certification authority logs event 65, 66, 74 or 75.
Cause
Do you know TameMyCerts? TameMyCerts is an add-on for the Microsoft certification authority (Active Directory Certificate Services). It extends the functionality of the certification authority and makes it possible to apply policies in order to securely automate certificate issuance. TameMyCerts is unique in the Microsoft ecosystem, has already proven itself in countless companies around the world and is available under a free license. It can be downloaded via GitHub and used free of charge. Professional maintenance is also offered.
This error indicates that the certification authority does not have write permission on the network path. The certification authority service runs in the NT AUTHORITY\SYSTEM context, which is represented on the network by the computer object of the certification authority server. This account requires write access both to the network share and to the underlying file system.
Granting the permission to the "Cert Publishers" group is a suitable approach, since certification authorities automatically become members of this security group during role installation.
The error also occurs when the revocation list share is located on the same server as the certification authority and a network path has nevertheless been configured for publishing.
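As an added example (not from the original article), the following PowerShell function checks the two permissions the cause above names, the SMB share ACL and the NTFS ACL behind the publishing path, for the "Cert Publishers" group. The UNC path, the file server name and the CONTOSO domain are placeholders for your environment; run it as an administrator of the file server.

```powershell
# Added example, not part of the original article: verify that the principal the CA
# publishes as (here the "Cert Publishers" group) can write to a CRL publishing path.
# Both the share-level ACL and the NTFS ACL can produce 0x80070005 ERROR_ACCESS_DENIED.
# Assumptions: \\fileserver\CRL and CONTOSO are placeholders; SmbShare module present.
function Test-CrlPublishAccess {
    param(
        [Parameter(Mandatory)][string]$UncPath,                   # e.g. \\fileserver\CRL
        [string]$Principal = "$env:USERDOMAIN\Cert Publishers"
    )
    # Split \\server\share into its two components.
    $server, $shareName = $UncPath.TrimStart('\') -split '\\', 2

    # Share-level ACL: "Read" is not enough to write a CRL file; "Change" or "Full" is needed.
    $shareAccess = Get-SmbShareAccess -Name $shareName -CimSession $server |
        Where-Object { $_.AccountName -eq $Principal -and $_.AccessControlType -eq 'Allow' }
    $shareOk = [bool]($shareAccess | Where-Object { $_.AccessRight -in 'Change', 'Full' })

    # NTFS ACL on the folder: the Write right (create/overwrite the CRL file) must be allowed.
    $ntfsAccess = (Get-Acl -Path $UncPath).Access |
        Where-Object { $_.IdentityReference.Value -eq $Principal -and $_.AccessControlType -eq 'Allow' }
    $write  = [System.Security.AccessControl.FileSystemRights]::Write
    $ntfsOk = [bool]($ntfsAccess | Where-Object { ($_.FileSystemRights -band $write) -eq $write })

    $verdict = if ($shareOk -and $ntfsOk) { 'CA can publish' } else { 'Expect 0x80070005 ERROR_ACCESS_DENIED' }
    [pscustomobject]@{
        Path      = $UncPath
        Principal = $Principal
        ShareAcl  = ($shareAccess.AccessRight -join ',')
        ShareOk   = $shareOk
        NtfsAcl   = ($ntfsAccess.FileSystemRights -join ',')
        NtfsOk    = $ntfsOk
        Verdict   = $verdict
    }
}

# Remediation if a check fails (same placeholders), then republish from the CA
# with "certutil -CRL" and watch for events 65/66/74/75 on the CA:
#   Grant-SmbShareAccess -Name CRL -CimSession fileserver -AccountName 'CONTOSO\Cert Publishers' -AccessRight Change -Force
#   icacls \\fileserver\CRL /grant 'CONTOSO\Cert Publishers:(OI)(CI)M'

Test-CrlPublishAccess -UncPath '\\fileserver\CRL' -Principal 'CONTOSO\Cert Publishers' | Format-List
```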