Revocation check fails for certificate with LDAP URL in Acrobat or Acrobat Reader

Problem details

The CRL Distribution Point (CDP) format for certificates issued by Enterprise Certification Authorities (CAs) employs an Active Directory path. The format of the CDP URL appears as ldap:///CN=MyCA,OU=...DC=example,DC=com?certificateRevocationList.

This default format, however, lacks the hostname necessary to locate the directory server. The revocation check fails since Acrobat or Acrobat Reader does not know the hostname and fails to get to the correct endpoint for downloading CRLs from CDP.

Workaround

Perform any of the workarounds below.

Workaround 1

Acrobat also supports HTTP-based URLs in AIA, providing an alternative to LDAP-based CDP for OCSP responses.

Workaround 2

Modify the certificate template to iclude the hostname in the CDP.

For example, ldap://ds.example.com:389/dc=example, dc=comwhere ds.example.com is the hostname.

Workaround 3

Publish the CRL to a webserver and use the HTTP URL in the CDP.

Workaround 4

Set the hostname via setting preference registry available in Acrobat or Acrobat Reader.

For details, see: https://www.adobe.com/devnet-docs/acrobatetk/tools/PrefRef/Windows/Security.html#idkeyname_1_23134

Registry preference for setting hostname
Set the hostname via Registry setting

 Adobe

Get help faster and easier

New user?

Adobe MAX 2024

Adobe MAX
The Creativity Conference

Oct 14–16 Miami Beach and online

Adobe MAX

The Creativity Conference

Oct 14–16 Miami Beach and online

Adobe MAX 2024

Adobe MAX
The Creativity Conference

Oct 14–16 Miami Beach and online

Adobe MAX

The Creativity Conference

Oct 14–16 Miami Beach and online