Publishing a certificate revocation list (CRL) fails with error message "Access is denied. 0x80070005 (WIN32: 5 ERROR_ACCESS_DENIED)".

Assume the following scenario:

  • A new revocation list is created on the certification authority.
  • The certification authority is configured to publish revocation lists to a network path.
  • Publishing fails with the following error message:
    Access is denied. 0x80070005 (WIN32: 5 ERROR_ACCESS_DENIED)

Sometimes it is necessary for a certificate issued by a certification authority to be withdrawn from circulation even before its expiration date. To make this possible, a certification authority keeps a revocation list. This is a signed file with a relatively short expiration date, which is used in combination with the certificate to check its validity.

Depending on the revocation list type, the certification authority logs event 65, 66, 74 or 75.

Cause

This error indicates that the certification authority does not have write permission on the network path. The certification authority service runs in the NT AUTHORITY\SYSTEM context, which is represented at the network level by the computer object of the certification authority server. This computer object therefore requires write access to the network share and to the underlying file system.

The "Cert Publishers" group is suitable for granting these permissions, since certification authorities automatically become members of this security group during role installation.

The error also occurs when the revocation list share is on the same server as the certification authority and a network path has been configured for publishing.
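
The following added example (not part of the original article) checks both permission layers named above, the share and the underlying file system, and grants the missing rights to "Cert Publishers". The share name `CertData` and the domain `CONTOSO` are assumed placeholders; run it on the file server that hosts the share.

```powershell
# Assumed values (not from the article): adjust to your environment.
$ShareName = 'CertData'                 # hypothetical SMB share holding the CRLs
$Principal = 'CONTOSO\Cert Publishers'  # placeholder domain name

# Resolve the local folder behind the share.
$share = Get-SmbShare -Name $ShareName -ErrorAction Stop
$path  = $share.Path

# 1. Share level: the principal needs Change (or Full) access.
$shareOk = Get-SmbShareAccess -Name $ShareName |
    Where-Object { $_.AccountName -eq $Principal -and
                   $_.AccessControlType -eq 'Allow' -and
                   $_.AccessRight -in 'Change', 'Full' }
if (-not $shareOk) {
    Grant-SmbShareAccess -Name $ShareName -AccountName $Principal `
        -AccessRight Change -Force | Out-Null
    Write-Host "Granted share-level Change on $ShareName to $Principal"
}

# 2. File system level: the principal needs Modify on the folder and its files.
$acl    = Get-Acl -Path $path
$modify = [System.Security.AccessControl.FileSystemRights]::Modify
$ntfsOk = $acl.Access | Where-Object {
    $_.IdentityReference.Value -eq $Principal -and
    $_.AccessControlType -eq 'Allow' -and
    ($_.FileSystemRights -band $modify) -eq $modify
}
if (-not $ntfsOk) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Principal, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $path -AclObject $acl
    Write-Host "Granted NTFS Modify on $path to $Principal"
}

# 3. Show the resulting permissions on both layers for review.
Get-SmbShareAccess -Name $ShareName |
    Format-Table AccountName, AccessControlType, AccessRight
(Get-Acl -Path $path).Access |
    Format-Table IdentityReference, AccessControlType, FileSystemRights
```

Once both layers allow write access, running `certutil -CRL` on the certification authority publishes a new revocation list and shows whether the error is gone.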
