The short sweet answer is to just use good old certutil:

```powershell
certutil -f -urlcache ldap://your-cdp-from-a-cert...?objectClass=cRLDistributionPoint outputFile.crl
```

You can then run `certutil -dump outputFile.crl` and parse the output by piping it to `findstr` if you want to check the expiry date or anything else.
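As an added worked example (my code, not part of the original post or anything from PKI101), here is the certutil route carried one step further: read the CRL Distribution Points extension out of a certificate, fetch each CRL with the same `certutil -f -urlcache` command, and then pull the validity window out of `certutil -dump` in PowerShell rather than eyeballing `findstr` output. It assumes `certutil.exe` is on the PATH, that `certutil -dump` labels the fields `ThisUpdate:`, `NextUpdate:` and `CRL Entries:` (dates in the current locale), and that `C:\temp\issued-cert.cer` is a placeholder for a certificate issued by your CA.

```powershell
# Added example, not from the original post. Assumes certutil.exe is on PATH and that
# certutil -dump prints "ThisUpdate:", "NextUpdate:" and "CRL Entries:" lines.

function Get-CdpUrl {
    # Returns every URL (ldap:// or http://) from the certificate's
    # CRL Distribution Points extension (OID 2.5.29.31).
    param([Parameter(Mandatory)][string]$CertPath)

    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
    $ext  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' } | Select-Object -First 1
    if (-not $ext) { return @() }

    # Format($true) renders the extension as text with one "URL=..." per distribution point;
    # spaces inside LDAP DNs are already %20-encoded there, so \S+ captures the whole URL.
    $text = $ext.Format($true)
    [regex]::Matches($text, 'URL=(\S+)') | ForEach-Object { $_.Groups[1].Value }
}

function Get-DumpField {
    # Returns the text after "<Name>:" on the first matching line of certutil -dump output.
    param([string[]]$Lines, [string]$Name)
    foreach ($line in $Lines) {
        if ($line -match "^\s*$Name\s*:\s*(.+?)\s*$") { return $Matches[1] }
    }
    return $null
}

function Get-CrlInfo {
    # Fetches one CRL with certutil -urlcache (-f forces a fresh download instead of the
    # cached copy) and reports its validity window from certutil -dump.
    param(
        [Parameter(Mandatory)][string]$Url,
        [Parameter(Mandatory)][string]$OutFile
    )

    & certutil.exe -f -urlcache $Url $OutFile | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "certutil could not fetch $Url (exit code $LASTEXITCODE)"
        return $null
    }

    $dump = & certutil.exe -dump $OutFile
    $thisUpdate = Get-DumpField -Lines $dump -Name 'ThisUpdate'
    $nextUpdate = Get-DumpField -Lines $dump -Name 'NextUpdate'
    $entries    = Get-DumpField -Lines $dump -Name 'CRL Entries'
    if (-not $nextUpdate) {
        Write-Warning "Could not find NextUpdate in certutil -dump output for $OutFile"
        return $null
    }

    # certutil prints dates in the current locale, so parse with the current culture
    $next = [datetime]::Parse($nextUpdate)
    $now  = Get-Date
    $status = 'OK'
    if (($next - $now).TotalHours -lt 24) { $status = 'EXPIRES-SOON' }
    if ($next -lt $now) { $status = 'EXPIRED' }

    [pscustomobject]@{
        Url        = $Url
        File       = $OutFile
        ThisUpdate = $thisUpdate
        NextUpdate = $next
        Entries    = $entries
        Status     = $status
    }
}

# Usage: 'C:\temp\issued-cert.cer' is a placeholder for a certificate issued by your CA.
$i = 0
$results = foreach ($url in Get-CdpUrl -CertPath 'C:\temp\issued-cert.cer') {
    $i++
    Get-CrlInfo -Url $url -OutFile ("crl_{0}.crl" -f $i)
}
$results | Format-Table Status, NextUpdate, Entries, Url -AutoSize
```

Because the same certutil call handles both `ldap://` and `http://` distribution points, the one loop covers whatever mix of CDP URLs the certificate carries; a CRL that is already past `NextUpdate` shows up as `EXPIRED`, which is the condition that makes clients fail revocation checking.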
Here's what a different AI gave me, but it then also said, in another explanation, that you can't download the CRLs from LDAP, only HTTP (you can query LDAP to get the URI if you want, but not download it). Wonderful.
To download a list of CRL files from an LDAP server using PowerShell, you can modify the script to loop through multiple entries that match the search filter and save each CRL to a separate file. Here's the updated PowerShell script:
```powershell
# System.DirectoryServices.Protocols is not loaded by default in Windows PowerShell
Add-Type -AssemblyName System.DirectoryServices.Protocols

# Define LDAP server and search parameters
$ldapServer = "your-ldap-server.com:389" # Replace with your LDAP server as host[:port] (LdapConnection does not take an ldap:// URL)
$searchBase = "CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=example,DC=com" # Replace with your configuration naming context
$filter = "(objectClass=cRLDistributionPoint)" # Filter to find the CRL distribution point objects

# Create the LDAP connection (Negotiate with no explicit credential uses the current user)
$ldapConnection = New-Object System.DirectoryServices.Protocols.LdapConnection($ldapServer)
$ldapConnection.SessionOptions.SecureSocketLayer = $false
$ldapConnection.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate

# Search for the CRLs
$searchRequest = New-Object System.DirectoryServices.Protocols.SearchRequest(
    $searchBase,
    $filter,
    [System.DirectoryServices.Protocols.SearchScope]::Subtree,
    [string[]]@("certificateRevocationList")
)
try {
    $searchResponse = $ldapConnection.SendRequest($searchRequest)
    $counter = 1 # Counter for naming CRL files
    foreach ($entry in $searchResponse.Entries) {
        if ($entry.Attributes.Contains("certificateRevocationList")) {
            # The attribute holds the raw DER-encoded CRL, so write the bytes as they are
            $crlData = $entry.Attributes["certificateRevocationList"].GetValues([byte[]])[0]
            $outputFile = "crl_file_$counter.crl"
            [IO.File]::WriteAllBytes($outputFile, $crlData)
            Write-Host "CRL from $($entry.DistinguishedName) saved to $outputFile"
            $counter++
        } else {
            Write-Host "No CRL data found in $($entry.DistinguishedName)."
        }
    }
    if ($counter -eq 1) {
        Write-Host "No CRL entries found."
    }
} catch {
    Write-Host "An error occurred: $_"
} finally {
    $ldapConnection.Dispose()
}
```
### Explanation:
- **Loop Through Entries**: The `foreach` loop iterates over all entries found by the LDAP search.
- **File Naming**: Each CRL is saved to a separate file with a unique name (e.g., `crl_file_1.crl`, `crl_file_2.crl`).
- **Counter**: A counter variable is used to keep track of the number of CRL files.
### Steps to Run:
1. Save this script as `download_crls.ps1`.
2. Open PowerShell as an Administrator.
3. Run the script:
```powershell
.\download_crls.ps1
```
### Considerations:
- Ensure you have the appropriate permissions and network access to connect to and read from the LDAP server.
- The script saves each CRL to the current working directory. You can modify the `outputFile` variable's path if needed to save to a different directory.

---

### Method 2
```powershell
# Replace with your LDAP server and the DNs of the CDP objects to fetch
$ldapServer = "your_ldap_server:389"
$crlDns = @(
    "CN=Your Issuing CA,CN=ISSUINGCA01,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=yourdomain,DC=com",
    "CN=Your Root CA,CN=ROOTCA01,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=yourdomain,DC=com"
)

# Function to download a CRL and save it to a file
function Download-CRL {
    param(
        [string]$ldapServer,
        [string]$crlDn,
        [string]$outputFile
    )
    $entry = $null
    try {
        # Bind directly to the CDP object (the ADSI provider name must be upper-case "LDAP://")
        $entry = New-Object System.DirectoryServices.DirectoryEntry "LDAP://$ldapServer/$crlDn"
        # The certificateRevocationList attribute holds the DER-encoded CRL
        $crlData = [byte[]]$entry.Properties["certificateRevocationList"].Value
        if ($crlData) {
            # Write the CRL data to a file
            [System.IO.File]::WriteAllBytes($outputFile, $crlData)
            Write-Host "CRL downloaded and saved to $outputFile"
        } else {
            Write-Warning "CRL not found for $crlDn"
        }
    } catch {
        Write-Error "Error downloading CRL: $($_.Exception.Message)"
    } finally {
        if ($entry) {
            $entry.Dispose()
        }
    }
}

# Loop through the CRL DNs and download each CRL, naming the file after the object's CN
foreach ($crlDn in $crlDns) {
    $cn = ($crlDn -split ',')[0] -replace '^CN=', ''
    $outputFile = "$cn.crl"
    Download-CRL -ldapServer $ldapServer -crlDn $crlDn -outputFile $outputFile
}
```

---

### Method 3
```powershell
# Replace 'http://your-ca-server/crl' with the actual HTTP CDP URL from the certificate
$crlUrl = "http://your-ca-server/crl"
$crlFilePath = "C:\path\to\save\crl.crl"
try {
    # -ErrorAction Stop turns an HTTP failure into a terminating error the catch block sees
    Invoke-WebRequest -Uri $crlUrl -OutFile $crlFilePath -ErrorAction Stop
    Write-Host "CRL downloaded successfully to $crlFilePath"
} catch {
    Write-Warning "Error downloading CRL: $($_.Exception.Message)"
}
```
Copyright © 2024 PKI101 - All Rights Reserved.