Microsoft PKI - Incorrect CDP's

Posted on 2009-04-14
Last Modified: 2013-12-04
Hello experts,
one little question.
I've an offline root CA and a sub issuing CA.
I now saw that the URLs to the revocation list in the certificate of the issuing CA point to an incorrect location.

Means: The locations for the .crl and .crt files to validate the certificates against revocation are configured incorrectly in the offline root CA.
If I issue a certificate from the issuing CA for any computer, the correct paths are included, because I've changed them.

I've now also changed the paths on the offline root CA, but my issuing CA does not recognize these changes made on the root CA.
How can I force this "replication"?

If I open pkiview.msc on the issuing CA, the offline root CA is shown as offline... but with ping on its IP address it's reachable.

Thanks in advance
Question by: merowinger
LVL 31

Expert Comment

ID: 24140960
You need to renew the sub CA's certificate for the new CDP from the root to propagate.  This is not a dynamic process.  You will also note that any of the certs issued from the sub CA to users/devices before updating that will have the same issue.

You can make things a little easier on yourself by reusing the same keyset since I'm assuming this is a pretty new CA installation if you have this kind of issue.

Here are the general instructions - since your root is offline you will need to just go about that the same way you did when you set up the sub CA in the first place (copy the csr file to the root).
LVL 31

Author Comment

ID: 24142441
Yeah, it's a 3-week-old installation.
No certificates for clients or users have this issue, as these certificates were issued from the sub CA with the correct CRL and CRT locations.
Is there anything I have to do with existing certificates for clients and users when using the "reuse key" option?

What I don't understand is: when I now execute these steps on the sub CA (renew certificate with reuse key option), how does the sub CA recognize the new CRL paths which I've configured on the offline root CA... as there seems to be no connection?!?

Could you please explain step by step what to execute where? Thanks a lot guy!!!!!

LVL 31

Accepted Solution

Paranormastic earned 500 total points
ID: 24142644
When you reuse the keys, the signature stays the same, just the certificate is updated.  No effect on the users for that.

I mentioned the user certs before because it sounded like the sub CA may have had the same problem?  The end user certs would need to be reissued to get the correct CDP from the sub CA, just like the sub CA needs to be reissued from the root CA.  However, it only affects that tier as long as the keys are the same - renewing the sub CA will not affect the user certs issued after the sub CA CDP was fixed (if I'm reading your message right).

I need to get going for the night so will keep this a little short.  You create a CSR on the sub CA, sneakernet it via floppy/flashdrive to the offline and process it there, then sneakernet the signed cert back to the sub CA.

Always best to use CA MMC - right click CAName - All Tasks - Backup CA and backup the cert database and private key before doing any of this.  A full backup including system state is nice too.  This is a pretty safe process, but just adding this in for reminder of good practice.

Here's a better link for the renewal process, this time referencing an offline root:

LVL 31

Author Comment

ID: 24145430
OK, I've now renewed the certificate with the same key and saved the request to a file.
Imported the request on the offline root CA -> Approved it -> Exported it -> And imported it on the sub CA with the menu option "Install certificate".
Now in pkiview the new paths for the CRL and AIA points of the offline root CA are listed.
One final question: Should the revocation list and the CRT list of the offline root CA also be published on the same path as those lists are published from the sub CA? Or shouldn't those lists be public?
LVL 31

Author Comment

ID: 24145445
Ehm, now I have two certificates listed
<sub ca name>.(1).crt
<sub ca name>.(1).crt
LVL 31

Author Comment

ID: 24145455
clicked too fast :)

There are two certificates listed now in the CertEnroll folder of the sub CA and in the settings of the sub CA:
<sub ca name>.crt
<sub ca name>(1).crt

Is this correct? Shall I delete some of them?
LVL 31

Expert Comment

ID: 24147470
It is normal to have the (1) after the new one.  The old one is technically still valid (so you don't need to rush to renew the old ones) but the new one will be used for new cert requests.  Keep them both.

It is common for all CA CDP and AIA locations to share a common path, although technically not required.  As long as the trusting party (end user) can reach the CDP and AIA for both that is what matters.  If you use them for external use (e.g. home users, business partners) then there should be a public link in addition to an internal link.
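The same-key renewal procedure from the accepted solution, together with the CDP/AIA reachability check the last expert comment describes, written out as certutil/certreq commands. This is an added example, not from the thread or from Microsoft's documentation; the CA name "Example Root CA", the host ROOTHOST, the file names and the http://pki.example.com/pki path are placeholders.

```powershell
# Added example (not from the thread): fix the root CA's CDP/AIA locations, renew the
# issuing CA certificate with its existing key pair, and verify the result.
# All host names, CA names and URLs below are placeholders.

# --- 1. On the OFFLINE ROOT CA: set the locations that will be stamped into the
#        certificates the root issues (i.e. the sub CA cert) and into its own CRL.
#        Flag 1 = publish the CRL/cert to this location, 2 = put it in the CDP/AIA extension.
$pkiUrl = "http://pki.example.com/pki"       # placeholder public publishing path
certutil -setreg CA\CRLPublicationURLs "1:$env:windir\system32\CertSrv\CertEnroll\%3%8%9.crl\n2:$pkiUrl/%3%8%9.crl"
certutil -setreg CA\CACertPublicationURLs "1:$env:windir\system32\CertSrv\CertEnroll\%1_%3%4.crt\n2:$pkiUrl/%1_%3%4.crt"
Restart-Service certsvc
certutil -crl                                 # issue a fresh root CRL; copy it and the root .crt to $pkiUrl

# --- 2. On the ISSUING (sub) CA: renew with the existing keys. This is the command-line
#        form of the "Renew CA Certificate" wizard used in the thread; with an offline
#        parent it writes a request file (path shown in its output) instead of submitting.
certutil -renewCert ReuseKeys

# --- 3. Sneakernet the .req to the root CA, then submit, approve and retrieve the cert.
certreq -submit -config "ROOTHOST\Example Root CA" .\SubCA.req .\SubCA.cer
# A standalone root usually leaves the request pending; approve it by its request ID:
#   certutil -resubmit <RequestId>
#   certreq -retrieve -config "ROOTHOST\Example Root CA" <RequestId> .\SubCA.cer

# --- 4. Back on the issuing CA: install the renewed certificate and restart the service.
#        The old <CAName>.crt and the new <CAName>(1).crt both remain, as the thread notes.
certutil -installCert .\SubCA.cer
Restart-Service certsvc

# --- 5. Check: the root's CRL and certificate must be fetchable at the URLs now embedded
#        in the sub CA cert. pkiview.msc reports a CA as "offline" when these HTTP/LDAP
#        fetches fail, regardless of whether the host answers ping.
certutil -verify -urlfetch .\SubCA.cer
```

Run step 5 from a client that only has network access a relying party would have; a CDP that is reachable from the CA but not from clients still leaves revocation checking broken.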
LVL 31

Author Comment

ID: 24147764
thank you very much!!!! =)
