Microsoft PKI - Incorrect CDP's

Posted on 2009-04-14
Medium Priority
Last Modified: 2013-12-04
Hello experts,
one little question.
I've an offline root CA and a sub issuing CA.
I now saw that the URLs to the revocation list in the certificate of the issuing CA point to an incorrect location.

Meaning: the locations for the .crl and .crt files used to validate the certificates against revocation are configured incorrectly in the offline root CA.
If I issue a certificate from the issuing CA for any computer, the correct paths are included, because I've changed them.

I've now also changed the paths on the offline root CA, but my issuing CA does not recognize these changes made on the root CA.
How can I force this "replication"?

If I open pkiview.msc on the issuing CA, the offline root CA is shown as offline... but with ping on its IP address it's reachable.

Thanks in advance
Question by:merowinger
LVL 31

Expert Comment

ID: 24140960
You need to renew the sub CA's certificate for the new CDP from the root to propagate.  This is not a dynamic process.  You will also note that any of the certs issued from the sub CA to users/devices before updating that will have the same issue.

You can make things a little easier on yourself by reusing the same keyset since I'm assuming this is a pretty new CA installation if you have this kind of issue.

Here are the general instructions - since your root is offline you will need to just go about that the same way you did when you set up the sub CA in the first place (copy the csr file to the root).
LVL 31

Author Comment

ID: 24142441
Yeah, it's a 3-week-old installation.
No certificates for clients or users have this issue, as these certificates were issued from the sub CA with the correct crl and crt locations.
Is there anything I've to do with existing certificates for clients and users when using the "reuse key" option?

What I don't understand is: when I now execute these steps on the sub CA (renew certificate with reuse key option), how does the sub CA recognize the new crl paths which I've configured on the offline root CA ... as there seems to be no connection?!?

Could you please explain step by step what to execute where? Thanks a lot guy!!!!!

LVL 31

Accepted Solution

Paranormastic earned 2000 total points
ID: 24142644
When you reuse the keys, the signature stays the same, just the certificate is updated.  No effect on the users for that.

I mentioned the user certs before because it sounded like the sub CA may have had the same problem?  The end user certs would need to be reissued to get the correct CDP from the sub CA, just like the sub CA needs to be reissued from the root CA.  However, it only affects that tier as long as the keys are the same - renewing the sub CA will not affect the user certs issued after the sub CA CDP was fixed (if I'm reading your message right).

I need to get going for the night so will keep this a little short.  You create a CSR on the sub CA, sneakernet it via floppy/flashdrive to the offline and process it there, then sneakernet the signed cert back to the sub CA.

Always best to use CA MMC - right click CAName - All Tasks - Backup CA and backup the cert database and private key before doing any of this.  A full backup including system state is nice too.  This is a pretty safe process, but just adding this in for reminder of good practice.

Here's a better link for the renewal process, this time referencing an offline root:
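The procedure described in this answer (correct the root's CDP/AIA, renew the issuing CA certificate with the same key pair, carry the request across by hand, install it and verify the URLs) as an added PowerShell/certutil example; it is not part of the original thread. pki.example.com, the D:\ sneakernet drive, the .req file name and the RequestId are placeholders.

```powershell
# ---- 1. On the OFFLINE ROOT CA: fix the CDP/AIA the root writes into the certs it signs.
# Prefix flags: 1 = publish to this location, 2 = include in the CDP/AIA extension of issued certs.
# Tokens: %1 = server DNS name, %3 = CA name, %8 = CRL name suffix. '\n' separates REG_MULTI_SZ entries.
$cdp = '1:C:\Windows\system32\CertSrv\CertEnroll\%3%8.crl\n2:http://pki.example.com/pki/%3%8.crl'
$aia = '1:C:\Windows\system32\CertSrv\CertEnroll\%1_%3.crt\n2:http://pki.example.com/pki/%1_%3.crt'
certutil -setreg CA\CRLPublicationURLs $cdp
certutil -setreg CA\CACertPublicationURLs $aia
Restart-Service certsvc
certutil -crl                                    # publish a fresh root CRL carrying the new locations

# ---- 2. On the ISSUING CA: back up first (prompts for a password), then renew with the same keys.
certutil -backup D:\CABackup
certutil -renewCert ReuseKeys                    # parent is offline, so the request is written to CertEnroll
Copy-Item 'C:\Windows\system32\CertSrv\CertEnroll\*.req' D:\   # sneakernet the .req to the root

# ---- 3. On the OFFLINE ROOT CA: submit, approve and retrieve the renewed issuing CA certificate.
certreq -submit D:\ISSUING01.req                 # placeholder file name; prints the RequestId (pending)
certutil -resubmit 5                             # 5 = placeholder RequestId from the line above
certreq -retrieve 5 D:\IssuingCA.cer

# ---- 4. On the ISSUING CA: install the renewed certificate (this creates the "(1)" copy the thread
#         mentions, the old one stays valid) and verify that every CDP/AIA URL in it is fetchable.
certutil -installCert D:\IssuingCA.cer
Restart-Service certsvc
certutil -ca.cert D:\current.cer                 # dump the CA certificate now in use
certutil -verify -urlfetch D:\current.cer        # a URL that fails here is what pkiview reports as "offline",
                                                 # regardless of whether the root answers ping

# Optional: list only the CDP (2.5.29.31) and AIA (1.3.6.1.5.5.7.1.1) extensions via .NET.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 'D:\current.cer'
$cert.Extensions |
  Where-Object { $_.Oid.Value -in '2.5.29.31', '1.3.6.1.5.5.7.1.1' } |
  ForEach-Object { "$($_.Oid.FriendlyName):`n$($_.Format($true))" }
```

Step 1 only changes what the root stamps into certificates it signs from now on, which is why the issuing CA certificate has to be renewed (steps 2 to 4) before the new locations show up.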
LVL 31

Author Comment

ID: 24145430
Ok, I've now renewed the certificate with the same key and saved the request to a file.
Imported the request on the offline root CA -> Approved it -> Exported it -> And imported it on the sub CA with the menu option "Install certificate".
Now in pkiview the new paths for the crl and aia points of the offline root CA are listed.
One final question: Should the revocation list and the crt list of the offline root CA also be published on the same path as those lists are published from the sub CA? Or shouldn't those lists be public?
LVL 31

Author Comment

ID: 24145445
Ehm, now I have two certificates listed
<sub ca name>.(1).crt
<sub ca name>.(1).crt
LVL 31

Author Comment

ID: 24145455
clicked too fast :)

There are two certificates listed now in the CertEnroll folder of the sub CA and in the settings of the sub CA:
<sub ca name>.crt
<sub ca name>(1).crt

Is this correct? Shall I delete one of them?
LVL 31

Expert Comment

ID: 24147470
It is normal to have the (1) after the new one.  The old one is technically still valid (so you don't need to rush to renew the old ones) but the new one will be used for new cert requests.  Keep them both.

It is common for all CA CDP and AIA locations to share a common path, although technically not required.  As long as the trusting party (end user) can reach the CDP and AIA for both that is what matters.  If you use them for external use (e.g. home users, business partners) then there should be a public link in addition to an internal link.
LVL 31

Author Comment

ID: 24147764
thank you very much!!!! =)
