Certificate Authority Publishing CDP

AGenMIS
I have one offline root CA and one issuing CA. Every 26 weeks I have to republish the CDP locations. I was able to republish the CDP LDAP for another 26 weeks which is CDP #1 but how do I republish CDP #2 which is http?

If I go to pkiview.msc on the issuing CA, it says my CDP #1 has updated to another 26 weeks but my CDP #2 is still set to expire in 2 weeks.

Thanks

Author

Commented:
I copied the new .CRL from my offline root and pasted it in the certdata directory on the issuing CA. When I pasted it, it replaced the old CRL. I went into the pkiview and it now says CDP #2 has updated for another 26 weeks.

Is copying and pasting the .CRL efficient? Do I have to run any certutil dspublish commands like I did to republish the LDAP CDP?

Thanks
Cryptographic Engineer
Commented:
You might have a script set up to copy *.crl (or *.cr* to include .crt files as well) from the sub CA to the CDP locations.  Since the root is offline (for proper extra security), you need to manually copy it over to the online subordinate CA.  This is a semi-common thing to do for ease of administration, one that I (and I'm sure other PKI experts) recommend fairly often to people.

Check your scheduled tasks to see if there might be something that maps a drive and copies the CRL files over.  Rarely, someone might have even converted it to a service that polls the certenroll directory for a new file, or just a simple copy script that runs as a service instead of a scheduled task.

Copying it is all you need to do for non-LDAP locations.  You just need to know which server(s) actually host that URL and copy it to the directory for that site on the web server.

Author

Commented:
I built the server at the beginning of the year so I can tell you that there are no scripts or tasks that pull the CRLs. Copying it seemed to work. I just wasn't sure if there was another step after copying. Our offline root CA is always powered off. The only time it is powered on is when we have to republish the CDP locations. If copying is all that I have to do then thank you for your help. I'll wait for a reply before I close this case.

Thanks
Paranormastic, Cryptographic Engineer

Commented:
The CDP might just be on the CA's web server maybe then?  Not really what I would advise, but if it is internal only and not a publicly accessible site then it should be okay.

You can check IIS against the URL in one of the issued certs' CRL Distribution Points to see if they match up.

If that's the case, yes, that's fine to just copy it over.
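The manual copy the thread settles on, plus the IIS-versus-certificate check suggested above, as an added PowerShell example that is not from the thread or from either participant. Everything it assumes is hypothetical: the root's newly signed CRL has been carried to a staging folder `C:\RootCA-Export` on the issuing CA, the HTTP CDP is served by IIS from `C:\inetpub\wwwroot\CertEnroll` (the thread only says the CDP is on the CA's own internal web server), and an issued certificate has been exported to `C:\Temp\issued.cer`. The script refuses to overwrite a published CRL with one whose NextUpdate is not later, then fetches each HTTP CDP URL listed in the issued certificate and compares the served file's hash with the file it just copied; LDAP CDPs are skipped because those are refreshed with `certutil -dspublish`, not by file copy.

```powershell
# Added example, not from the thread. All paths below are assumptions.
param(
    [string]$Staging    = 'C:\RootCA-Export',              # where the root's new CRL was carried to
    [string]$CdpDir     = 'C:\inetpub\wwwroot\CertEnroll', # IIS directory behind the HTTP CDP
    [string]$IssuedCert = 'C:\Temp\issued.cer'             # any cert issued by the sub CA
)

# Parse the NextUpdate field out of certutil's dump of a CRL file so we only
# replace the published CRL with one that is actually newer.
function Get-CrlNextUpdate {
    param([string]$Path)
    $dump = certutil -dump $Path | Out-String
    if ($dump -match 'NextUpdate:\s*(.+)') {
        return [datetime]::Parse($Matches[1].Trim())
    }
    throw "No NextUpdate found in $Path (is it a CRL?)"
}

# Read the CRL Distribution Points extension (OID 2.5.29.31) from an issued
# certificate and return every URL it lists (LDAP and HTTP alike).
function Get-CdpUrls {
    param([string]$CertPath)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
    $ext  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    if (-not $ext) { return @() }
    return [regex]::Matches($ext.Format($true), 'URL=(\S+)') |
        ForEach-Object { $_.Groups[1].Value }
}

# 1. Publish: copy the root's .crl (and .crt) files into the web directory,
#    skipping any CRL that would roll NextUpdate backwards.
Get-ChildItem -Path $Staging -Include *.crl,*.crt -File -Recurse | ForEach-Object {
    $dest = Join-Path $CdpDir $_.Name
    if ($_.Extension -eq '.crl' -and (Test-Path $dest)) {
        $old = Get-CrlNextUpdate $dest
        $new = Get-CrlNextUpdate $_.FullName
        if ($new -le $old) {
            Write-Warning "$($_.Name): staged NextUpdate $new is not later than published $old; skipping"
            return
        }
    }
    Copy-Item -Path $_.FullName -Destination $dest -Force
    Write-Host "Published $($_.Name) -> $dest"
}

# 2. Verify: every HTTP CDP in the issued cert must serve exactly the file we
#    copied. LDAP CDPs are skipped; they are refreshed with certutil -dspublish.
foreach ($url in Get-CdpUrls $IssuedCert) {
    if ($url -notmatch '^https?://') { Write-Host "Skipping non-HTTP CDP $url"; continue }
    $name  = [System.IO.Path]::GetFileName(([uri]$url).AbsolutePath)
    $local = Join-Path $CdpDir $name
    if (-not (Test-Path $local)) {
        Write-Warning "$url points at $name, which is not in $CdpDir (wrong web root or vdir?)"
        continue
    }
    $tmp = Join-Path $env:TEMP $name
    Invoke-WebRequest -Uri $url -OutFile $tmp -UseBasicParsing
    $served = (Get-FileHash $tmp   -Algorithm SHA256).Hash
    $ours   = (Get-FileHash $local -Algorithm SHA256).Hash
    if ($served -eq $ours) {
        Write-Host "OK: $url serves the new CRL (NextUpdate $(Get-CrlNextUpdate $local))"
    } else {
        Write-Warning "MISMATCH: $url serves a different file than $local"
    }
}
```

Run it on the issuing CA after carrying the new CRL over from the offline root; a MISMATCH or "not in $CdpDir" warning means the file was copied to a directory IIS is not actually serving for that URL, which is exactly the failure pkiview.msc would report as the HTTP CDP still expiring.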

Author

Commented:
The CA's web server which is also our Issuing CA is internal. Thanks for your help.
