Certificate Authority - Remove Orphaned CDP post CA Migration

Posted on 2011-05-11
Last Modified: 2013-12-04
Hey everyone,


History - I recently moved my Enterprise Root Single Node CA to another, new server to upgrade it to 2008 R2.  
This went well, except OCS and Exchange 2010 weren't that happy about it.  They show that the certificates are troubled and Exchange posts my now favorite thing in the world:
 "The certificate status could not be determined because the revocation check failed."
So on the Exchange Server, I open CertMGR.msc and export the troubled certificate to the desktop.  Then I run:
 certutil -verify -urlfetch ExchSVRCert.cer > Verify.txt
That pipes out to my txt file so I can search, and sure enough, at the bottom of the output, I have the old CA still listed as a CDP.  The new CDP is also listed in this output.
----------------  Certificate CDP  ----------------
Verified "Base CRL (08a6)" Time: 0
 [0.0] ldap:///CN=MyCompanyName,CN=Old_CA_ServerName,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=MyDomain,DC=local?certificateRevocationList?base?objectClass=cRLDistributionPoint
Expired "Delta CRL (08a6)" Time: 0
 [0.0.0] ldap:///CN=MyCompanyName,CN=Old_CA_ServerName,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=MyDomain,DC=local?deltaRevocationList?base?objectClass=cRLDistributionPoint
Failed "CDP" Time: 0
 Error retrieving URL: The server name or address could not be resolved 0x80072ee7 (WIN32: 12007)
 [0.1.0] http://Old_CA_ServerName.MyDomain.local/CertEnroll/MyDomain.crl
Failed "CDP" Time: 0
 Error retrieving URL: The server name or address could not be resolved 0x80072ee7 (WIN32: 12007)
 http://Old_CA_ServerName.MyDomain.local/CertEnroll/MyDomain.crl

Question:  I know the CA Manager has an Extensions tab to configure these items...but how do I remove the old CDP, and is this what's causing the revocation check to fail on the OCS and Exchange certs?

Thanks a lot!!!
Question by: inverted_2000
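Added example (not from the original thread): a small Python script that reads the Verify.txt produced by the certutil command above, keeps only the "Certificate CDP" section, and lists the CDP entries that failed to fetch or still name the retired CA server, which is the condition behind the Exchange revocation error quoted above. The sample output and the server names are constructed placeholders; note that in the ldap:/// path the server name is embedded as the CN just before CN=CDP, so it is extracted from there rather than from the (empty) URL host.

```python
import re

# Constructed sample in the layout certutil -verify -urlfetch uses; names are placeholders.
SAMPLE_VERIFY_TXT = """\
----------------  Certificate CDP  ----------------
Verified "Base CRL (08a6)" Time: 0
  [0.0] ldap:///CN=MyCompanyName,CN=Old_CA_ServerName,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=MyDomain,DC=local?certificateRevocationList?base?objectClass=cRLDistributionPoint
Expired "Delta CRL (08a6)" Time: 0
  [0.0.0] ldap:///CN=MyCompanyName,CN=Old_CA_ServerName,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=MyDomain,DC=local?deltaRevocationList?base?objectClass=cRLDistributionPoint
Failed "CDP" Time: 0
  Error retrieving URL: The server name or address could not be resolved 0x80072ee7 (WIN32: 12007)
  [0.1.0] http://Old_CA_ServerName.MyDomain.local/CertEnroll/MyCompanyName.crl
----------------  Certificate OCSP  ----------------
No URLs "None" Time: 0
"""

SECTION_RE = re.compile(r'^-+\s+Certificate (\w+)\s+-+$')
STATUS_RE = re.compile(r'^(Verified|Expired|Failed|No URLs)\s+"([^"]*)"')
URL_RE = re.compile(r'\[[\d.]+\]\s*(\S.*?)\s*$')  # "[0.1.0] <url>", also when fused onto an error line


def parse_cdp_section(text):
    """(status, description, url) for every URL listed in the Certificate CDP section only."""
    entries, section, status, desc = [], None, None, None
    for line in text.splitlines():
        if (m := SECTION_RE.match(line)):
            section, status = m.group(1), None          # new section: forget the previous status
        elif section == 'CDP' and (m := STATUS_RE.match(line)):
            status, desc = m.group(1), m.group(2)        # applies to the URL line(s) that follow
        elif section == 'CDP' and status and (m := URL_RE.search(line)):
            entries.append((status, desc, m.group(1)))
    return entries


def referenced_server(url):
    """Server a CDP URL depends on: the URL host, or for ldap:/// paths the CN just before CN=CDP."""
    if url.lower().startswith('ldap:///'):
        m = re.search(r'CN=([^,]+),CN=CDP,', url, re.I)
    else:
        m = re.match(r'[a-z]+://([^/?]+)', url, re.I)
    return m.group(1).strip() if m else None


def stale_cdps(text, retired_servers):
    """CDP entries that failed to fetch or still name a retired CA host (short name, case-insensitive)."""
    retired = {s.lower() for s in retired_servers}
    return [(status, desc, url) for status, desc, url in parse_cdp_section(text)
            if status == 'Failed'
            or (referenced_server(url) or '').split('.')[0].lower() in retired]
```

Any certificate for which this returns entries carries the old CDP in its own extension and must be reissued, since the extension cannot be edited after issuance; fixing the CA's Extensions tab only affects certificates issued afterwards.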

    Expert Comment

    Once a certificate is issued, you cannot change any property.
    So, either you change your new server name to be the same as the old one, or you issue new certificates to all computers that need the CDP to be updated.
    But I'm not really sure if you can rename a CA server.
    And it's not really clear how you transferred your CA to the new one. Was it a migration, or did you create a new one?

    Accepted Solution


    It is supported to move from a CA to another server with a different name.
    This had to be done because my old server was a domain controller, and when moving a CA you have to take the old one completely offline...and since my old CA was also a DC, it had double the reason to go offline.

    During the migration, the database from the old server is moved as well as the registry key with the configuration settings:

    Please view:
    If you have more questions about migrations, but there it states:
    "You can migrate CA to another server with different name than previous server. Understand, You can have any name of the member server considering you don't change the CA certificate name."
    This turned out to be true.

    Now that it's moved to the new node...I can issue new certificates, for example, AUTO ENROLL for my user account to my own PC with a built in template.
    The CA sees the request and issues the certificate and everything is cool...until I verify the certificate with:

    certutil -verify -urlfetch ExchSVRCert.cer > Verify.txt

    and I see the old CA Server name as a CDP at the bottom of the output.

    How do I get that out of there :o)


    Author Closing Comment

    It was correct all along.
