Certificate Authority - Remove Orphaned CDP post CA Migration

Posted on 2011-05-11
Medium Priority
Last Modified: 2013-12-04
Hey everyone,


History - I recently moved my Enterprise Root Single Node CA to another, new server to upgrade it to 2008 R2.  
This went well, except OCS and Exchange 2010 weren't that happy about it.  They show that the certificates are troubled and Exchange posts my now favorite thing in the world:
 "The certificate status could not be detemined because the revocation check failed."
So on the Exchange Server, I open CertMGR.msc and export the troubled certificate to the desktop.  Then I run:
 certutil -verify -urlfetch ExchSVRCert.cer > Verify.txt
That pipes out to my txt file so I can search, and sure enough, at the bottom of the output, I have the old CA still listed as a CDP.  The new CDP is also listed in this output.
----------------  Certificate CDP  ----------------
Verified "Base CRL (08a6)" Time: 0
[0.0] ldap:///CN= MyCompanyName,CN=Old_CA_ServerName,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=MyDomain,DC=local?certificateRevocationList?base?objectClass=cRLDistributionPoint
Expired "Delta CRL (08a6)" Time: 0
 [0.0.0] ldap:///CN=MyCompanyName,CN=Old_CA_Servername,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=MyDomain,DC=local?deltaRevocationList?base?objectClass=cRLDistributionPoint
Failed "CDP" Time: 0
 Error retrieving URL: The server name or address could not be resolved 0x80072ee7 (WIN32: 12007)[0.1.0] http://Old_CA_ServerName.MyDomain.local/CertEnroll/MyDomain.crl
Failed "CDP" Time: 0
 Error retrieving URL: The server name or address could not be resolved 0x80072ee7 (WIN32: 12007)    http://Old_CA_Servername.MyDomain.local /CertEnroll/MyDomain.crl

Question:  I know I'm to open the CA Manager has access to the Extensions tab to configure these items...but how do I remove the old CDP and is this what's causing the revocation to fail on the OCS and Exchange certs?

Thanks a lot!!!
Question by:inverted_2000
  • 2
LVL 11

Expert Comment

ID: 35739460
Once a certificate is issued, you cannot change any property.
So, either you change your new server name to be the same than the old one, either you issue new certificates to all computers who need CDP to be updated.
But I'm not really sure if you can rename a CA server.
And it's not really clear how you transfered your CA to the new one. It was a migration, or did you create a new one?

Accepted Solution

inverted_2000 earned 0 total points
ID: 35739538

It is supported to move from a CA to another server with a different name.
This had to be done because my old server was a domain controller and when moving a CA you have to take the old one compeltely offline...and sense my old CA was also a DC, it had double the reason to go offline.

During the migration, the database from the old is moved as well as the registry key with the configuration settings:

Please view:
If you have move questions about migrations but there it states:
"You can migrate CA to another server with different name than previous server. Understand, You can have any name of the member server considering you don't change the CA certificate name."
This turned out to be true.

Now that it's moved to the new node...I can issue new certificates, for example, AUTO ENROLL for my user account to my own PC with a built in template.
The CA sees the request and issues the certificate and everything is cool...until I verify the certificate with:

certutil -verify -urlfetch ExchSVRCert.cer > Verify.txt

and I see the old CA Server name as a CDP at the bottom of the output.

How do I get that out of there :o)


Author Closing Comment

ID: 35910011
It was correct all along.

Featured Post

Free Tool: Subnet Calculator

The subnet calculator helps you design networks by taking an IP address and network mask and returning information such as network, broadcast address, and host range.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Resolving an irritating Remote Desktop connection that stops your saved credentials from being used.
Will you be ready when the clock on GDPR compliance runs out? Is GDPR even something you need to worry about? Find out more about the upcoming regulation changes and download our comprehensive GDPR checklist today !
This tutorial will walk an individual through locating and launching the BEUtility application to properly change the service account username and\or password in situation where it may be necessary or where the password has been inadvertently change…
This tutorial will walk an individual through setting the global and backup job media overwrite and protection periods in Backup Exec 2012. Log onto the Backup Exec Central Administration Server. Examine the services. If all or most of them are stop…
Suggested Courses

864 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question