inverted_2000
Certificate Authority - Remove Orphaned CDP post CA Migration
Hey everyone,
History - I recently moved my Enterprise Root Single Node CA to another, new server to upgrade it to 2008 R2.
This went well, except OCS and Exchange 2010 weren't that happy about it. They show that the certificates are troubled and Exchange posts my now favorite thing in the world:
"The certificate status could not be determined because the revocation check failed."
So on the Exchange Server, I open CertMGR.msc and export the troubled certificate to the desktop. Then I run:
certutil -verify -urlfetch ExchSVRCert.cer > Verify.txt
That pipes out to my txt file so I can search, and sure enough, at the bottom of the output, I have the old CA still listed as a CDP. The new CDP is also listed in this output.
---------------- Certificate CDP ----------------
Verified "Base CRL (08a6)" Time: 0
[0.0] ldap:///CN=MyCompanyName,CN=Old_CA_ServerName,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=MyDomain,DC=local?certificateRevocationList?base?objectClass=cRLDistributionPoint
Expired "Delta CRL (08a6)" Time: 0
[0.0.0] ldap:///CN=MyCompanyName,CN=Old_CA_Servername,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=MyDomain,DC=local?deltaRevocationList?base?objectClass=cRLDistributionPoint
Failed "CDP" Time: 0
Error retrieving URL: The server name or address could not be resolved 0x80072ee7 (WIN32: 12007)
[0.1.0] http://Old_CA_ServerName.MyDomain.local/CertEnroll/MyDomain.crl
Failed "CDP" Time: 0
Error retrieving URL: The server name or address could not be resolved 0x80072ee7 (WIN32: 12007)
http://Old_CA_Servername.MyDomain.local/CertEnroll/MyDomain.crl
--------------------------------------------------------------------------------
Question: I know I'm to open the CA Manager, which has access to the Extensions tab to configure these items... but how do I remove the old CDP, and is this what's causing the revocation to fail on the OCS and Exchange certs?
http://technet.microsoft.com/en-us/library/cc773036(WS.10).aspx
Thanks a lot!!!
B
ASKER
It was correct all along.
So either you change your new server name to be the same as the old one, or you issue new certificates to all computers that need the CDP to be updated.
But I'm not really sure if you can rename a CA server.
And it's not really clear how you transferred your CA to the new one. Was it a migration, or did you create a new one?
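The diagnosis in the question (reading `certutil -verify -urlfetch` output for dead distribution points) and the fix in the reply above (get the CA pointing at the new host, then reissue) as one worked script. This is an added example, not code from the original post or from Microsoft. It assumes certutil.exe is on PATH, that the migrated CA is reachable as NEWCA.MyDomain.local (an assumed name), and that the embedded sample output, which is constructed from the poster's excerpt, stands in for Verify.txt when no file is given. Changing the CA's configuration only affects certificates issued from then on; the CDP extension already inside the Exchange and OCS certificates cannot be edited, which is why the reply says to reissue.

```powershell
<#
Added example (not from the original post). Two parts:
 1. Parse the "Certificate CDP" section of "certutil -verify -urlfetch <cert>.cer"
    output and list every distribution point with its status, so unreachable hosts
    and expired delta CRLs stand out.
 2. With -RewriteCdp, on the CA itself, replace CA\CRLPublicationURLs so newly
    issued certificates carry the new host, then republish the CRL.
Assumptions (mine): certutil.exe is on PATH; the new CA host is NEWCA.MyDomain.local;
the sample output below is constructed from the poster's excerpt, not captured live.
#>
param(
    [string]$VerifyOutputPath,                     # e.g. .\Verify.txt; omit to use the sample
    [string]$NewCaHost = 'NEWCA.MyDomain.local',   # assumed name of the migrated CA
    [switch]$RewriteCdp                            # modifies the CA; needs CA admin rights + elevation
)

function Get-CertutilUrlStatus {
    # Pair each Verified/Expired/Failed status line with the URL certutil prints for it.
    # The URL follows on a later line ("[0.0] ldap:///..."); for failures an
    # "Error retrieving URL:" line comes first and may carry the URL on the same line.
    param([string[]]$Lines)
    $results = New-Object System.Collections.Generic.List[object]
    $current = $null
    foreach ($line in $Lines) {
        if ($line -match '^\s*(Verified|Expired|Failed|Unverified)\s+"([^"]+)"') {
            $current = [pscustomobject]@{ Status = $matches[1]; Kind = $matches[2]; Url = $null; Error = $null }
            $results.Add($current)
            continue                                 # the status line never carries the URL
        }
        if ($null -eq $current) { continue }
        if ($line -match 'Error retrieving URL:\s*(.+)$') {
            # keep the error text, drop any "[0.1.0] http://..." tail sharing the line
            $current.Error = ($matches[1] -replace '\s*(\[[\d.]+\]\s*)?(https?|ldap|file):\S*$', '').Trim()
        }
        if ($line -match '((?:https?|ldap|file):\S+)') {
            $current.Url = $matches[1]
            $current = $null                         # entry complete; wait for the next status line
        }
    }
    return $results
}

function Find-UnusableDistributionPoints {
    # Anything not Verified could not serve the revocation check. An expired delta CRL
    # counts even when the base CRL verified: once the base CRL advertises a delta,
    # the chain engine needs a time-valid delta as well.
    param([object[]]$Entries)
    @($Entries | Where-Object { $_.Status -ne 'Verified' })
}

# Constructed from the poster's excerpt (not captured from a live system).
$sampleVerifyOutput = @'
----------------  Certificate CDP  ----------------
  Verified "Base CRL (08a6)" Time: 0
    [0.0] ldap:///CN=MyCompanyName,CN=Old_CA_ServerName,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=MyDomain,DC=local?certificateRevocationList?base?objectClass=cRLDistributionPoint
  Expired "Delta CRL (08a6)" Time: 0
    [0.0.0] ldap:///CN=MyCompanyName,CN=Old_CA_ServerName,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=MyDomain,DC=local?deltaRevocationList?base?objectClass=cRLDistributionPoint
  Failed "CDP" Time: 0
    Error retrieving URL: The server name or address could not be resolved 0x80072ee7 (WIN32: 12007)
    [0.1.0] http://Old_CA_ServerName.MyDomain.local/CertEnroll/MyDomain.crl
'@

$lines   = if ($VerifyOutputPath) { Get-Content -LiteralPath $VerifyOutputPath } else { $sampleVerifyOutput -split "`r?`n" }
$entries = Get-CertutilUrlStatus -Lines $lines
$entries | Format-Table Status, Kind, Error, Url -AutoSize -Wrap

$bad = @(Find-UnusableDistributionPoints -Entries $entries)
if ($bad.Count -eq 0) {
    Write-Host 'Every CDP verified; the revocation failure is not a CDP problem.'
} else {
    $hosts = $bad | ForEach-Object { $u = $_.Url -as [uri]; if ($u -and $u.Host) { $u.Host } } | Sort-Object -Unique
    Write-Host "CDPs the chain engine could not use: $($bad.Count) (unreachable hosts: $($hosts -join ', '))"
    if ($bad | Where-Object { $_.Kind -like 'Delta CRL*' }) {
        Write-Host 'Expired delta CRL: run "certutil -CRL" on the CA to publish a fresh one.'
    }
}

if ($RewriteCdp) {
    # CRLPublicationURLs is a multi-string of "<flags>:<url>"; certutil -setreg takes the
    # entries joined by a literal \n. Flags (added together): 1 publish base CRL here,
    # 64 publish delta CRL here, 2 include in the CDP extension of issued certs,
    # 4 include in the Freshest CRL extension (where clients look for the delta),
    # 8 include in the CDP extension of CRLs. %2/%3/%6/%7/%8/%9/%10 are certutil's
    # server short name, CA name, config container, truncated CA name, CRL suffix,
    # delta suffix and CDP object class tokens, so only the http entry names a host.
    Write-Host 'Current CRLPublicationURLs:'; & certutil -getreg CA\CRLPublicationURLs
    $newCdp = @(
        '65:C:\Windows\system32\CertSrv\CertEnroll\%3%8%9.crl',
        '79:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10',
        "6:http://$NewCaHost/CertEnroll/%3%8%9.crl"          # %1 (server DNS name) would also do
    )
    & certutil -setreg CA\CRLPublicationURLs ($newCdp -join '\n')
    Restart-Service -Name certsvc          # the CA reads CRLPublicationURLs at start-up
    & certutil -CRL                        # publish a fresh base + delta CRL to the new locations
    & certutil -getreg CA\CRLPublicationURLs
    Write-Host 'Existing certificates keep their old CDP: reissue them, then re-run certutil -verify -urlfetch.'
}
```

Run it with no arguments to see the triage on the sample, with `-VerifyOutputPath .\Verify.txt` on the real file, and with `-RewriteCdp` only on the CA and only if `certutil -getreg CA\CRLPublicationURLs` still shows the old host as a literal; if the entries already use `%1`/`%2` tokens, the CA is fine and the stale URL lives only in the certificates that were issued before the move. The AIA list (`CA\CACertPublicationURLs`) is handled the same way.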