Certificate Authority - Remove Orphaned CDP post CA Migration

Hey everyone,


History - I recently moved my Enterprise Root Single Node CA to another, new server to upgrade it to 2008 R2.  
This went well, except OCS and Exchange 2010 weren't that happy about it.  They show that the certificates are troubled and Exchange posts my now favorite thing in the world:
 "The certificate status could not be determined because the revocation check failed."
 
So on the Exchange Server, I open CertMGR.msc and export the troubled certificate to the desktop.  Then I run:
 certutil -verify -urlfetch ExchSVRCert.cer > Verify.txt
 
That pipes out to my txt file so I can search, and sure enough, at the bottom of the output, I have the old CA still listed as a CDP.  The new CDP is also listed in this output.
 
 
 
----------------  Certificate CDP  ----------------
 
Verified "Base CRL (08a6)" Time: 0
 
[0.0] ldap:///CN= MyCompanyName,CN=Old_CA_ServerName,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=MyDomain,DC=local?certificateRevocationList?base?objectClass=cRLDistributionPoint
 
Expired "Delta CRL (08a6)" Time: 0
 [0.0.0] ldap:///CN=MyCompanyName,CN=Old_CA_Servername,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=MyDomain,DC=local?deltaRevocationList?base?objectClass=cRLDistributionPoint
 
Failed "CDP" Time: 0
 Error retrieving URL: The server name or address could not be resolved 0x80072ee7 (WIN32: 12007)[0.1.0] http://Old_CA_ServerName.MyDomain.local/CertEnroll/MyDomain.crl
 
Failed "CDP" Time: 0
 Error retrieving URL: The server name or address could not be resolved 0x80072ee7 (WIN32: 12007)    http://Old_CA_Servername.MyDomain.local /CertEnroll/MyDomain.crl
 
------------------------------------------------------------------------------------------------------------------------------------------------


Question:  I know I'm to open the CA Manager, which has access to the Extensions tab, to configure these items...but how do I remove the old CDP, and is this what's causing the revocation check to fail on the OCS and Exchange certs?
http://technet.microsoft.com/en-us/library/cc773036(WS.10).aspx

Thanks a lot!!!
inverted_2000 asked:
 
inverted_2000 (Author) commented:
Hello,

It is supported to move from a CA to another server with a different name.
This had to be done because my old server was a domain controller, and when moving a CA you have to take the old one completely offline...and since my old CA was also a DC, it had double the reason to go offline.

During the migration, the database from the old is moved as well as the registry key with the configuration settings:

Please view:
http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/770926d0-3665-46c8-9791-a1f9e0bfd2c1
if you have more questions about migrations; there it states:
"You can migrate CA to another server with different name than previous server. Understand, You can have any name of the member server considering you don't change the CA certificate name."
This turned out to be true.


Now that it's moved to the new node...I can issue new certificates, for example, AUTO ENROLL for my user account to my own PC with a built in template.
The CA sees the request and issues the certificate and everything is cool...until I verify the certificate with:

certutil -verify -urlfetch ExchSVRCert.cer > Verify.txt

and I see the old CA Server name as a CDP at the bottom of the output.

How do I get that out of there :o)

 
Tasmant commented:
Once a certificate is issued, you cannot change any property.
So, either you change your new server name to be the same as the old one, or you issue new certificates to all computers that need the CDP to be updated.
But I'm not really sure if you can rename a CA server.
And it's not really clear how you transferred your CA to the new one. Was it a migration, or did you create a new one?
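As an added example (not code from the original post, from Microsoft, or from any of the participants), here is a PowerShell script that automates the check the question runs by hand and the consequence Tasmant's answer points out. It parses the "Certificate CDP" section of certutil -verify -urlfetch output, flags entries that fail or that still name the old CA server, then lists the CRLPublicationURLs the CA is configured to stamp into new certificates and, only when run with -Apply, removes the entries naming the old host. Assumed: it runs in an elevated PowerShell on the new 2008 R2 CA; the certificate path and the hostname Old_CA_ServerName are placeholders taken from the post.

```powershell
<#
  Added example, not code from the original post.
  Audits the CDP entries certutil reports for one certificate and compares them
  with the CA's configured CRL publication URLs. Nothing is changed without -Apply.
  Assumed: elevated PowerShell on the new CA; certutil.exe from Windows Server 2008 R2.
#>
param(
    [string]$CertPath  = "$env:USERPROFILE\Desktop\ExchSVRCert.cer",  # exported cert, as in the post
    [string]$OldCaHost = 'Old_CA_ServerName',                           # placeholder hostname from the post
    [switch]$Apply                                                      # without -Apply: report only
)

# --- 1. Same verification command the post runs, captured instead of redirected to a file ---
$verify = (& certutil.exe -verify -urlfetch $CertPath 2>&1) | Out-String

# Every "Certificate CDP" banner opens a section that ends at the next dashed separator.
$parts   = [regex]::Split($verify, '-+\s*Certificate CDP\s*-+')
$entries = @()
for ($i = 1; $i -lt $parts.Count; $i++) {
    $section = ($parts[$i] -split '-{16,}')[0]
    $status  = 'Unknown'
    foreach ($line in ($section -split "`r?`n")) {
        # Status lines look like:  Verified "Base CRL (08a6)" Time: 0   /   Failed "CDP" Time: 0
        if ($line -match '^\s*(Verified|Expired|Failed)\s+"([^"]+)"') { $status = $Matches[1] }
        # The URL follows on its own line, or after "Error retrieving URL: ..." for failures.
        if ($line -match '(?<url>(?:ldap|https?):\S+)') {
            $url = $Matches['url']
            # Host: the HTTP host, or the CN=<server> component that precedes CN=CDP in the LDAP DN.
            $cdpHost = ''
            if ($url -match '^https?://([^/]+)')       { $cdpHost = $Matches[1] }
            elseif ($url -match 'CN=([^,]+),CN=CDP')   { $cdpHost = $Matches[1] }
            $entries += New-Object PSObject -Property @{
                Status = $status
                Host   = $cdpHost
                Url    = $url
                # Orphan: unreachable, or still pointing at the retired server (short name or FQDN)
                Orphan = ($status -eq 'Failed') -or ($cdpHost -like "$OldCaHost*")
            }
        }
    }
}
"CDP entries found in $CertPath :"
$entries | Format-Table Status, Orphan, Host, Url -AutoSize

# --- 2. What the CA is configured to stamp into certificates it issues from now on ---
# certutil -getreg prints each REG_MULTI_SZ entry as "<index>: <flags>:<url>";
# the default entries use %1/%2 tokens, which expand to the current server name.
$reg        = (& certutil.exe -getreg 'CA\CRLPublicationURLs' 2>&1) | Out-String
$configured = [regex]::Matches($reg, '(?m)^\s*\d+:\s+(\d+:\S+)') | ForEach-Object { $_.Groups[1].Value }
"Configured CRLPublicationURLs (flags:url):"
$configured | ForEach-Object { "  $_" }

$stale = $configured | Where-Object { $_ -match    [regex]::Escape($OldCaHost) }
$keep  = $configured | Where-Object { $_ -notmatch [regex]::Escape($OldCaHost) }

if (-not $stale) {
    "No configured entry names $OldCaHost; the old CDP in this certificate was stamped at issue time."
} elseif (-not $Apply) {
    "Entries naming $OldCaHost (re-run with -Apply to remove them):"
    $stale | ForEach-Object { "  $_" }
} else {
    # certutil -setreg takes a REG_MULTI_SZ as one argument with a literal \n between entries.
    & certutil.exe -setreg 'CA\CRLPublicationURLs' ($keep -join '\n')
    Restart-Service CertSvc      # the CA reads the extension configuration at start-up
    & certutil.exe -crl          # publish a fresh CRL to the remaining locations
    "Removed $($stale.Count) entry/entries; certificates already issued still carry the old CDP."
}
```

Certificates that are already issued keep the CDP extension they were stamped with, so once the configuration is clean the Exchange and OCS certificates still have to be renewed or re-issued, which is the point Tasmant's answer makes. Running the script without -Apply first is the safe way to see what would change.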
 
inverted_2000 (Author) commented:
It was correct all along.