Solved

CDP Location Expiring

Posted on 2011-09-21
12,208 Views
Last Modified: 2014-03-31
Hello,

I have a Standalone Enterprise CA running on Windows Server 2008 R2. Through coincidence I logged into the server and found a warning under 'Enterprise PKI' that the 'CDP Location #1' is going to expire tomorrow. The 'DeltaCRL Location #1' is going to expire tomorrow as well but for some reason there is no warning active for that one.

No clue what this is about so I did some research on the internet and here and it looks like I have to renew the CDP Location, but none of the articles explains how I need to do that.

Can anybody please tell me how I can republish the CDP Location and fix this issue? And should I also be concerned about the 'DeltaCRL Location #1'?

Thank you
Mc2102
Question by:Mc2102
11 Comments

Author Comment

by:Mc2102
ID: 36574947
A co-worker of mine just told me that he thinks it will renew itself. Hmm, I am a little nervous about this.
LVL 8

Accepted Solution

by:
Shmoid earned 500 total points
ID: 36575070
It's the Certification Revocation List (CRL) that is expiring not the CRL Distribution Point (CDP).

You are correct that you must renew it. There are a couple of ways to automate it but unless you set it up it is unlikely that is the case. If it were automated it would likely have been renewed well before the expiration date.

To renew your CRL issue the following command from the command line: certutil -CRL
Then publish it with this command: certutil -dspublish -f -dc "yourDCname.domain.com"


Author Comment

by:Mc2102
ID: 36575714
Shmoid,

Just to make sure we are both on the same page I added a screenshot of the Warning I see.

If we are then I will first run the certutil -CRL command and then the command certutil -dspublish -f -dc "yourDCname.domain.com". I have more than one DC in the domain, can I use any?

Thank you
Mc2102
Author Comment

by:Mc2102
ID: 36575727
Attaching screenshot (attachment: Screenshot warning).
LVL 8

Expert Comment

by:Shmoid
ID: 36576224
Correct, those commands are exactly what you need.  The first column says CDP location to indicate the path to the CRL. It is the CRL that expires.

Yes, you can put any one of your DC's name in quotes in the 2nd command. It will replicate to the other DC's via normal replication.

Just FYI the first command creates a new CRL and puts in C:\WINDOWS\system32\certsrv\CertEnroll on the CA. The second command publishes that new CRL in Active Directory.


Author Comment

by:Mc2102
ID: 36576728
Shmoid,

Sorry to bother you again with this but now I am even more confused. I ran the first command:

certutil -CRL

Then I tried to run the second command but it failed and said:

CertUtil: Missing argument

So reading the /? I believe I have to add the location of the new CRL file as you stated before... BUT when I now check the pkiview.msc console the warning is gone. So am I done without the second command?
LVL 8

Expert Comment

by:Shmoid
ID: 36576970
Actually no, you wouldn't need to specify the CRL location. The -dspublish switch tells certutil to publish in Active Directory; it knows from the existing CRL where to put it. The -f just means to force overwrite and the -dc "name" specifies a specific DC. You can actually leave that off, and in a small environment replication is so fast you wouldn't notice. In a large enterprise environment you can specify a DC so you can quickly see the change on a local DC, but it will eventually replicate to all DCs.

It sounds like the command worked but one of the parameters was not recognized. Perhaps you had a space after one of the dashes or maybe left the quotes off the server name? Can you reply and type the command exactly as you did on the command line?

Also, did the date change in pkiview.msc? If so, you're fine for now. What is the CRL validity period? You will need to do this again when that date approaches.

LVL 8

Assisted Solution

by:Shmoid
Shmoid earned 500 total points
ID: 36577176
Mc2102,

You were absolutely right. I missed the path. The command should be:
certutil -dspublish -f -dc "dcname.domain.com" "c:\path\to\crl\crlname.crl"

I publish my issuing CA's CRL via scheduled task and a batch file. I should have looked at it. It's been so long since I did it manually I forgot about the path. Sorry about that.
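The renew-then-publish sequence Shmoid describes (certutil -CRL, then certutil -dspublish -f -dc "dcname" "path.crl"), wrapped the way his scheduled task presumably does it, with a NextUpdate check before and after so the pkiview.msc warning can be confirmed gone. This is an added example and not Shmoid's batch file or anything posted in the thread. It assumes it runs elevated on the CA itself, that the CertEnroll folder is in the default location, that $DomainController is a placeholder you replace, and that certutil -dump prints a "NextUpdate:" line when given a CRL file.

```powershell
# Added example, not code from the thread: renew the CA's CRL, publish it to
# Active Directory and report the new NextUpdate (the date to put in the calendar).
# Assumptions: runs elevated on the CA; $DomainController is a placeholder;
# certutil -dump emits a "NextUpdate: <date>" line for a CRL file.
param(
    [string]$CertEnroll       = "$env:SystemRoot\System32\CertSrv\CertEnroll",
    [string]$DomainController = "dcname.domain.com",   # placeholder: any DC in the domain
    [int]$WarnDays            = 7                       # flag CRLs closer to expiry than this
)

function Get-CrlNextUpdate {
    param([Parameter(Mandatory)][string]$Path)
    # Assumption: certutil -dump prints one "NextUpdate: <date>" line for a CRL.
    $match = certutil -dump $Path |
        Select-String -Pattern '^\s*NextUpdate:\s*(.+)$' |
        Select-Object -First 1
    if (-not $match) { throw "No NextUpdate line found in $Path" }
    return [datetime]::Parse($match.Matches[0].Groups[1].Value.Trim())
}

function Get-BaseCrlFiles {
    param([Parameter(Mandatory)][string]$Folder)
    # Delta CRLs carry a '+' before the extension (CAName+.crl); only base CRLs are published here.
    Get-ChildItem -Path $Folder -Filter '*.crl' | Where-Object { $_.Name -notlike '*+.crl' }
}

function Show-CrlStatus {
    param([Parameter(Mandatory)][string]$Folder, [int]$WarnDays)
    foreach ($crl in Get-BaseCrlFiles -Folder $Folder) {
        $next = Get-CrlNextUpdate -Path $crl.FullName
        $left = ($next - (Get-Date)).TotalDays
        $flag = if ($left -lt $WarnDays) { 'EXPIRING' } else { 'ok' }
        '{0,-40} NextUpdate {1:yyyy-MM-dd HH:mm} {2,6:N1} days left  [{3}]' -f $crl.Name, $next, $left, $flag
    }
}

# 1. Where do we stand before renewing? (this is what pkiview.msc is warning about)
Show-CrlStatus -Folder $CertEnroll -WarnDays $WarnDays

# 2. Issue a new CRL. The CA writes it to CertEnroll and to every CDP location
#    it is configured to publish to, which is why the warning can clear after this step alone.
certutil -CRL
if ($LASTEXITCODE -ne 0) { throw "certutil -CRL failed (exit code $LASTEXITCODE)" }

# 3. Push the fresh base CRL(s) into the AD CDP container, overwriting the old copy.
foreach ($crl in Get-BaseCrlFiles -Folder $CertEnroll) {
    certutil -dspublish -f -dc $DomainController $crl.FullName
    if ($LASTEXITCODE -ne 0) { throw "certutil -dspublish failed for $($crl.Name)" }
}

# 4. Confirm NextUpdate moved out; the same date should now show in pkiview.msc.
Show-CrlStatus -Folder $CertEnroll -WarnDays $WarnDays
```

Run it interactively once to see the before/after lines, then schedule it to run comfortably inside the CRL validity period (the thread's CRL ran about a week) so the renewal happens well before NextUpdate rather than the day before. The "EXPIRING" flag is what you would alert on if the script is run from monitoring instead of as the renewal itself.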

Author Comment

by:Mc2102
ID: 36580517
Shmoid,

Yes, the date in pkiview.msc changed and I just checked again and the warning is gone. What I am a little surprised about is that I do not recall this action ever before and the CA is up and running over a year. The new expiration date is 09/29/2011. I will put that into my calendar. Thank you for your help on this.

Author Closing Comment

by:Mc2102
ID: 36580527
After running the certutil -CRL command the warning was gone.

Expert Comment

by:PremCab
ID: 39965986
I have updated the CRL using "certutil -dspublish -f [RootCA.crl] [Root CA name]" command.

It was successful, but the expiry date of the CDP location hasn't been extended.

Any suggestions?