Solved

CDP Location Expiring

Posted on 2011-09-21
11
11,930 Views
Last Modified: 2014-03-31
Hello,

I have a Standalone Enterprise CA running on Windows Server 2008 R2. Through cohincidence I logged into the server and found a warning under 'Enterprise PKI' the the 'CDP Location #1' is going to expire tomorrow. The 'DeltaCRL Location #1' is going to expire tomorrow as well but for some reason there is not Warning active for that one.

No clue what this is about so I did not some research on the internet and here and looks like I have to renew the CDP Location but none of the article explains how I need to do that.

Can aybody please tell me how I can republish the CDP Location and fix this issue? And should I also be concernd about the 'DeltaCRL Location #1'?

Thank you
Mc2102
0
Comment
Question by:Mc2102
  • 6
  • 4
11 Comments
 

Author Comment

by:Mc2102
ID: 36574947
A co-worker of mine just told me that he thinks it will renew itsself. Hmm I am a little nervous about this.
0
 
LVL 8

Accepted Solution

by:
Shmoid earned 500 total points
ID: 36575070
It's the Certification Revocation List (CRL) that is expiring not the CRL Distribution Point (CDP).

You are correct that you must renew it. There are a couple of ways to automate it but unless you set it up it is unlikely that is the case. If it were automated it would likely have been renewed well before the expiration date.

To renew your CRL issue the following command from the command line: certutil -CRL
Then publish it with this command: certutil -dspublish -f -dc "yourDCname.doamin.com"

0
 

Author Comment

by:Mc2102
ID: 36575714
Shmoid,

Just to make sure we are both on the same page I added a screenshot of the Warning I see.

If we are then I will first run the certutil -CRL command and then the command certutil -dspublish -f -dc "yourDCname.doamin.com". I have more then one DC in the domain, can I use any?

Thank you
Mc2102
0
 

Author Comment

by:Mc2102
ID: 36575727
Attaching screenshot Screenshot warning
0
 
LVL 8

Expert Comment

by:Shmoid
ID: 36576224
Correct, those commands are exactly what you need.  The first column says CDP location to indicate the path to the CRL. It is the CRL that expires.

Yes, you can put any one of your DC's name in quotes in the 2nd command. It will replicate to the other DC's via normal replication.

Just FYI the first command creates a new CRL and puts in C:\WINDOWS\system32\certsrv\CertEnroll on the CA. The second command publishes that new CRL in Active Directory.

0
Zoho SalesIQ

Hassle-free live chat software re-imagined for business growth. 2 users, always free.

 

Author Comment

by:Mc2102
ID: 36576728
Shmoid,

Sorry to bother you again with this but now I am evern more confused. I ran the first command:

certutil -CRL

Then I tried to run the second command but it failed and said:

CertUtil: Missing argument

So reading the /? I believe the I have to add the location of the new CRL file as you stated before....BUT when I now check the pkiview.msc console then the warning is gone. So am I done without the second command?
0
 
LVL 8

Expert Comment

by:Shmoid
ID: 36576970
Actually no you wouldn't need to specify the CRL location.  The -dspublish switch tells certutil to publish in Active Directory it knows from the existing CRL where to put it.  The -f just means to force overwrite and the -dc "name" specifies a specific DC. You can actually leave that off and in a small environment replication is so fast you wouldn't notice. In a large enterprise environment you can specify a DC so you can quickly see the change on a local DC but it will eventually replicate to all DC's.

It sounds like the command worked but one of the parameters was not recognized. Perhaps you had a space after one of the dashes or maybe left the quotes off the server name? Can you reply and type the command exactly as you did on the command line?

Also, did the date change in pkiview.msc? If so, you're fine for now. What is the CRL validity period? You will need to do this again when that date approaches.

0
 
LVL 8

Assisted Solution

by:Shmoid
Shmoid earned 500 total points
ID: 36577176
Mc2102,

You were absolutely right. I missed the path. The command should be:
certutil -dspublish -f -dc "dcname.domain.com" "c:\path\to\crl\crlname.crl"

I publish my issuing CA's CRL via scheduled task and a batch file. I should have looked at it. It's been so long since I did it manually I forgot about the path. Sorry about that.
0
 

Author Comment

by:Mc2102
ID: 36580517
Shmoid,

Yes the data in pkiview.msc changed and I just checked again and the Warning is gone. What I am a little suprised about is that I do not recall this action ever before and the CA is up and running over a year. The new expiration date is 09/29/2011. I will put that into my calendar. Thank you for your help on this.
0
 

Author Closing Comment

by:Mc2102
ID: 36580527
After running the certutil -CRL command the warning was gone.
0
 

Expert Comment

by:PremCab
ID: 39965986
I have updated the CRL using "certutil -dspublish -f [RootCA.crl] [Root CA name]" command.

It was successful, but the expiry date of the CDP location hasn't been extended.

Any suggestions?
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Never store passwords in plain text or just their hash: it seems a no-brainier, but there are still plenty of people doing that. I present the why and how on this subject, offering my own real life solution that you can implement right away, bringin…
A customer recently asked me about anti-malware and the different deployment options available for his business. Daily news about cyberattacks, zero-day vulnerabilities, and companies that suffered a security breach made him wonder if the endpoint a…
This tutorial will give a an overview on how to deploy remote agents in Backup Exec 2012 to new servers. Click on the Backup Exec button in the upper left corner. From here, are global settings for the application such as connecting to a remote Back…
To efficiently enable the rotation of USB drives for backups, storage pools need to be created. This way no matter which USB drive is installed, the backups will successfully write without any administrative intervention. Multiple USB devices need t…

914 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

23 Experts available now in Live!

Get 1:1 Help Now