Solved

CDP Location Expiring

Posted on 2011-09-21
12,774 Views
Last Modified: 2014-03-31
Hello,

I have a Standalone Enterprise CA running on Windows Server 2008 R2. Through coincidence I logged into the server and found a warning under 'Enterprise PKI' that the 'CDP Location #1' is going to expire tomorrow. The 'DeltaCRL Location #1' is going to expire tomorrow as well, but for some reason there is no warning active for that one.

No clue what this is about, so I did some research on the internet and here, and it looks like I have to renew the CDP Location, but none of the articles explain how I need to do that.

Can anybody please tell me how I can republish the CDP Location and fix this issue? And should I also be concerned about the 'DeltaCRL Location #1'?

Thank you
Mc2102
Question by:Mc2102
11 Comments
 

Author Comment

by:Mc2102
ID: 36574947
A co-worker of mine just told me that he thinks it will renew itself. Hmm, I am a little nervous about this.
0
 
LVL 8

Accepted Solution

by:Shmoid (earned 500 total points)
ID: 36575070
It's the Certificate Revocation List (CRL) that is expiring, not the CRL Distribution Point (CDP).

You are correct that you must renew it. There are a couple of ways to automate it but unless you set it up it is unlikely that is the case. If it were automated it would likely have been renewed well before the expiration date.

To renew your CRL issue the following command from the command line: certutil -CRL
Then publish it with this command: certutil -dspublish -f -dc "yourDCname.domain.com"

0
 

Author Comment

by:Mc2102
ID: 36575714
Shmoid,

Just to make sure we are both on the same page I added a screenshot of the Warning I see.

If we are, then I will first run the certutil -CRL command and then the command certutil -dspublish -f -dc "yourDCname.domain.com". I have more than one DC in the domain, can I use any?

Thank you
Mc2102
0
 

Author Comment

by:Mc2102
ID: 36575727
Attaching screenshot (image: "Screenshot warning")
0
 
LVL 8

Expert Comment

by:Shmoid
ID: 36576224
Correct, those commands are exactly what you need. The first column says CDP location to indicate the path to the CRL. It is the CRL that expires.

Yes, you can put any one of your DCs' names in quotes in the 2nd command. It will replicate to the other DCs via normal replication.

Just FYI, the first command creates a new CRL and puts it in C:\WINDOWS\system32\certsrv\CertEnroll on the CA. The second command publishes that new CRL in Active Directory.

0
 

Author Comment

by:Mc2102
ID: 36576728
Shmoid,

Sorry to bother you again with this, but now I am even more confused. I ran the first command:

certutil -CRL

Then I tried to run the second command but it failed and said:

CertUtil: Missing argument

So reading the /? I believe I have to add the location of the new CRL file as you stated before.... BUT when I now check the pkiview.msc console, the warning is gone. So am I done without the second command?
0
 
LVL 8

Expert Comment

by:Shmoid
ID: 36576970
Actually, no, you wouldn't need to specify the CRL location. The -dspublish switch tells certutil to publish in Active Directory; it knows from the existing CRL where to put it. The -f just means to force overwrite, and the -dc "name" specifies a specific DC. You can actually leave that off, and in a small environment replication is so fast you wouldn't notice. In a large enterprise environment you can specify a DC so you can quickly see the change on a local DC, but it will eventually replicate to all DCs.

It sounds like the command worked but one of the parameters was not recognized. Perhaps you had a space after one of the dashes or maybe left the quotes off the server name? Can you reply and type the command exactly as you did on the command line?

Also, did the date change in pkiview.msc? If so, you're fine for now. What is the CRL validity period? You will need to do this again when that date approaches.

0
 
LVL 8

Assisted Solution

by:Shmoid
Shmoid earned 500 total points
ID: 36577176
Mc2102,

You were absolutely right. I missed the path. The command should be:
certutil -dspublish -f -dc "dcname.domain.com" "c:\path\to\crl\crlname.crl"

I publish my issuing CA's CRL via scheduled task and a batch file. I should have looked at it. It's been so long since I did it manually I forgot about the path. Sorry about that.
0
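The two steps Shmoid lands on above (certutil -CRL to write a fresh CRL into CertEnroll, then certutil -dspublish -f with the CRL's path to copy it into Active Directory) are what he says he runs from a scheduled task and a batch file. The script below is an added example, not code from this thread or from Microsoft. It chains the two commands, prints the CA's configured publication interval so you know how often the task has to run, and then reads ThisUpdate/NextUpdate back out of the new CRL files with certutil -dump, which is the date pkiview.msc compares against the clock when it shows the "expiring" warning. It assumes it runs on the CA itself, elevated (both certutil -CRL and -dspublish need local Administrator), with CRLs in the default CertEnroll folder; -DomainController and -WarnFraction are the script's own parameters, not certutil options. Two things worth knowing before you rely on it: on an Enterprise CA whose LDAP CDP entry is flagged "Publish CRLs to this location" (the default), certutil -CRL already pushes the new CRL into AD by itself, which is why the warning in this thread vanished before the dspublish step ever ran; and dspublish only copies whatever file you hand it, so publishing a CRL the CA has not regenerated leaves NextUpdate exactly where it was.

```powershell
# Publish-CaCrl.ps1  (added example; not from this thread or from Microsoft)
# Renews the CA's base and delta CRLs, pushes them into Active Directory and
# reports how much life the new CRLs have, i.e. the date pkiview.msc checks.
# Assumes: run on the CA itself, elevated (certutil -CRL and -dspublish both
# need local Administrator), CRLs in the default CertEnroll folder.
# -DomainController and -WarnFraction are this script's own parameters.
param(
    [string]$DomainController = '',   # optional, passed to certutil as -dc, as in the thread
    [double]$WarnFraction = 0.25      # warn when less than this share of the CRL lifetime is left
)

$ErrorActionPreference = 'Stop'
$CertEnroll = Join-Path $env:SystemRoot 'System32\CertSrv\CertEnroll'

# Pull ThisUpdate/NextUpdate out of "certutil -dump <file.crl>", which prints
# one "Label: <date>" line for each, in the current culture's date format.
function Get-CrlLifetime {
    param([Parameter(Mandatory)][string]$Path)
    $dump  = & certutil.exe -dump $Path
    $dates = @{}
    foreach ($label in 'ThisUpdate', 'NextUpdate') {
        $line = $dump | Where-Object { $_ -match "^\s*${label}:" } | Select-Object -First 1
        if (-not $line) { throw "certutil -dump printed no $label for $Path" }
        $dates[$label] = [datetime]::Parse(($line -replace "^\s*${label}:\s*", '').Trim())
    }
    [pscustomobject]$dates
}

# 1. Show the publication interval, so you know how often this must run. These
#    registry values are what the CA snap-in edits under Revoked Certificates.
$cfgKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName = (Get-ItemProperty -Path $cfgKey).Active
$caCfg  = Get-ItemProperty -Path (Join-Path $cfgKey $caName)
Write-Host ("CA '{0}': base CRL every {1} {2}, delta CRL every {3} {4}" -f `
    $caName, $caCfg.CRLPeriodUnits, $caCfg.CRLPeriod, $caCfg.CRLDeltaPeriodUnits, $caCfg.CRLDeltaPeriod)

# 2. Write fresh CRLs into CertEnroll. The CA service also re-publishes them to
#    every CDP location flagged "Publish CRLs to this location" at this point.
& certutil.exe -CRL | Out-Host
if ($LASTEXITCODE -ne 0) { throw "certutil -CRL failed (exit code $LASTEXITCODE)" }

# 3. Copy each new CRL into AD. The base CRL is <CAName>.crl, the delta CRL
#    <CAName>+.crl; certutil reads the file to decide which attribute it updates.
$publishArgs = @('-dspublish', '-f')
if ($DomainController) { $publishArgs += @('-dc', $DomainController) }

$crls = @(Get-ChildItem -Path $CertEnroll -Filter '*.crl' |
          Where-Object { $_.LastWriteTime -gt (Get-Date).AddMinutes(-5) })
if ($crls.Count -eq 0) { throw "No CRL written in the last five minutes under $CertEnroll" }

foreach ($crl in $crls) {
    & certutil.exe @publishArgs $crl.FullName | Out-Host
    if ($LASTEXITCODE -ne 0) { throw "certutil -dspublish failed for $($crl.Name) (exit code $LASTEXITCODE)" }
}

# 4. Verify from the files themselves. -dspublish never changes these dates; only
#    step 2 does, so an unchanged NextUpdate here means the CRL was not regenerated.
foreach ($crl in $crls) {
    $life  = Get-CrlLifetime -Path $crl.FullName
    $total = ($life.NextUpdate - $life.ThisUpdate).TotalHours
    $left  = ($life.NextUpdate - (Get-Date)).TotalHours
    $kind  = if ($crl.BaseName.EndsWith('+')) { 'delta CRL' } else { 'base CRL' }
    $msg   = "{0} {1}: NextUpdate {2:g}, {3:N1} of {4:N1} hours left" -f $kind, $crl.Name, $life.NextUpdate, $left, $total
    if ($left -le 0 -or ($left / $total) -lt $WarnFraction) { Write-Warning $msg } else { Write-Host $msg }
}
```

To run it the way Shmoid describes, register it with the task scheduler on the CA at an interval shorter than the base CRL period printed in step 1, for example: schtasks /Create /SC WEEKLY /D MON /ST 06:00 /RU SYSTEM /TN "Publish CA CRL" /TR "powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Scripts\Publish-CaCrl.ps1" (the path is an assumption). Local System is the account the Certification Authority service itself publishes with, so it already has the rights on the CDP container. The thread's symptom is the case to watch for: a one-week CRL on a CA nobody touches will hit its NextUpdate, and once it does every client that checks revocation against that CDP starts failing chain validation, not just the PKI console.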
 

Author Comment

by:Mc2102
ID: 36580517
Shmoid,

Yes, the date in pkiview.msc changed, and I just checked again and the warning is gone. What I am a little surprised about is that I do not recall this action ever before, and the CA has been up and running for over a year. The new expiration date is 09/29/2011. I will put that into my calendar. Thank you for your help on this.
0
 

Author Closing Comment

by:Mc2102
ID: 36580527
After running the certutil -CRL command the warning was gone.
0
 

Expert Comment

by:PremCab
ID: 39965986
I have updated the CRL using "certutil -dspublish -f [RootCA.crl] [Root CA name]" command.

It was successful, but the expiry date of the CDP location hasn't been extended.

Any suggestions?
0
