• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 14136
  • Last Modified:

CDP Location Expiring

Hello,

I have a Standalone Enterprise CA running on Windows Server 2008 R2. Through cohincidence I logged into the server and found a warning under 'Enterprise PKI' the the 'CDP Location #1' is going to expire tomorrow. The 'DeltaCRL Location #1' is going to expire tomorrow as well but for some reason there is not Warning active for that one.

No clue what this is about so I did not some research on the internet and here and looks like I have to renew the CDP Location but none of the article explains how I need to do that.

Can aybody please tell me how I can republish the CDP Location and fix this issue? And should I also be concernd about the 'DeltaCRL Location #1'?

Thank you
Mc2102
0
Mc2102
Asked:
Mc2102
  • 6
  • 4
2 Solutions
 
Mc2102Author Commented:
A co-worker of mine just told me that he thinks it will renew itsself. Hmm I am a little nervous about this.
0
 
ShmoidCommented:
It's the Certification Revocation List (CRL) that is expiring not the CRL Distribution Point (CDP).

You are correct that you must renew it. There are a couple of ways to automate it but unless you set it up it is unlikely that is the case. If it were automated it would likely have been renewed well before the expiration date.

To renew your CRL issue the following command from the command line: certutil -CRL
Then publish it with this command: certutil -dspublish -f -dc "yourDCname.doamin.com"

0
 
Mc2102Author Commented:
Shmoid,

Just to make sure we are both on the same page I added a screenshot of the Warning I see.

If we are then I will first run the certutil -CRL command and then the command certutil -dspublish -f -dc "yourDCname.doamin.com". I have more then one DC in the domain, can I use any?

Thank you
Mc2102
0
What Security Threats Are We Predicting for 2018?

Cryptocurrency, IoT botnets, MFA, and more! Hackers are already planning their next big attacks for 2018. Learn what you might face, and how to defend against it with our 2018 security predictions.

 
Mc2102Author Commented:
Attaching screenshot Screenshot warning
0
 
ShmoidCommented:
Correct, those commands are exactly what you need.  The first column says CDP location to indicate the path to the CRL. It is the CRL that expires.

Yes, you can put any one of your DC's name in quotes in the 2nd command. It will replicate to the other DC's via normal replication.

Just FYI the first command creates a new CRL and puts in C:\WINDOWS\system32\certsrv\CertEnroll on the CA. The second command publishes that new CRL in Active Directory.

0
 
Mc2102Author Commented:
Shmoid,

Sorry to bother you again with this but now I am evern more confused. I ran the first command:

certutil -CRL

Then I tried to run the second command but it failed and said:

CertUtil: Missing argument

So reading the /? I believe the I have to add the location of the new CRL file as you stated before....BUT when I now check the pkiview.msc console then the warning is gone. So am I done without the second command?
0
 
ShmoidCommented:
Actually no you wouldn't need to specify the CRL location.  The -dspublish switch tells certutil to publish in Active Directory it knows from the existing CRL where to put it.  The -f just means to force overwrite and the -dc "name" specifies a specific DC. You can actually leave that off and in a small environment replication is so fast you wouldn't notice. In a large enterprise environment you can specify a DC so you can quickly see the change on a local DC but it will eventually replicate to all DC's.

It sounds like the command worked but one of the parameters was not recognized. Perhaps you had a space after one of the dashes or maybe left the quotes off the server name? Can you reply and type the command exactly as you did on the command line?

Also, did the date change in pkiview.msc? If so, you're fine for now. What is the CRL validity period? You will need to do this again when that date approaches.

0
 
ShmoidCommented:
Mc2102,

You were absolutely right. I missed the path. The command should be:
certutil -dspublish -f -dc "dcname.domain.com" "c:\path\to\crl\crlname.crl"

I publish my issuing CA's CRL via scheduled task and a batch file. I should have looked at it. It's been so long since I did it manually I forgot about the path. Sorry about that.
0
 
Mc2102Author Commented:
Shmoid,

Yes the data in pkiview.msc changed and I just checked again and the Warning is gone. What I am a little suprised about is that I do not recall this action ever before and the CA is up and running over a year. The new expiration date is 09/29/2011. I will put that into my calendar. Thank you for your help on this.
0
 
Mc2102Author Commented:
After running the certutil -CRL command the warning was gone.
0
 
PremCabCommented:
I have updated the CRL using "certutil -dspublish -f [RootCA.crl] [Root CA name]" command.

It was successful, but the expiry date of the CDP location hasn't been extended.

Any suggestions?
0

Featured Post

Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

  • 6
  • 4
Tackle projects and never again get stuck behind a technical roadblock.
Join Now