Solved

CDP Location Expiring

Posted on 2011-09-21
Last Modified: 2014-03-31
Hello,

I have a Standalone Enterprise CA running on Windows Server 2008 R2. Through coincidence I logged into the server and found a warning under 'Enterprise PKI' that the 'CDP Location #1' is going to expire tomorrow. The 'DeltaCRL Location #1' is going to expire tomorrow as well, but for some reason there is no warning active for that one.

No clue what this is about, so I did some research on the internet and here, and it looks like I have to renew the CDP Location, but none of the articles explain how I need to do that.

Can anybody please tell me how I can republish the CDP Location and fix this issue? And should I also be concerned about the 'DeltaCRL Location #1'?

Thank you
Mc2102
Question by:Mc2102
11 Comments
 

Author Comment

by:Mc2102
ID: 36574947
A co-worker of mine just told me that he thinks it will renew itself. Hmm, I am a little nervous about this.

Accepted Solution

by:
Shmoid earned 500 total points
ID: 36575070
It's the Certificate Revocation List (CRL) that is expiring, not the CRL Distribution Point (CDP).

You are correct that you must renew it. There are a couple of ways to automate it but unless you set it up it is unlikely that is the case. If it were automated it would likely have been renewed well before the expiration date.

To renew your CRL issue the following command from the command line: certutil -CRL
Then publish it with this command: certutil -dspublish -f -dc "yourDCname.domain.com"


Author Comment

by:Mc2102
ID: 36575714
Shmoid,

Just to make sure we are both on the same page I added a screenshot of the Warning I see.

If we are, then I will first run the certutil -CRL command and then the command certutil -dspublish -f -dc "yourDCname.domain.com". I have more than one DC in the domain; can I use any?

Thank you
Mc2102

Author Comment

by:Mc2102
ID: 36575727
Attaching screenshot. [image: Screenshot warning]

Expert Comment

by:Shmoid
ID: 36576224
Correct, those commands are exactly what you need.  The first column says CDP location to indicate the path to the CRL. It is the CRL that expires.

Yes, you can put any one of your DCs' names in quotes in the 2nd command. It will replicate to the other DCs via normal replication.

Just FYI, the first command creates a new CRL and puts it in C:\WINDOWS\system32\certsrv\CertEnroll on the CA. The second command publishes that new CRL in Active Directory.

Author Comment

by:Mc2102
ID: 36576728
Shmoid,

Sorry to bother you again with this, but now I am even more confused. I ran the first command:

certutil -CRL

Then I tried to run the second command but it failed and said:

CertUtil: Missing argument

So reading the /? I believe I have to add the location of the new CRL file as you stated before... BUT when I now check the pkiview.msc console, the warning is gone. So am I done without the second command?

Expert Comment

by:Shmoid
ID: 36576970
Actually, no, you wouldn't need to specify the CRL location. The -dspublish switch tells certutil to publish in Active Directory; it knows from the existing CRL where to put it. The -f just means to force overwrite, and the -dc "name" specifies a specific DC. You can actually leave that off, and in a small environment replication is so fast you wouldn't notice. In a large enterprise environment you can specify a DC so you can quickly see the change on a local DC, but it will eventually replicate to all DCs.

It sounds like the command worked but one of the parameters was not recognized. Perhaps you had a space after one of the dashes or maybe left the quotes off the server name? Can you reply and type the command exactly as you did on the command line?

Also, did the date change in pkiview.msc? If so, you're fine for now. What is the CRL validity period? You will need to do this again when that date approaches.


Assisted Solution

by:Shmoid
Shmoid earned 500 total points
ID: 36577176
Mc2102,

You were absolutely right. I missed the path. The command should be:
certutil -dspublish -f -dc "dcname.domain.com" "c:\path\to\crl\crlname.crl"

I publish my issuing CA's CRL via scheduled task and a batch file. I should have looked at it. It's been so long since I did it manually I forgot about the path. Sorry about that.
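The two-step procedure in the accepted solution and its corrected form above (certutil -CRL to issue a fresh CRL, then certutil -dspublish with the CRL file path to push it into Active Directory) is what Shmoid says he runs from a scheduled task. The following PowerShell script is an added example from the editor, not code posted in this thread, that automates those steps and verifies the result. It assumes it runs elevated on the CA itself, that CertEnroll is in its default location under System32\CertSrv, and it uses a placeholder DC name (dc01.corp.example.com) that must be replaced. The NextUpdate check parses the output of certutil -dump; delta CRLs are recognised by the "+" suffix AD CS appends to their file names.

```powershell
<#
  Added example (editor's, not from the thread). Renews the CA's CRL when it
  is close to its NextUpdate, publishes every CRL file in CertEnroll to Active
  Directory, and prints the new NextUpdate so the pkiview.msc warning can be
  checked without the GUI.
  Assumptions (not from the thread): run elevated on the CA; default CertEnroll
  path; the DC name below is a placeholder.
#>
param(
    [string]$Dc = 'dc01.corp.example.com',   # placeholder; any writable DC works
    [int]$RenewIfWithinDays = 3,             # renew when this close to NextUpdate
    [switch]$Force                           # renew regardless of remaining time
)
$ErrorActionPreference = 'Stop'
$certEnroll = Join-Path $env:SystemRoot 'System32\CertSrv\CertEnroll'

function Get-CrlNextUpdate {
    param([string]$Path)
    # certutil -dump prints a "NextUpdate: <date>" line for a CRL file
    $hit = certutil -dump $Path |
        Select-String -Pattern '^\s*NextUpdate:\s*(.+?)\s*$' |
        Select-Object -First 1
    if (-not $hit) { throw "No NextUpdate found in $Path (is it a CRL?)" }
    return [datetime]::Parse($hit.Matches[0].Groups[1].Value)
}

# Base CRLs are "<CAName>.crl"; delta CRLs are "<CAName>+.crl".
$baseCrls = Get-ChildItem -Path $certEnroll -Filter '*.crl' |
    Where-Object { $_.BaseName -notlike '*+' }
if (-not $baseCrls) { throw "No base CRL found in $certEnroll" }

$renewed = $false
foreach ($crl in $baseCrls) {
    $next = Get-CrlNextUpdate $crl.FullName
    $left = ($next - (Get-Date)).TotalDays
    Write-Host ("{0}: NextUpdate {1:u} ({2:N1} days left)" -f $crl.Name, $next, $left)
    if (-not $renewed -and ($Force -or $left -le $RenewIfWithinDays)) {
        # Same step as in the thread: issue a new base CRL (and a delta CRL if
        # the CA is configured for deltas). Files land in CertEnroll.
        & certutil -CRL
        if ($LASTEXITCODE -ne 0) { throw "certutil -CRL failed ($LASTEXITCODE)" }
        $renewed = $true
    }
}

# Push the CRL files into the AD CDP container. -dspublish only copies the
# file it is given: if the file was not regenerated first, AD receives the
# old NextUpdate and the expiry shown in pkiview.msc does not move.
foreach ($file in Get-ChildItem -Path $certEnroll -Filter '*.crl') {
    & certutil -dspublish -f -dc $Dc $file.FullName
    if ($LASTEXITCODE -ne 0) { throw "dspublish failed for $($file.Name) ($LASTEXITCODE)" }
}

# What pkiview.msc will now report, plus the configured validity periods so the
# next run (or scheduled task) can be planned before they elapse.
foreach ($file in Get-ChildItem -Path $certEnroll -Filter '*.crl') {
    Write-Host ("{0}: NextUpdate now {1:u}" -f $file.Name, (Get-CrlNextUpdate $file.FullName))
}
certutil -getreg CA\CRLPeriodUnits
certutil -getreg CA\CRLPeriod
certutil -getreg CA\CRLDeltaPeriodUnits
certutil -getreg CA\CRLDeltaPeriod
```

Run it from a scheduled task more often than the CRL period (for a one-week base CRL, daily is comfortable) under an account that holds the CA's Issue and Manage Certificates / Manage CA rights and can write the CDP container in AD (the CA's machine account is a member of Cert Publishers for that reason). Note that `certutil -CRL` already writes the new CRL to every local CDP the CA is configured for, which is why the pkiview.msc warning in the thread disappeared before the dspublish step; dspublish is still needed for the LDAP CDP when the CA does not publish to AD itself.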
Author Comment

by:Mc2102
ID: 36580517
Shmoid,

Yes, the date in pkiview.msc changed, and I just checked again and the warning is gone. What I am a little surprised about is that I do not recall this action ever before, and the CA has been up and running for over a year. The new expiration date is 09/29/2011. I will put that into my calendar. Thank you for your help on this.
Author Closing Comment

by:Mc2102
ID: 36580527
After running the certutil -CRL command the warning was gone.
Expert Comment

by:PremCab
ID: 39965986
I have updated the CRL using "certutil -dspublish -f [RootCA.crl] [Root CA name]" command.

It was successful, but the expiry date of the CDP location hasn't been extended.

Any suggestions?