  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 308

Certification Authority Certificate

I have moved the enterprise certification authority to a different server with a different name and a different OS (Server 2003 to Server 2008 R2).
The main CA certificate is valid through 2018, but its CRL distribution point still points to an old server (which is still running, but will eventually be shut down).
What is the safest way to update the certificate with a new CDP?
Just renew the CA certificate?
Or what will happen if the CDP remains unchanged, but the original server to which it points is shut down? Will it bring the CA down because there is no server to distribute the CRL?

Thanks
0
Asked by: AlexC77
1 Solution
Paranormastic (Cryptographic Engineer) commented:
If you are referring to the CDP (and, I presume, the AIA) of a subordinate CA cert, then update the relevant values on the CA that issued that CA cert (e.g. the root CA), then reissue the CA cert (you might choose to use the 'reusekeys' option in this case) and the new cert should have the new CDP. Keep in mind that all certs issued under the original cert with the old CDP & AIA will still be chaining to that cert for trust validation, so you may need to reissue all user/machine certs in order to decom that CDP sooner rather than later.

If you are referring to the same for a normal user/machine cert then do the same updates on the issuing CA & renew/reissue all non-expired certs.

If your networking equipment can handle redirecting the traffic, then you might be able to pull that off & just publish to a newer box & just redirect traffic to there. You might also be able to do the same by aliasing the existing name to the new location. On a side note, for your new CDP/AIA if you aren't using a DNS alias then you should, so you can load balance & migrate easier. Pointing to a real server name isn't a great idea (and it publishes your real server name in every cert out there, which some people frown at). Test this during off hours... see 'certutil -url FILENAME.CER' for testing...

A common place to stick things is in www.yourdomain.com/repository
That repository should have at least a copy of your root cert linked from a simple page.  If your company has taken the time to write up a Certificate Policy (CP) document (See RFC 3647) or any other legal notices then that kind of thing should be kept there, too.

Alternatively (or in addition to), you could use something like 'pki.yourdomain.com' if you are able to for uses like the CDP, AIA, and OCSP.  This usually works OK if you can get a dns alias but can't link off of your main website.

Also keep in mind you will need to keep re-signing the CRL - do not just make one valid for 3 years and stick it out there (it kind of defeats the purpose) unless you are decomming that PKI (where you revoke all certs & then publish an end-of-lifetime CRL).

If you have the LDAP CDP that publishes your CRL to AD & that is still going to be valid, then your clients would probably be checking that first, which should help for domain members connected to the network.
0
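A concrete form of the reconfigure-and-test procedure the answer describes, added here as an example and not code from the thread: it points the CA's CDP and AIA at a DNS alias instead of the real server name, republishes, and verifies fetching with certutil. The alias pki.yourdomain.com, the folder C:\inetpub\pki and the file example-issued.cer are assumed placeholders.

```powershell
# Added example (not the answerer's code). Run in an elevated PowerShell on the CA.
# Placeholders: 'pki.yourdomain.com' (a CNAME, so it can be moved later without
# reissuing certs) and 'C:\inetpub\pki' (the folder served as http://<alias>/pki/).
$Alias   = 'pki.yourdomain.com'
$WebRoot = 'C:\inetpub\pki'
$Enroll  = "$env:windir\system32\CertSrv\CertEnroll"

# 1. Record the current values first so the change can be rolled back.
certutil -getreg CA\CRLPublicationURLs
certutil -getreg CA\CACertPublicationURLs

# 2. CRL Distribution Points. The numeric prefix is a flag sum:
#    1 = publish CRL here, 2 = include in CDP extension of issued certs,
#    4 = include in CRLs so clients find delta CRLs, 8 = include in all CRLs
#    (AD publishing), 64 = publish delta CRL here. "\n" separates entries.
#    Keep the LDAP entry: domain members try it first, as the answer notes.
certutil -setreg CA\CRLPublicationURLs "65:$Enroll\%3%8%9.crl\n6:http://$Alias/pki/%3%8%9.crl\n79:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10"

# 3. Authority Information Access. 1 = publish CA cert here,
#    2 = include in AIA extension of issued certs. The HTTP name drops the
#    %1 (server DNS name) token so the real host name is not in every cert.
certutil -setreg CA\CACertPublicationURLs "1:$Enroll\%1_%3%4.crt\n2:http://$Alias/pki/%3%4.crt\n2:ldap:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,%6%11"

# 4. Restart so the new settings take effect, sign a fresh CRL (this must be
#    repeated before every CRL expiry, as the answer stresses), and copy the
#    CRL and CA cert to the alias web root. The CA cert copy is renamed to
#    strip the 'server_' prefix so it matches the AIA URL above.
Restart-Service certsvc
certutil -crl
New-Item -ItemType Directory -Path $WebRoot -Force | Out-Null
Copy-Item "$Enroll\*.crl" $WebRoot -Force
Get-ChildItem "$Enroll\*.crt" | ForEach-Object {
    Copy-Item $_.FullName (Join-Path $WebRoot ($_.Name -replace '^[^_]+_', '')) -Force
}

# 5. Verify with a cert issued AFTER the change (existing certs keep the old
#    CDP/AIA until reissued). Clear the URL cache first so a stale copy of the
#    old CRL does not hide a broken new location; -urlfetch prints each
#    CDP/AIA URL with its retrieval status, -url opens the interactive checker.
certutil -urlcache * delete
certutil -verify -urlfetch .\example-issued.cer
certutil -url .\example-issued.cer
```

The old server can be shut down only once every non-expired cert chains through the new URLs (or the old name is aliased to the new location); until then the step-5 check against an older cert will show the old CDP failing.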
