Certification Authority Certificate

I have moved the enterprise certification authority to a different server with different name and different os (server 2003 - server 2008 r2).
The main CA certificate is valid through 2018, but its CRL distribution point  still points to an old server (which is still running, but will eventually be shut down).
What is the safest way to update the certificate with a new CDP?
Just renew the CA certificate?
Or what will happen if CDP remains unchanged, but the original server to which it points will be shut down? Will it bring the CA down because there is no server to distribute CRL?

Thanks
LVL 1
AlexC77Asked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

ParanormasticCryptographic EngineerCommented:
If you are referring to the CDP (and, I presume, the AIA) of a subordinate CA cert, then update the relevant values on the CA that issued that CA cert (e.g. the root CA) then reissue the CA cert - you might choose to use the 'reusekeys' option in this case) and the new cert should have the new CDP.  Keep in mind that all certs issued under the original cert with the old CDP & AIA will still be chaining to that cert for trust validation, so you may need to reissue all user/machine certs in order to decom that CDP sooner than later.

If you are referring to the same for a normal user/machine cert then do the same updates on the issuing CA & renew/reissue all non-expired certs.

If your networking equipment can handle redirecting the traffic, then you might be able to pull that off & just publish to a newer box & just redirect traffic to there.  You might also be able to do the same by aliasing the existing name to the new location.  On a side note, for your new CDP/AIA if you aren't using a DNS alias then you should so you can load balance & migrate easier.  Pointing to a real server name isn't a great idea (and it publishes your real server name in every cert out there, which some people frown at).  Test this during off hours...  see 'certutil -url FILENAME.CER' for testing...

A common place to stick things is in www.yourdomain.com/repository
That repository should have at least a copy of your root cert linked from a simple page.  If your company has taken the time to write up a Certificate Policy (CP) document (See RFC 3647) or any other legal notices then that kind of thing should be kept there, too.

Alternatively (or in addition to), you could use something like 'pki.yourdomain.com' if you are able to for uses like the CDP, AIA, and OCSP.  This usually works OK if you can get a dns alias but can't link off of your main website.

Also keep in mind you will need to keep re-signing the CRL - do not just make one valid for 3 years and stick it out there (it kind of defeats the purpose) unless you are decomming that PKI (where you revoke all certs & then publish an end of lifetime CRL)


If you have the LDAP CDP that publishes to your CRL to AD & that is still going to be valid then your clients would probably be checking that first, which should help for domain members connected to the network.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2008

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.