Solved

Certification Authority Certificate

Posted on 2013-05-29
1
303 Views
Last Modified: 2013-09-25
I have moved the enterprise certification authority to a different server with different name and different os (server 2003 - server 2008 r2).
The main CA certificate is valid through 2018, but its CRL distribution point still points to an old server (which is still running, but will eventually be shut down).
What is the safest way to update the certificate with a new CDP?
Just renew the CA certificate?
Or what will happen if CDP remains unchanged, but the original server to which it points will be shut down? Will it bring the CA down because there is no server to distribute CRL?

Thanks
0
Comment
Question by:AlexC77
1 Comment
 
LVL 31

Accepted Solution

by:
Paranormastic earned 400 total points
ID: 39223657
If you are referring to the CDP (and, I presume, the AIA) of a subordinate CA cert, then update the relevant values on the CA that issued that CA cert (e.g. the root CA), then reissue the CA cert (you might choose to use the 'reusekeys' option in this case) and the new cert should have the new CDP.  Keep in mind that all certs issued under the original cert with the old CDP & AIA will still be chaining to that cert for trust validation, so you may need to reissue all user/machine certs in order to decom that CDP sooner than later.

If you are referring to the same for a normal user/machine cert then do the same updates on the issuing CA & renew/reissue all non-expired certs.

If your networking equipment can handle redirecting the traffic, then you might be able to pull that off & just publish to a newer box & just redirect traffic to there.  You might also be able to do the same by aliasing the existing name to the new location.  On a side note, for your new CDP/AIA if you aren't using a DNS alias then you should so you can load balance & migrate easier.  Pointing to a real server name isn't a great idea (and it publishes your real server name in every cert out there, which some people frown at).  Test this during off hours...  see 'certutil -url FILENAME.CER' for testing...

A common place to stick things is in www.yourdomain.com/repository
That repository should have at least a copy of your root cert linked from a simple page.  If your company has taken the time to write up a Certificate Policy (CP) document (See RFC 3647) or any other legal notices then that kind of thing should be kept there, too.

Alternatively (or in addition to), you could use something like 'pki.yourdomain.com' if you are able to for uses like the CDP, AIA, and OCSP.  This usually works OK if you can get a dns alias but can't link off of your main website.

Also keep in mind you will need to keep re-signing the CRL - do not just make one valid for 3 years and stick it out there (it kind of defeats the purpose) unless you are decomming that PKI (where you revoke all certs & then publish an end of lifetime CRL)


If you have the LDAP CDP that publishes to your CRL to AD & that is still going to be valid then your clients would probably be checking that first, which should help for domain members connected to the network.
0
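The steps in the accepted answer (move the CDP/AIA to a DNS alias, re-sign the CRL, renew the CA cert with the existing keys, then test URL retrieval) as an added PowerShell example; it is not code from the answer or from Microsoft. It assumes it runs elevated on the 2008 R2 CA, that `pki.yourdomain.com` is a placeholder alias already serving `/repository`, and that `C:\temp\issued.cer` is a placeholder path to a certificate issued by this CA.

```powershell
# Added example, not from the original answer. Assumptions: run elevated on
# the CA host; $alias already resolves and serves /repository over HTTP;
# $testCer is any certificate issued by this CA, exported for testing.
$alias   = "pki.yourdomain.com"       # placeholder DNS alias, not a host name
$testCer = "C:\temp\issued.cer"       # placeholder path

# Record the current values so the change can be reviewed or rolled back.
certutil -getreg CA\CRLPublicationURLs
certutil -getreg CA\CACertPublicationURLs

# CDP entries, separated by a literal "\n" as certutil expects:
#   65 = publish base + delta CRL to the local CertEnroll folder
#    6 = put the HTTP URL in issued certs' CDP and freshest-CRL extensions
#   79 = publish to AD and put the LDAP URL in certs and CRLs
$cdp = "65:$env:windir\system32\CertSrv\CertEnroll\%3%8%9.crl\n" +
       "6:http://$alias/repository/%3%8%9.crl\n" +
       "79:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10"

# AIA entries: 1 = publish the CA cert locally, 2 = put the URL in certs' AIA.
$aia = "1:$env:windir\system32\CertSrv\CertEnroll\%1_%3%4.crt\n" +
       "2:http://$alias/repository/%1_%3%4.crt\n" +
       "2:ldap:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,%6%11"

certutil -setreg CA\CRLPublicationURLs $cdp
certutil -setreg CA\CACertPublicationURLs $aia

# The CA service reads these values only at start-up.
Restart-Service certsvc

# Re-sign and publish a CRL now so the new location is populated immediately;
# the CRL period stays as configured, it is not stretched to cover years.
certutil -CRL

# Renew the CA certificate keeping the existing key pair so already-issued
# certs still chain, while the new CA cert carries the new CDP/AIA.
# On a subordinate CA this writes a request that must be submitted to the
# parent CA and the issued cert installed before the service is restarted.
certutil -renewCert ReuseKeys

# Test as the answer suggests: -URL opens the retrieval dialog, while
# -verify -urlfetch does the same chain build and CRL/AIA fetch at the console,
# so a dead CDP shows up here before the old server is decommissioned.
certutil -verify -urlfetch $testCer
```

Run the verification step from a client that has no cached CRL (or after `certutil -urlcache crl delete`) so that it exercises the published URLs rather than the local cache.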
