Solved

Certification Authority Certificate

Posted on 2013-05-29
1
295 Views
Last Modified: 2013-09-25
I have moved the enterprise certification authority to a different server with different name and different os (server 2003 - server 2008 r2).
The main CA certificate is valid through 2018, but its CRL distribution point  still points to an old server (which is still running, but will eventually be shut down).
What is the safest way to update the certificate with a new CDP?
Just renew the CA certificate?
Or what will happen if CDP remains unchanged, but the original server to which it points will be shut down? Will it bring the CA down because there is no server to distribute CRL?

Thanks
0
Comment
Question by:AlexC77
1 Comment
 
LVL 31

Accepted Solution

by:
Paranormastic earned 400 total points
ID: 39223657
If you are referring to the CDP (and, I presume, the AIA) of a subordinate CA cert, then update the relevant values on the CA that issued that CA cert (e.g. the root CA) then reissue the CA cert - you might choose to use the 'reusekeys' option in this case) and the new cert should have the new CDP.  Keep in mind that all certs issued under the original cert with the old CDP & AIA will still be chaining to that cert for trust validation, so you may need to reissue all user/machine certs in order to decom that CDP sooner than later.

If you are referring to the same for a normal user/machine cert then do the same updates on the issuing CA & renew/reissue all non-expired certs.

If your networking equipment can handle redirecting the traffic, then you might be able to pull that off & just publish to a newer box & just redirect traffic to there.  You might also be able to do the same by aliasing the existing name to the new location.  On a side note, for your new CDP/AIA if you aren't using a DNS alias then you should so you can load balance & migrate easier.  Pointing to a real server name isn't a great idea (and it publishes your real server name in every cert out there, which some people frown at).  Test this during off hours...  see 'certutil -url FILENAME.CER' for testing...

A common place to stick things is in www.yourdomain.com/repository
That repository should have at least a copy of your root cert linked from a simple page.  If your company has taken the time to write up a Certificate Policy (CP) document (See RFC 3647) or any other legal notices then that kind of thing should be kept there, too.

Alternatively (or in addition to), you could use something like 'pki.yourdomain.com' if you are able to for uses like the CDP, AIA, and OCSP.  This usually works OK if you can get a dns alias but can't link off of your main website.

Also keep in mind you will need to keep re-signing the CRL - do not just make one valid for 3 years and stick it out there (it kind of defeats the purpose) unless you are decomming that PKI (where you revoke all certs & then publish an end of lifetime CRL)


If you have the LDAP CDP that publishes to your CRL to AD & that is still going to be valid then your clients would probably be checking that first, which should help for domain members connected to the network.
0

Featured Post

The curse of the end user strikes again      

You’ve updated all your end user’s email signatures. Hooray! But guess what? They’re playing around with the HTML, adding stupid taglines and ruining the imagery. Find out how you can save your signatures from end users today.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I have been working as System Administrators since 2003. I recently started working as a FreeLancer and was amazed to find out that very few people are taking full advantage of their Windows Server Machines. Microsoft Windows Server comes with so…
I had a question today where the user wanted to know how to delete an SSL Certificate, so I thought that I would quickly add this How to! Article for your reference. WHY WOULD YOU WANT TO DELETE A CERTIFICATE? 1. If an incorrect certificate was …
This tutorial will walk an individual through the steps necessary to enable the VMware\Hyper-V licensed feature of Backup Exec 2012. In addition, how to add a VMware server and configure a backup job. The first step is to acquire the necessary licen…
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …

920 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

15 Experts available now in Live!

Get 1:1 Help Now