Certification Authority Certificate

Posted on 2013-05-29
306 Views
Last Modified: 2013-09-25
I have moved the enterprise certification authority to a different server with a different name and a different OS (Server 2003 to Server 2008 R2).
The main CA certificate is valid through 2018, but its CRL distribution point still points to an old server (which is still running, but will eventually be shut down).
What is the safest way to update the certificate with a new CDP?
Just renew the CA certificate?
Or what will happen if CDP remains unchanged, but the original server to which it points will be shut down? Will it bring the CA down because there is no server to distribute CRL?

Thanks
Question by:AlexC77
1 Comment
 
LVL 31

Accepted Solution

by:
Paranormastic earned 1600 total points
ID: 39223657
If you are referring to the CDP (and, I presume, the AIA) of a subordinate CA cert, then update the relevant values on the CA that issued that CA cert (e.g. the root CA), then reissue the CA cert (you might choose to use the 'reusekeys' option in this case), and the new cert should have the new CDP. Keep in mind that all certs issued under the original cert with the old CDP & AIA will still be chaining to that cert for trust validation, so you may need to reissue all user/machine certs in order to decom that CDP sooner than later.

If you are referring to the same for a normal user/machine cert then do the same updates on the issuing CA & renew/reissue all non-expired certs.

If your networking equipment can handle redirecting the traffic, then you might be able to pull that off & just publish to a newer box & just redirect traffic to there.  You might also be able to do the same by aliasing the existing name to the new location.  On a side note, for your new CDP/AIA if you aren't using a DNS alias then you should so you can load balance & migrate easier.  Pointing to a real server name isn't a great idea (and it publishes your real server name in every cert out there, which some people frown at).  Test this during off hours...  see 'certutil -url FILENAME.CER' for testing...

A common place to stick things is in www.yourdomain.com/repository. That repository should have at least a copy of your root cert linked from a simple page. If your company has taken the time to write up a Certificate Policy (CP) document (see RFC 3647) or any other legal notices then that kind of thing should be kept there, too.

Alternatively (or in addition to), you could use something like 'pki.yourdomain.com' if you are able to for uses like the CDP, AIA, and OCSP.  This usually works OK if you can get a dns alias but can't link off of your main website.

Also keep in mind you will need to keep re-signing the CRL - do not just make one valid for 3 years and stick it out there (it kind of defeats the purpose) unless you are decomming that PKI (where you revoke all certs & then publish an end-of-lifetime CRL).

If you have the LDAP CDP that publishes your CRL to AD & that is still going to be valid then your clients would probably be checking that first, which should help for domain members connected to the network.
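The accepted answer describes two pieces of work: find out which issued certificates still carry the old server's name in their CDP/AIA extensions (those are the ones that must be reissued before the box is decommissioned), and point the CA at a DNS alias instead of a real server name before renewing the CA cert. The PowerShell below is an added example written for this page, not code from the poster or from Microsoft; it assumes it is run on the 2008 R2 CA with certutil available, and the host names `oldca.yourdomain.com` and `pki.yourdomain.com` are placeholders (the second is the alias style the answer suggests).

```powershell
# Added example (not from the original post). Audits issued certificates for CDP/AIA
# URLs that still reference the old CA host, then shows the certutil steps that stamp
# a DNS alias into the CDP/AIA of everything the CA issues from now on.

$OldHost  = 'oldca.yourdomain.com'   # placeholder: the server still named in the current CDP/AIA
$NewAlias = 'pki.yourdomain.com'     # placeholder: DNS alias fronting the new CRL/AIA repository

# Extract every URL from the CRL Distribution Points (OID 2.5.29.31) and
# Authority Information Access (OID 1.3.6.1.5.5.7.1.1) extensions of one certificate.
function Get-CdpAiaUrl {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert
    )
    foreach ($ext in $Cert.Extensions) {
        if ('2.5.29.31', '1.3.6.1.5.5.7.1.1' -contains $ext.Oid.Value) {
            $kind = if ($ext.Oid.Value -eq '2.5.29.31') { 'CDP' } else { 'AIA' }
            # Format($true) renders the extension as text with one "URL=..." per location,
            # which works for http://, ldap:/// and file:// distribution points alike.
            foreach ($m in [regex]::Matches($ext.Format($true), 'URL=(\S+)')) {
                [pscustomobject]@{
                    Subject    = $Cert.Subject
                    Thumbprint = $Cert.Thumbprint
                    Kind       = $kind
                    Url        = $m.Groups[1].Value
                }
            }
        }
    }
}

# Inventory: which certificates in a store still chain through the old host?
# Run this against the machine store on servers and the issued-certificates export
# from the CA database to size the reissue job the answer talks about.
function Find-CertReferencingHost {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [string]$StorePath = 'Cert:\LocalMachine\My'
    )
    Get-ChildItem $StorePath |
        ForEach-Object { Get-CdpAiaUrl -Cert $_ } |
        Where-Object { $_.Url -like "*$HostName*" }
}

Find-CertReferencingHost -HostName $OldHost | Format-Table -AutoSize

# --- CA-side configuration (run on the CA, then restart the service) ---
# CRLPublicationURLs flag bits: 1 = publish CRL here, 64 = publish delta CRL here,
# 2 = include in CDP of issued certs, 4 = include in the freshest-CRL field.
# A literal "\n" in the certutil argument separates the REG_MULTI_SZ entries;
# PowerShell leaves "\n" untouched, so it reaches certutil as written.
certutil -setreg CA\CRLPublicationURLs "65:$env:windir\system32\CertSrv\CertEnroll\%3%8%9.crl\n6:http://$NewAlias/repository/%3%8%9.crl"

# CACertPublicationURLs: 1 = publish the CA cert here, 2 = include in AIA of issued certs.
certutil -setreg CA\CACertPublicationURLs "1:$env:windir\system32\CertSrv\CertEnroll\%1_%3%4.crt\n2:http://$NewAlias/repository/%1_%3%4.crt"

Restart-Service certsvc

# Publish a fresh CRL so the alias location is populated before anyone chains to it.
certutil -CRL

# Only after the parent CA's CDP/AIA have been updated: renew the subordinate CA cert,
# keeping the existing key pair (the 'reusekeys' option the answer mentions).
# certutil -renewCert ReuseKeys

# Verification: fetch every CDP/AIA URL in a cert and report which ones resolve.
# certutil -URL is the interactive checker named in the answer; -verify -urlfetch is
# the non-interactive equivalent suitable for a scheduled off-hours check.
# certutil -verify -urlfetch .\issued-cert.cer
```

The audit function is the part worth keeping around after the migration: run it periodically against servers that received certificates from the old CA cert, and the old server can be shut down once it returns nothing. Note that `certutil -setreg` replaces the whole multi-valued entry, so any LDAP CDP you rely on for domain members has to be included in the same command or it disappears from newly issued certificates.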
