Windows 2008 CA and Internal CRL

Am I correct in saying that if an internal cert is published and the location for the CRL changes, the issued certs would need to be revoked and reissued?
compdigit44 asked:

Jakob Digranes (Senior Consultant) commented:
Yes --- most services need to check CRL

But there's no way of keeping any of the existing CRL publishing locations in place until the certificate expires?
compdigit44 (Author) commented:
That is the thing: I am recreating the old CRL location...
Jakob Digranes (Senior Consultant) commented:
So the issued certificate has the following CRL:
http://pki.yourdomain.com

and you remove this, and recreate a new server that http://pki.yourdomain.com points to?

In that case, all you need is to publish the CRL to the new location and you're all good.
What kind of cert is this? One web server cert or thousands of client certs?

compdigit44 (Author) commented:
What I was able to do was, on a web server, recreate the old CRL name, and I was able to get the CRL to work again...

That means my issued certs will now see the existing CRL again, correct? Was my approach to this issue correct?
Jakob Digranes (Senior Consultant) commented:
Yes --- should be okay. Easy way to test: start pkiview.msc from your CA ---- fingers crossed, and all green check marks :-)
compdigit44 (Author) commented:
I did just this and it worked; I just wanted to make sure my thought process was correct...

On a side note, what would happen to already issued certs if they could not access the CRL?
Jakob Digranes (Senior Consultant) commented:
The certs never access the CRL, but the service they're used for might. For instance, if you use certificates for authentication to a wired or wireless network in an 802.1X deployment, the RADIUS server would check the CRL to see if the certificate is still valid; if the CRL is unavailable, RADIUS might deny access to clients, given that it would not know whether the certificates are valid or not.

For a secured web server, clients might give a warning that the CRL is not available, and for Direct Access with certs, clients would not connect --- +++

compdigit44 (Author) commented:
So a user cert that is already issued will not reference the CRL, yet I notice new ones are not getting deployed because they cannot access the CRL...