jbla9028 asked:

WindowsCA Certificate Revocation Checking

I have deployed a WindowsCA. I have an offline Root CA and an Enterprise Subordinate. We issue all the certificates from the subordinate. After checking some configuration, I noticed the URL used for the CRLs is invalid and clients cannot communicate to check CRLs. I need to add a valid CRL location. My questions are below.

1. How will this affect existing certificates in the wild? I am OK knowing the existing certs out there will not be checked for revocation as long as new Certs are.

2. Do I need to re-key and distribute a new Subordinate certificate after I modify the Extensions (CDP/AIA)?


Thank you in advance.
ASKER CERTIFIED SOLUTION
David Johnson, CD
jbla9028

ASKER

If I add a new CRL location, will new certificates issued by the Subordinate receive the CRL location, or do I need to rekey my Subordinate CA for this to work? Thank you for your help thus far.