Avatar of teyers
Flag for United States of America asked on

CRL issues after CA migration

We recently migrated our Microsoft CA off of a DC (DC01) in our environment and moved it to a dedicated server (CERTAUTH). We maintained the old CA Root during the migration. Everything seems to be working correctly, but we have an issue with certificates issues before the migration failing a CRL check. When you look at the certificate, it lists the old server in the CDP: ldap:///CN=xxx-DC01-CA(1),CN=DC01,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=xxx,DC=local?certificateRevocationList?base?objectClass=cRLDistributionPoint.

All the new certificates list the new CA in the CDP: ldap:///CN=xxx-DC01-CA(1),CN=CERTAUTH,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=xxx,DC=local?certificateRevocationList?base?objectClass=cRLDistributionPoint 

The old server is still online as a Domain Controller but all the CA roles have been removed. I could reissue all the certificates and everything would be fine, but thats a huge project that would require touching ALOT of computers. 

I have tried a several things, including adding an entry on the CA Properties Extension Tab:ldap:///CN=<CATruncatedName><CRLNameSuffix>,CN=DC01,CN=CDP,CN=Public Key Services,CN=Services,<ConfigurationContainer><CDPObjectClass>

Along with the existing entry: ldap:///CN=<CATruncatedName><CRLNameSuffix>,CN=<ServerShortName>,CN=CDP,CN=Public Key Services,CN=Services,<ConfigurationContainer><CDPObjectClass> 

When I run certutil -f -urlfetch -verify against an pre-migration certificate I get this error: ERROR: 

 ----------------  Certificate CDP  ----------------
  Failed "CDP" Time: 0 (null)
    Error retrieving URL: The system cannot find the file specified. 0x80070002 (WIN32: 2 ERROR_FILE_NOT_FOUND)

Verifying leaf certificate revocation status returned The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613 CRYPT_E_REVOCATION_OFFLINE) CertUtil: The revocation function was unable to check revocation because the revocation server was offline.

If I run the same command against a post-migration certificate, it completes fine.

I know I am missing something simple, but I am at a loss. Can someone please point me in the correct direction?

Thank you

Microsoft* certificate services

Avatar of undefined
Last Comment

8/22/2022 - Mon
David Johnson, CD

View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
See Pricing Options
Start Free Trial
Ask your own question & get feedback from real experts
Find out why thousands trust the EE community with their toughest problems.

Yes, they all have the CRL DP embedded in them, I figured it would require that. I have it set in GPO to "Update and manage certificates that use certificate templates from Active Directory" and then I went in CA Templates and "Reenrolled All Certifcate Holders". I have never had to force a reissue of certificates, so I am hoping the documentation is correct.

I will update later.
I started with Experts Exchange in 2004 and it's been a mainstay of my professional computing life since. It helped me launch a career as a programmer / Oracle data analyst
William Peck