teyers (United States of America)

asked on

CRL issues after CA migration

We recently migrated our Microsoft CA off of a DC (DC01) in our environment and moved it to a dedicated server (CERTAUTH). We maintained the old CA Root during the migration. Everything seems to be working correctly, but we have an issue with certificates issued before the migration failing a CRL check. When you look at the certificate, it lists the old server in the CDP: ldap:///CN=xxx-DC01-CA(1),CN=DC01,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=xxx,DC=local?certificateRevocationList?base?objectClass=cRLDistributionPoint.

All the new certificates list the new CA in the CDP: ldap:///CN=xxx-DC01-CA(1),CN=CERTAUTH,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=xxx,DC=local?certificateRevocationList?base?objectClass=cRLDistributionPoint 

The old server is still online as a Domain Controller but all the CA roles have been removed. I could reissue all the certificates and everything would be fine, but that's a huge project that would require touching a lot of computers.

I have tried several things, including adding an entry on the CA Properties Extensions tab: ldap:///CN=<CATruncatedName><CRLNameSuffix>,CN=DC01,CN=CDP,CN=Public Key Services,CN=Services,<ConfigurationContainer><CDPObjectClass>

Along with the existing entry: ldap:///CN=<CATruncatedName><CRLNameSuffix>,CN=<ServerShortName>,CN=CDP,CN=Public Key Services,CN=Services,<ConfigurationContainer><CDPObjectClass> 

When I run certutil -f -urlfetch -verify against a pre-migration certificate I get this error:

 ----------------  Certificate CDP  ----------------
  Failed "CDP" Time: 0 (null)
    Error retrieving URL: The system cannot find the file specified. 0x80070002 (WIN32: 2 ERROR_FILE_NOT_FOUND)

Verifying leaf certificate revocation status returned The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613 CRYPT_E_REVOCATION_OFFLINE) CertUtil: The revocation function was unable to check revocation because the revocation server was offline.

If I run the same command against a post-migration certificate, it completes fine.

I know I am missing something simple, but I am at a loss. Can someone please point me in the correct direction?

Thank you
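An added inventory check (not code from the thread) that lists the machine-store certificates whose embedded CDP still names the decommissioned DC01 container and runs the same certutil revocation check the question describes against each one; the host name DC01 and the CN=DC01,CN=CDP path shape are taken from the question, and the script assumes it runs on a domain-joined machine with certutil.exe available.

```powershell
# Added example: find certificates in the local machine store whose CRL Distribution
# Points extension still references the old CA host's CDP container, then confirm
# whether revocation checking actually fails for them. Assumes DC01 (from the
# question) is the pre-migration host; change $OldCdpHost for other environments.
$OldCdpHost = 'DC01'

$results = foreach ($cert in Get-ChildItem -Path Cert:\LocalMachine\My) {
    # OID 2.5.29.31 is the CRL Distribution Points extension
    $cdpExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    if (-not $cdpExt) { continue }

    # Format($true) renders the extension as multi-line text, one URL per line
    $cdpLines = $cdpExt.Format($true) -split "`r?`n" | ForEach-Object { $_.Trim() }
    $staleCdp = $cdpLines | Where-Object { $_ -match "(?i)^URL=ldap:///.*,CN=$OldCdpHost,CN=CDP," }
    if (-not $staleCdp) { continue }

    # Same check the question ran by hand: export the cert and let certutil fetch the CDP
    $tmp = Join-Path $env:TEMP "$($cert.Thumbprint).cer"
    [System.IO.File]::WriteAllBytes($tmp, $cert.RawData)
    $out = & certutil.exe -f -urlfetch -verify $tmp 2>&1 | Out-String
    Remove-Item -Path $tmp -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Subject      = $cert.Subject
        NotAfter     = $cert.NotAfter
        Thumbprint   = $cert.Thumbprint
        StaleCdp     = ($staleCdp -join '; ')
        RevocationOk = ($out -notmatch 'CRYPT_E_REVOCATION_OFFLINE')
    }
}

$results | Format-Table -AutoSize
```

Certificates reported with RevocationOk = False are the ones whose clients will keep seeing CRYPT_E_REVOCATION_OFFLINE until either the CRL is again published into the old CN=DC01,CN=CDP container or the certificates are reissued.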

David Johnson, CD (Canada)

teyers
Yes, they all have the CRL DP embedded in them, I figured it would require that. I have it set in GPO to "Update and manage certificates that use certificate templates from Active Directory" and then I went in CA Templates and "Reenrolled All Certificate Holders". I have never had to force a reissue of certificates, so I am hoping the documentation is correct.

I will update later.