Certificate Authority 2008 - Renewed RootCA Certificate crl

    Question

  • Hey,

    I had renewed my root CA certificate and I noticed that this certificate has the "CDP" attribute in it.

    I cannot understand why, because I know that a root CA's certificate does not need this attribute.

    Thanks,

    dor

    Sunday, August 24, 2014 10:59 AM


All replies

  • Hi Dor mar,

    I think a similar thread should help you out: http://social.technet.microsoft.com/Forums/windowsserver/en-US/19b635a0-0021-4280-bc20-2f9a35b360fe/windows-2008-standalone-offline-ca-certs-cdp-and-aia-extension-vs-crl-publishing?forum=winserversecurity


    Did my post help you or make you laugh? Don't forget to click the Helpful vote :) If I answered your question please mark my post as an Answer.

    Sunday, August 24, 2014 12:11 PM
  • I am not sure what you mean by the CDP attribute in the certificate. When you renew, a version number is included in the renewed certificate.

    Original Certificate: RootCA_CorporateRootCA.crt

    Renewal 1: RootCA_CorporateRootCA(1).crt

    Renewal 2: RootCA_CorporateRootCA(2).crt

    Renewal 3: RootCA_CorporateRootCA(3).crt

    and so on.... 

    If the root CA was renewed with a new key pair, then a new CRL is produced (with the matching version number). If the root CA was renewed with the same key pair, then the previous # CRL is used for both the current and previous CA certificate.

    HTH,

    Brian

    Sunday, August 24, 2014 7:09 PM
  • Hey,

    What I meant is that after renewing the root CA certificate, on the "Details" tab I could find the CRL location... something that I know root CA certificates shouldn't have...

    What I have done is:

    1) unchecking the "publish CRL in issued certificates" option

    2) renewing the RootCA certificate

    3) re-enabling the "publish CRL in issued certificates" option

    Is it healthy?

    thanks

    Monday, August 25, 2014 10:05 AM
  • It sounds like you have a Server 2003 CA that had a bug in it (there was a patch, but you must have missed it).

    If you renewed with a new key pair, it ignored the capolicy.inf file (with the Empty=True option enabled for CDP and AIA). If you renewed again (using the same key pair), then the capolicy.inf file would be read.

    Your unchecking of options did nothing, but the capolicy.inf file (which someone else probably set up) did accomplish the fix. This is the method used prior to the release of the patch.

    See http://support.microsoft.com/kb/927169

    Brian

    • Proposed as answer by Brian Komar [MVP] Monday, August 25, 2014 2:40 PM
    • Marked as answer by Dor mar Monday, August 25, 2014 3:32 PM
    Monday, August 25, 2014 2:40 PM
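    Added example, not code from this thread or from anyone posting in it: a PowerShell check that does the three things a practitioner would want after reading Brian's two replies above. It reports whether a CA certificate carries the CDP (OID 2.5.29.31) and AIA (OID 1.3.6.1.5.5.7.1.1) extensions (what Dor saw on the Details tab), lists the renewal generations of a CA certificate in the local machine store with their Subject Key Identifier (which changes only when the key pair changes, so it tells a same-key renewal from a new-key renewal), and checks that CAPolicy.inf contains the Empty=True sections that suppress those extensions at the next renewal. The certificate file path, the subject name and the store location are assumptions.

```powershell
# Added example; not code from the thread. Inspects CA certificates for the
# CDP (2.5.29.31) and AIA (1.3.6.1.5.5.7.1.1) extensions, which a self-signed
# root normally should not carry, and checks CAPolicy.inf for the Empty=True
# sections that suppress them at renewal. Paths and subject names are assumptions.

$CdpOid = '2.5.29.31'           # id-ce-cRLDistributionPoints
$AiaOid = '1.3.6.1.5.5.7.1.1'   # id-pe-authorityInfoAccess
$SkiOid = '2.5.29.14'           # id-ce-subjectKeyIdentifier

function Get-CaCertReport {
    # Report CDP/AIA presence (and the SKI) for one X509Certificate2 object.
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $cdp = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $CdpOid }
    $aia = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $AiaOid }
    $ski = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $SkiOid }
    [pscustomobject]@{
        Subject    = $Cert.Subject
        NotBefore  = $Cert.NotBefore
        NotAfter   = $Cert.NotAfter
        Thumbprint = $Cert.Thumbprint
        SelfSigned = ($Cert.Subject -eq $Cert.Issuer)
        SKI        = if ($ski) { $ski.Format($false) } else { $null }
        HasCDP     = [bool]$cdp
        HasAIA     = [bool]$aia
        CDP        = if ($cdp) { $cdp.Format($false) } else { $null }
        AIA        = if ($aia) { $aia.Format($false) } else { $null }
    }
}

function Get-CaCertGenerations {
    # Every certificate with the given subject in the local machine store, oldest
    # first: one row per renewal (the (1), (2), ... files Brian describes).
    # A changed SKI between rows means that renewal used a new key pair.
    # 'My' is the CA's own store on the CA server; use 'Root' on a client.
    param([Parameter(Mandatory)][string]$Subject, [string]$Store = 'My')
    Get-ChildItem "Cert:\LocalMachine\$Store" |
        Where-Object { $_.Subject -eq $Subject } |
        Sort-Object NotBefore |
        ForEach-Object { Get-CaCertReport -Cert $_ }
}

function Test-CaPolicyInf {
    # CdpEmpty/AiaEmpty are true only if CAPolicy.inf sets Empty=True in the
    # matching section. Expected content for a root CA:
    #   [CRLDistributionPoint]
    #   Empty=True
    #   [AuthorityInformationAccess]
    #   Empty=True
    param([string]$Path = "$env:SystemRoot\CAPolicy.inf")
    $result = [ordered]@{ Path = $Path; Exists = (Test-Path $Path); CdpEmpty = $false; AiaEmpty = $false }
    if ($result.Exists) {
        $section = ''
        foreach ($line in Get-Content $Path) {
            $t = $line.Trim()
            if ($t -match '^\[(.+)\]$') { $section = $Matches[1]; continue }
            if ($t -match '^Empty\s*=\s*True$') {
                if ($section -eq 'CRLDistributionPoint')       { $result.CdpEmpty = $true }
                if ($section -eq 'AuthorityInformationAccess') { $result.AiaEmpty = $true }
            }
        }
    }
    [pscustomobject]$result
}

# Usage (file path and subject name are assumptions):
$cert   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 'C:\temp\RootCA_CorporateRootCA(1).crt'
$report = Get-CaCertReport -Cert $cert
$report | Format-List
if ($report.SelfSigned -and ($report.HasCDP -or $report.HasAIA)) {
    Write-Warning 'Self-signed root carries CDP/AIA; fix CAPolicy.inf before the next renewal.'
}
Get-CaCertGenerations -Subject 'CN=CorporateRootCA' | Format-Table NotBefore, SKI, HasCDP, HasAIA
Test-CaPolicyInf
```

    Run it on the CA server as an administrator. A self-signed root with HasCDP or HasAIA set to true is the symptom from the question; a CAPolicy.inf report with CdpEmpty and AiaEmpty both true, plus the hotfix in the KB article Brian cites, is what keeps the extensions out of the certificate at the next renewal. Unchecking and re-enabling the "publish CRL in issued certificates" setting changes the CRL publication URLs used for certificates the CA issues, not the extensions written into the CA's own certificate.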
  • Thanks.

    Is there a place that states all the hotfixes/bugs for a given product or feature,

    that I can search before doing those steps?

    Monday, August 25, 2014 3:33 PM
  • Generally yes, but not for ADCS. It's a good idea; perhaps I will make that a list on my blog.

    Mark B. Cooper, President and Founder of PKI Solutions Inc., former Microsoft Senior Engineer and subject matter expert for Microsoft Active Directory Certificate Services (ADCS). Known as “The PKI Guy” at Microsoft for 10 years.

    Thursday, August 28, 2014 7:08 PM
  • I have compiled my list of Hotfixes for ADCS 2003-2012 on my website. I am in the process of having the list vetted by the ADCS PM at Microsoft as well. I will maintain this list and keep it updated in the future as new hotfixes and issues are identified. Take a look and let me know if I am missing any you know of.

    http://pkisolutions.com/adcs-hotfixes


    Mark B. Cooper, President and Founder of PKI Solutions Inc., former Microsoft Senior Engineer and subject matter expert for Microsoft Active Directory Certificate Services (ADCS). Known as “The PKI Guy” at Microsoft for 10 years.

    Friday, August 29, 2014 7:47 PM