New certificate authority - but still looking for old CRL RRS feed


  • Hey

    New certificate authority - but still looking for old CRL.

    If I delete the old CRL-file clients are unable to connect to direct access.

    We have selected the new certificate in the configuration.

    Any ideas?

    Mike

    Monday, March 30, 2015 4:43 PM

All replies

  • Hi,

    If you change the configuration, new GPOs are deployed and must be applied to DirectAccess clients. If your DirectAccess clients need the old CRL, it means that you use your internal ADCS to deliver the IPHTTPS certificate. In this situation, your DirectAccess clients do not trust your new AC, or your new AC does not have its CRL published on the Internet.


    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx

    Monday, March 30, 2015 7:10 PM
  • Hello Mike,

    This is a quite common mistake that I have observed in most migrations.

    I guess you are trying to move the CA from one server to another? Or from an old CA to a new CA?

    When a CA issues a digital certificate (a simple 10 KB file) it adds an attribute called "[1]CRL Distribution Point" with a value something like "URL=http://mscrl.microsoft.com/pki/mscorp/crl/msitwww2.crl". After you migrate the CA to a new server, the digital certificates that were distributed all over your network (just the files) still have the same old value (which points to the old server), which hasn't been changed. This is why Windows looks for the old CRL location (server) even after the migration.

    You can confirm this by picking any cert issued by the old CA, going to the "Details" tab and looking for "[1]CRL Distribution Point".

    To resolve this issue, you have two options.

    Either create a DNS entry with the OLD SERVER's name and point it to the new server's IP, OR

    revoke all the certificates issued by the old CA and issue client certificates from the new CA with the new CRL value.

    Please let me know, how it goes.

    Friday, April 17, 2015 11:58 AM
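The "Details" tab check above, done across the whole local machine store: an added PowerShell example that is not part of the thread. It lists every certificate's CRL Distribution Point URLs, flags the ones that still name the old CA host ($OldCaHost is a placeholder) and tests whether each HTTP CDP URL actually answers, which is the "CRL must be published" condition.

```powershell
# Added example (not from the thread). Reports CRL Distribution Point (CDP)
# URLs of certificates in the local machine store, flags those still naming
# the old CA host and checks whether each CDP URL is reachable over HTTP.
param(
    [string]$OldCaHost = 'oldca.example.internal',   # placeholder: old CA hostname
    [string]$StorePath = 'Cert:\LocalMachine\My'     # store to inspect
)

# OID 2.5.29.31 is the cRLDistributionPoints extension.
$CdpOid = '2.5.29.31'

Get-ChildItem -Path $StorePath | ForEach-Object {
    $cert = $_
    $ext = $cert.Extensions | Where-Object { $_.Oid.Value -eq $CdpOid }
    if (-not $ext) { return }   # no CDP extension, nothing to check

    # Format($true) renders the extension as the same text the "Details" tab
    # shows, e.g. "[1]CRL Distribution Point ... URL=http://host/pki/ca.crl".
    $text = $ext.Format($true)
    $urls = [regex]::Matches($text, 'URL=(\S+)') |
        ForEach-Object { $_.Groups[1].Value }

    foreach ($url in $urls) {
        # Only HTTP(S) CDPs are probed; LDAP URLs are reported but not tested.
        $reachable = $null
        if ($url -match '^https?://') {
            $reachable = $false
            try {
                $resp = Invoke-WebRequest -Uri $url -Method Head `
                    -UseBasicParsing -TimeoutSec 5
                $reachable = ($resp.StatusCode -eq 200)
            } catch { }
        }

        [pscustomobject]@{
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            NotAfter      = $cert.NotAfter
            CdpUrl        = $url
            PointsToOldCa = [bool]($url -match [regex]::Escape($OldCaHost))
            Reachable     = $reachable
        }
    }
}
```

Any row with PointsToOldCa true and Reachable false is a certificate that will fail revocation checking once the old CRL is gone, which is what the clients in this thread run into.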
  • Hey

    I have just found the solution: https://support.microsoft.com/en-us/kb/973982/ 

    (Seems to also apply to Windows 2012 R2)

    Mike

    Tuesday, April 21, 2015 6:14 AM
  • Hi,

    This KB is related to problems with IPHTTPS certificate binding. It will only remove the link in HTTP.SYS to be sure that you can bind a new certificate for HTTP.SYS.

    Bottom line, if changing the certificate fixes your problem, it's because you are using an IPHTTPS certificate delivered from an internal AC, not a public AC. In this case, your CRL must be published on the Internet.


    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx

    Tuesday, April 21, 2015 6:22 AM