multiple certificates on Issuing CA server

  • Question

  • Hi,

    Due to errors, multiple certificates were issued from the Root CA server for the SubCA. Although the old certificate was revoked from the Root, I see 2 certificates on the Issuing CA. Also, because of the 2 certificates, 2 CRLs are getting published every time, one for each. When I look at the web server certificate issued for IIS, it was signed by the new certificate of the Issuing CA. Also, in PKIView, I see the CDP path for this CA with the new CRL.

    But my question is, how shall I remove the old one from the Issuing CA, as I am not getting that option? Also, in AD I see 2 certificates published for that CA. Will that cause any issue?

    Thanks


    Neha Garg

    Monday, January 19, 2015 12:07 PM

Answers

  • This is actually a normal state in PKI. When you renew a sub CA with a new key pair, it will result in multiple CRL files.

    - there is no need to remove the previous subca cert

    - there is no need to revoke the previous subca cert (unless there are config or security issues)

    - make sure the AIA paths use %4 in the paths to keep separate versions

    - make sure that the CDP paths use %9 in the paths to keep separate versions

    - make sure you publish *all* versions of .crts and .crls to *all* publication points

    You need to leave all versions of the CA certs in play so that both current and previously issued certs can be validated

    Brian

    Monday, January 19, 2015 12:28 PM
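    The following is an added example (not from this thread or from any of the posters) showing how the publication templates Brian refers to are inspected and set on an AD CS issuing CA with certutil. It assumes placeholder names (pki.example.com, a CertEnroll web share) and the documented AD CS token meanings: %1 ServerDNSName, %3 CaName, %4 CertificateName (renewal index on the CA cert file name), %8 CRLNameSuffix (renewal index on the CRL file name), %9 DeltaCRLAllowed (marks a delta CRL).

```powershell
# Added example, not from the thread. Run in an elevated PowerShell on the
# issuing CA. pki.example.com and \\pki.example.com\CertEnroll are
# placeholders; adjust to your own publication points.

# 1. Inspect the current templates. Each entry is "flags:URL".
certutil -getreg CA\CRLPublicationURLs
certutil -getreg CA\CACertPublicationURLs

# 2. CDP templates. A template of only "%3%8.crl" (as used in the thread)
#    gives a delta CRL the same file name as its base CRL when delta CRLs
#    are enabled; "%3%8%9.crl" keeps them apart, and %8 carries the renewal
#    index so "CA.crl" and "CA(1).crl" both survive.
#    Flags: 1 = publish base CRL here, 64 = publish delta CRL here
#    (65 = both), 2 = put this URL in the CDP extension of issued certs.
#    Entries are separated by a literal \n, which certutil understands.
certutil -setreg CA\CRLPublicationURLs `
  "65:$env:windir\system32\CertSrv\CertEnroll\%3%8%9.crl\n2:http://pki.example.com/CertEnroll/%3%8%9.crl"

# 3. AIA templates. %4 keeps "<server>_<CA>.crt" and "<server>_<CA>(1).crt"
#    as separate files for the old and the renewed CA certificate.
#    Flags: 1 = publish CA cert here, 2 = put this URL in the AIA extension.
certutil -setreg CA\CACertPublicationURLs `
  "1:$env:windir\system32\CertSrv\CertEnroll\%1_%3%4.crt\n2:http://pki.example.com/CertEnroll/%1_%3%4.crt"

# 4. Restart the CA so the templates take effect, then republish. The CA
#    writes one CRL per CA-certificate version whose key is still valid,
#    which is why two CRLs appear after a renewal with a new key pair.
Restart-Service certsvc
certutil -crl

# 5. Publish every version of the .crt and .crl files (old and new) to the
#    web point, then check that each AIA/CDP URL of an issued certificate
#    resolves; this is the same fetch Enterprise PKI view performs.
Copy-Item "$env:windir\system32\CertSrv\CertEnroll\*" -Include *.crt,*.crl `
  -Destination \\pki.example.com\CertEnroll
certutil -verify -urlfetch .\issued-cert.cer
```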

All replies

  • Can you take a snap and post it here, that where exactly you are trying to delete certificate?

    Regards, Prabhu

    Monday, January 19, 2015 12:27 PM
  • What you have done is that you have renewed the CA certificate on the issuing CA with a new key pair; that's the reason you are seeing multiple CA certificates and CRLs.

    See the screenshot below where I did the same thing.

    

    Note, but you have to take care of the points brought up by Brian below.

    Puneet Singh

    Monday, January 19, 2015 2:52 PM
  • Thanks Brian and Puneet. Yes, that happened after renewing it.

    Brian, I was using %3%8 in the CDP paths and seeing "unable to download" in Enterprise PKI view for the CDP path, whereas the AIA path is coming up OK in it. I will add %9 also in CDP and will check.

    Adding these things should take care of "make sure you publish *all* versions of .crts and .crls to *all* publication points", right?


    Neha Garg

    Monday, January 19, 2015 7:57 PM
  • Also, one thing was fishy: the CDP path in Enterprise PKI view was showing "unable to download", but when I opened that CDP path in IE, I was able to do so.

    Neha Garg

    Monday, January 19, 2015 7:59 PM
  • Once you have fixed everything, try to revoke the CA Exchange cert, and as soon as the new one is published with the proper path, the Enterprise PKI view will get fixed.

    Puneet Singh


    • Edited by Learning-PKI Tuesday, January 20, 2015 5:11 PM fixed typo
    Monday, January 19, 2015 8:03 PM