Asking for a friend... I goofed the CDP location on a PKI deployment. How do I recover?

  • Question

  • Two-tier PKI in a parent/child domain. ROOT is online but has only one template (SubCA); SUB is issuing certs to users, computers, servers, etc.

    At some point, the CDP extensions on the ROOT CA were modified to include a delta CRL. Didn't really want this, so I removed it.

    The CDP extensions on the SUB CA were modified to include the wrong location. They were changed to reflect the correct location.

    Now when I look in PKIView.msc, the ROOT DeltaCRL location points directly to ROOTCA.crl, not to the nonexistent ROOTCA+.crl.

    Also, the SUB CA has an error because the CRL Distribution Points field points to ROOTCA.crl. It should be SUBCA.crl.

    Is there an easy recovery which doesn't require reissuing all certs?


    I do this cause it pays the bills...

    Thursday, September 26, 2019 3:47 PM

Answers

All replies

  • Hello,
    Thank you for posting in our TechNet forum.

    We can troubleshoot according to this similar case:

    Certificate Revocation checks, CDP and AIA failing from a different subnet
    https://social.technet.microsoft.com/Forums/windowsserver/en-US/a688e9bf-1b8f-4a91-a999-fd66ddd287cb/certificate-revocation-checks-cdp-and-aia-failing-from-a-different-subnet?forum=winserversecurity



    Here is an article about setting up a two-tier CA step by step.
    https://social.technet.microsoft.com/wiki/contents/articles/15037.ad-cs-step-by-step-guide-two-tier-pki-hierarchy-deployment.aspx




    Best Regards,
    Daisy Zhou


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, September 27, 2019 7:46 AM
    Moderator
  • I am comparing the CDP entries I have with the ones in the link you provided.

    Two issues are rolled into this one aside from my obvious shortcomings in understanding PKI.


    PKIView.msc displays (names changed to protect the innocent) this info:

    Am I missing something on the delta aspect? I would prefer my ROOTCA not publish a delta CRL.

    Digging into the SUBCA certificate with the Unknown Error, I find the Details of the CRL Distribution Points field has a poorly defined URL of: "http://SubCa.MyCo.Co.prv/CRL/ROOTCA.crl"

    Should this not read: "http://SubCa.MyCo.Co.prv/CRL/SUBCA.crl"?

    Any help you could provide is as always, greatly appreciated.


    I do this cause it pays the bills...


    • Edited by Bimpster Friday, September 27, 2019 3:18 PM
    Friday, September 27, 2019 3:15 PM
  • Hi,
    In my CA test environment, I can see root CA:


    And sub CA:



    We can compare the above information with your environment.

    And if we need to modify it, we can remove it and re-add it through Sub CA Properties -> Extensions tab.





    Best Regards,
    Daisy Zhou


    Tuesday, October 1, 2019 8:49 AM
    Moderator
  • Thank you Daisy,

    You're not getting what I'm throwing out there...

    My ROOT has a DeltaCRL+ and shouldn't have one.

    My Issuing SUB has a CRL which points to the ROOT instead of itself even though the extensions clearly indicate the correct locations.

    Republishing certs did not resolve it.

    I'd love to send you screenshots but don't feel comfortable posting them in the open.


    I do this cause it pays the bills...

    Tuesday, October 1, 2019 2:08 PM
  • Hi,
    The standalone offline root CA should not be installed in the domain. As a matter of fact, it should not even be connected to a network at all.

    By "ROOT is online", do we mean the root CA is in the domain and connected to a network?


    1. My ROOT has a DeltaCRL+ and shouldn't have one.

    We can check whether there is a delta CRL file under C:\Windows\System32\CertSrv\CertEnroll on the ROOT CA server.

    2. My Issuing SUB has a CRL which points to the ROOT instead of itself even though the extensions clearly indicate the correct locations.

    On the sub CA, we can publish the CRL and delta CRL again to check if it helps. Right-click Revoked Certificates -> All Tasks -> Publish -> select New CRL.

    Right-click Revoked Certificates -> All Tasks -> Publish -> select Delta CRL only.





    Best Regards,
    Daisy Zhou


    Wednesday, October 2, 2019 8:34 AM
    Moderator
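    As an added example (not part of this thread or Microsoft's guidance), the PowerShell script below checks the CDP issue from the relying-party side: for a CA certificate in the local machine store it lists the URLs in the CRL Distribution Points extension, downloads each HTTP CRL and confirms the CRL was issued by the CA that issued the certificate. A certificate's CDP names the CRL of the CA that signed it, so the Sub CA certificate is expected to reference the Root CA's CRL; the subject filter and work folder are assumptions.

```powershell
# Added example (not from this thread). For a CA certificate in the local machine store,
# enumerate every URL in its CRL Distribution Points extension, download each HTTP CRL
# and confirm the CRL was issued by the same CA that issued the certificate. A cert's CDP
# names the CRL of the CA that SIGNED it, so the Sub CA certificate is expected to
# reference the Root CA's CRL. The subject filter and work folder are assumptions.
param(
    [string]$SubjectMatch = 'SUBCA',            # assumed: text found in the CA cert's Subject
    [string]$WorkDir      = "$env:TEMP\cdpcheck"
)
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null

$cert = Get-ChildItem Cert:\LocalMachine\CA, Cert:\LocalMachine\Root, Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "*$SubjectMatch*" } | Select-Object -First 1
if (-not $cert) { throw "No certificate with Subject matching '$SubjectMatch' found." }

# Issuer CN of the certificate; every CDP URL must serve a CRL issued by this CA.
$issuerCN = $cert.GetNameInfo([Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $true)

# OID 2.5.29.31 = CRL Distribution Points; Format() renders entries as "URL=http://..."
$cdpExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
if (-not $cdpExt) { throw "'$($cert.Subject)' has no CDP extension." }
$urls = [regex]::Matches($cdpExt.Format($true), 'URL=(\S+)') | ForEach-Object { $_.Groups[1].Value }

"Certificate : $($cert.Subject)"
"Issuer CN   : $issuerCN"
foreach ($url in $urls) {
    if ($url -notmatch '^https?://') { "SKIP  $url (only HTTP CDPs are fetched here)"; continue }
    $file = Join-Path $WorkDir ([IO.Path]::GetFileName(([uri]$url).AbsolutePath))
    try   { Invoke-WebRequest -Uri $url -OutFile $file -UseBasicParsing -ErrorAction Stop }
    catch { "FAIL  $url -> not reachable: $($_.Exception.Message)"; continue }

    # certutil -dump prints the CRL's Issuer DN; take its CN and compare with the cert issuer.
    $dump  = (certutil.exe -dump $file 2>&1) -join "`n"
    $crlCN = [regex]::Match($dump, '(?s)Issuer:.*?CN=([^\r\n]+)').Groups[1].Value.Trim()
    if (-not $crlCN)          { "FAIL  $url -> downloaded file is not a parsable CRL"; continue }
    if ($crlCN -eq $issuerCN) { "OK    $url -> CRL issued by $crlCN" }
    else                      { "WARN  $url -> CRL issued by '$crlCN', expected '$issuerCN'" }
}
```

    A WARN line means the URL in the certificate serves a CRL from a different CA than the one that signed it; a FAIL line means the published CRL file is missing from that location, which is what PKIView.msc reports as an error for the CDP.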
  • After jiggering around a bit, I got everything to turn green. Thank you for your help Lucy!

    • Edited by Bimpster Tuesday, October 8, 2019 4:12 PM
    Wednesday, October 2, 2019 2:26 PM
  • Hi,
    Thank you for your update and marking my reply as answer. I’m very glad that the problem has been solved.
     
    As always, if there is any question in future, we warmly welcome you to post in this forum again. We are happy to assist you!

    Have a nice day!

     
    Best Regards,
    Daisy Zhou


    Wednesday, October 9, 2019 1:09 AM
    Moderator