Which are the steps to configure the new CA to publish CRLs to the old path?


  • Hi to all

    How can I configure the new CA to publish CRLs to the old (pre-migration) path that was used by the old CA, and also publish to the new paths?

    In short, I would like to do what the text below describes.

    Ref: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc742388(v=ws.10)?redirectedfrom=MSDN

    "By default, Active Directory Certificate Services (AD CS) is configured with certificate revocation list (CRL) distribution point extensions that include the CA computer host name in the path. This means any certificates issued by the CA before migration may contain certificate validation paths that contain the old host name. These paths may no longer be valid after the migration. To avoid revocation checking errors, the new CA must be configured to publish CRLs to the old (pre-migration) path as well as the new paths. "


    Warm regards MeVs



    Friday, August 7, 2020 3:36 AM
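What the quoted document asks for, shown as an added example in PowerShell (this is not part of the original thread and not Microsoft's own script). Names are assumptions: the old CA host was OLDCA01.contoso.com (the name baked into the CDP extension of pre-migration certificates), the new host is NEWCA01.contoso.com, the CA name is "Contoso Issuing CA", and a web server (or a DNS alias for the old name) still answers at http://OLDCA01.contoso.com/CertEnroll/ and serves the share \\OLDCA01.contoso.com\CertEnroll that the new CA's computer account can write to. The key detail: AD CS can only publish to file and LDAP locations, and the `%1` template variable expands to the current server's DNS name, so the old location must be added as a literal UNC path rather than a `%1` template.

```powershell
# Added example, not from the original thread. Assumed names:
#   old CA host : OLDCA01.contoso.com  (host name inside pre-migration certificates' CDP URLs)
#   new CA host : NEWCA01.contoso.com
#   CA name     : "Contoso Issuing CA" (the CA name must stay the same across a migration)
# Run elevated on the NEW CA after the migration is complete.

$CaName     = 'Contoso Issuing CA'
$OldHost    = 'OLDCA01.contoso.com'
# Share that http://$OldHost/CertEnroll/ serves. Assumed to exist; NEWCA01$ needs write access to it.
$OldPublish = "\\$OldHost\CertEnroll"

$regPath = "HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\$CaName"

# CRLPublicationURLs is a REG_MULTI_SZ of "<flags>:<template>" entries. Flag bits:
#   1  publish CRLs to this location (file:// or ldap:// only)
#   2  include this URL in the CDP extension of issued certificates
#   4  include in CRLs so clients can find delta CRLs
#  64  publish delta CRLs to this location
# Template variables: %1 = server DNS name, %3 = CA name, %8 = CRL name suffix, %9 = delta CRL allowed.
$current = (Get-ItemProperty -Path $regPath -Name CRLPublicationURLs).CRLPublicationURLs
Write-Host "Current CRLPublicationURLs:"; $current | ForEach-Object { "  $_" }

# The old path only needs PUBLISH flags (1 + 64 = 65): old certificates already carry the old
# http URL in their CDP, so we do not add the old path to the CDP of newly issued certificates.
$oldEntry = "65:$OldPublish\%3%8%9.crl"

if ($current -contains $oldEntry) {
    Write-Host "Old publish location already present, nothing to change."
} else {
    # Keep every existing (new-path) entry; the default set on a fresh CA is typically
    #   65:<local CertEnroll>\%3%8%9.crl, 79:ldap:///CN=%7%8,... and 6:http://%1/CertEnroll/%3%8%9.crl
    # where %1 now resolves to NEWCA01, i.e. the "new paths" the document refers to.
    $updated = [string[]]($current + $oldEntry)
    Set-ItemProperty -Path $regPath -Name CRLPublicationURLs -Value $updated -Type MultiString
    Write-Host "Added: $oldEntry"
}

# Registry changes are read on service start.
Restart-Service certsvc

# Publish base and delta CRLs now so every location (old and new) receives a fresh file.
certutil -CRL
if ($LASTEXITCODE -ne 0) { throw "certutil -CRL failed with exit code $LASTEXITCODE" }

# Show the effective configuration as the CA sees it.
certutil -getreg CA\CRLPublicationURLs
```

On Windows Server 2012 and later the ADCSAdministration module offers `Get-CACrlDistributionPoint` and `Add-CACrlDistributionPoint -Uri <path> -PublishToServer -PublishDeltaToServer` as an alternative to editing the registry directly; the resulting entries are the same. If the old URL was LDAP rather than HTTP the existing `ldap:///CN=%7%8,...` entry already covers it, because the CA name (and therefore `%7`) does not change in a migration.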

All replies

  • Hi to all, any comment will certainly be appreciated.

    Warm regards MeVs

    Friday, August 7, 2020 12:06 PM
  • Hi,


    Below are the steps to verify the CRL publication:

    1. Open a command prompt.
    2. At the command prompt, change to the local directory where the CRLs are published. By default, this is %windir%\system32\CertSrv\CertEnroll.
    3. Make sure that there is at least one file with the CRL extension that has a time stamp equal to the time when you published the CRL in the previous task.
    4. Open the CRL file for each CA certificate and verify that the Next CRL Publish extension shows the current date plus the time configured as the CRL publication interval on the Revoked Certificates Properties page (see the previous figure), or the expiration date of the CA certificate in the case of a decommission.
    5. Close the CRL file.
    6. Ensure that all CRL files have been copied to the CRL distribution points as required.

    In addition, a complete server backup should be performed before a migration to allow for a quick recovery of an existing CA if necessary. 
    I hope the above information is helpful to you.


    This MECM Forum will be migrating to a new home on Microsoft Q&A, please refer to the sticky post for more details.



    Best regards,
    Larry



    Monday, August 10, 2020 7:47 AM
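The verification steps above, scripted as an added example (not part of the original thread and not Microsoft's own script). It lists the CRL files in CertEnroll with their time stamps and the NextUpdate / Next CRL Publish values that `certutil -dump` prints, checks that the old and the new HTTP path both serve each CRL byte-for-byte identical to the file the CA wrote, and finally runs `certutil -verify -urlfetch` against a certificate issued before the migration, which is the real test of whether revocation checking still works for old certificates. Assumed names: CA "Contoso Issuing CA", old host OLDCA01.contoso.com, new host NEWCA01.contoso.com, and a pre-migration certificate saved as C:\temp\pre-migration.cer.

```powershell
# Added example, not from the original thread. Run on the new CA (or any domain member that can
# reach both hosts over HTTP; the CertEnroll listing part only works on the CA itself).
$Hosts   = 'OLDCA01.contoso.com', 'NEWCA01.contoso.com'   # assumed old and new CDP hosts
$OldCert = 'C:\temp\pre-migration.cer'                      # assumed: a cert issued by the OLD CA
$Enroll  = Join-Path $env:windir 'system32\CertSrv\CertEnroll'

# Steps 1-5: local CRL files, their write time, and the validity/publish dates inside them.
$crls = Get-ChildItem -Path $Enroll -Filter '*.crl'
if (-not $crls) { throw "No .crl files in $Enroll; was the CRL published?" }

foreach ($f in $crls) {
    $dump = (certutil -dump $f.FullName 2>&1) | Out-String
    # certutil prints " NextUpdate: <date>" and the extension "Next CRL Publish" followed by a date line.
    $nextUpdate  = [regex]::Match($dump, 'NextUpdate:\s*(.+)').Groups[1].Value.Trim()
    $nextPublish = [regex]::Match($dump, 'Next CRL Publish\s*\r?\n\s*(.+)').Groups[1].Value.Trim()
    '{0,-45} written {1:yyyy-MM-dd HH:mm}  NextUpdate: {2}  NextCRLPublish: {3}' -f `
        $f.Name, $f.LastWriteTime, $nextUpdate, $nextPublish
}

# Step 6: every distribution point must serve the file the CA just wrote (same hash), on both hosts.
$failures = 0
foreach ($f in $crls) {
    $localHash = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
    foreach ($h in $Hosts) {
        $uri = "http://$h/CertEnroll/$([uri]::EscapeDataString($f.Name))"
        $tmp = [System.IO.Path]::GetTempFileName()
        try {
            Invoke-WebRequest -Uri $uri -UseBasicParsing -OutFile $tmp -ErrorAction Stop
            $remoteHash = (Get-FileHash -Path $tmp -Algorithm SHA256).Hash
            if ($remoteHash -eq $localHash) { "OK       $uri" }
            else { "MISMATCH $uri (stale copy at this distribution point)"; $failures++ }
        } catch {
            "ERROR    $uri : $($_.Exception.Message)"; $failures++
        } finally {
            Remove-Item $tmp -ErrorAction SilentlyContinue
        }
    }
}

# The decisive check: chain-build a pre-migration certificate and fetch its CDP/AIA URLs.
# certutil prints "Verified" or "Failed" lines per fetched URL in the CDP section.
if (Test-Path $OldCert) {
    $out = certutil -verify -urlfetch $OldCert 2>&1
    $out | Where-Object { $_ -match '^\s*(Verified|Failed)\s+"' }
    if ($LASTEXITCODE -ne 0 -or ($out -match '^\s*Failed\s+"')) {
        "Revocation checking against the old CDP path FAILED for $OldCert"; $failures++
    } else {
        "Revocation checking for the pre-migration certificate succeeded."
    }
} else {
    "Skipping -urlfetch check: $OldCert not found (export any certificate issued by the old CA)."
}

if ($failures) { Write-Warning "$failures distribution point check(s) failed." }
```

The `-urlfetch` run is the one that matters for the question in this thread: it uses exactly the CDP URL embedded in the old certificate, so it fails if the old host name no longer resolves, the web server at the old name is gone, or the CA is not writing its CRL to the location behind that name.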
  • Deploy a web server on any host, then configure a common HTTP path to publish the CRL on this server for non-domain clients. For domain clients, publishing the CRL to AD is already included by default.
    Monday, August 10, 2020 3:19 PM
  • But how can I do this part: "the new CA must be configured to publish CRLs to the old (pre-migration) path as well as the new paths."?

    I mean, where do I have to enter both CRL paths (old and new)?


    Warm regards MeVs

    Saturday, August 15, 2020 4:03 AM