Misconfigured CA Root Certificate with CDP only pointing to LDAP and internal Webserver


  • Hi,

    I know it is not a good idea to have Certificate Distribution Points in the Root Certificate, but a customer has these points configured. Now, in future, there are different technologies like MS DirectAccess or RDP, and these services check the CDP for the CRL in the certificate chain, but the Root Certificate CRL cannot be loaded because the internal server names with the internal LAN DNS suffix are not propagated by the DNS server on the Internet, so the client cannot reach the CRL and authentication fails -> Right?

    So, what can I do? I think the only possibility is to set up a new offline Root CA with an Issuing CA with externally reachable CDP points -> Right?

    So, if I install a new PKI with an offline Root CA (without CDP ;-) and a new Issuing CA, I want the "old" certificates (about 1500 pieces) to keep working until I can change these and enroll new certificates from the new CA. I think about doing so by publishing (from the old CA) a new CRL with a lifetime similar to the old CA certificate into LDAP and deleting only the old CA from the pKIEnrollmentService container, so clients have no option to reach the old CA. -> Right?

    So, I think if I uninstall the Enterprise CA (and the Root CA) and leave the content of the NTAuthCertificates, Certification Authorities, CDP and AIA containers of the old CA in LDAP, all of the old certificates will also work with chain and CRL checking -> Right?

    Then I can set up a new PKI (offline Root and online Issuing) and change all the old certificates to new ones from the new PKI. -> Right?

    After that, when all the old certificates are changed, I can delete all the old content of the LDAP containers and have a pretty good PKI with correctly configured CDPs (not in the Root CA certificate but in the Issuing and client certificates) and CRLs available in LDAP but also on a web server hosted by an ISP with an Internet DNS name. -> Right?

    So I hope for many positive replies ;-)


    Tuesday, February 22, 2011 10:17 PM

All replies

  • Yes, what you want to do is possible. You should review the following blog article that explains how to do it:

    Saturday, April 14, 2012 4:17 AM
  • You are right - extend the CRL lifetime, remove pKIEnrollmentService and install a new hierarchy. You can uninstall the current hierarchy after all of its issued certificates expire - keep in mind that you should keep at least its backup - you may need to recover backed-up keys or some of its certificates in the future; the original RootCA and IssuingCA certificates should also remain trusted on the client computers (although expired), because you may need to check signatures or decrypt encrypted data later.

    One thing to consider - if you plan to use all your leaf certificates only on domain member computers, then consider only a single CA hierarchy, without the offline RootCA - just a single Root/Issuing Enterprise CA. The hierarchy only makes things more complicated for a pure domain environment. With direct management through GPO, you have much faster CA revocation than with an offline RootCA.


    Monday, April 16, 2012 7:12 AM
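Added example, not code from the thread or from either poster: the wind-down the original post lays out and the second reply confirms (long-lived CRL, remove only pKIEnrollmentService, leave the other containers), as PowerShell run on the old Enterprise CA, followed by the CAPolicy.inf and CDP/AIA settings for the new hierarchy. The CA config string, CA name, host name pki.example.com and file paths are assumptions. One caveat the thread does not spell out: Windows does not revocation-check a self-signed trust anchor, so a CDP inside the root certificate itself is never fetched; what the DirectAccess/RDP clients actually need to reach is the CDP in the issuing CA certificate (which points at the root's CRL) and in the leaf certificates, which is why the new issuing CA below lists an Internet-resolvable HTTP URL before the LDAP one.

```powershell
# Added example, not code from the thread. All names and paths below are assumptions.
# Part 1 runs on the OLD Enterprise CA (as CA admin / Enterprise Admin).
# Part 2 runs on the NEW offline root (before ADCS setup) and NEW issuing CA (after).

#Requires -RunAsAdministrator

# ---------- Part 1: wind down the old CA without breaking ~1500 issued certs ----------
$OldCaConfig = 'OLD-CA.corp.contoso.local\Contoso Old Issuing CA'   # assumed <host>\<CA name>
$OldCaName   = 'Contoso Old Issuing CA'

# Make the next base CRL reach past the NotAfter of the last issued certificate (which
# cannot exceed the old CA certificate's own NotAfter), and stop delta CRLs so clients
# do not keep looking for a fresher delta.
certutil -config $OldCaConfig -setreg CA\CRLPeriod 'Years'
certutil -config $OldCaConfig -setreg CA\CRLPeriodUnits 10
certutil -config $OldCaConfig -setreg CA\CRLDeltaPeriodUnits 0
Restart-Service -Name CertSvc          # -setreg values are read at service start

# Publish the long-lived CRL to every configured CDP (LDAP and the CertEnroll share)
certutil -config $OldCaConfig -CRL

# Remove ONLY the enrollment-services object so domain clients stop seeing the old CA
# as an enrollment target. NTAuthCertificates, Certification Authorities, CDP and AIA
# stay in place, so chain building and CRL lookup for existing certs keep working.
$ConfigNC    = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$EnrollSvcDN = "CN=$OldCaName,CN=Enrollment Services,CN=Public Key Services,CN=Services,$ConfigNC"
([ADSI]"LDAP://$EnrollSvcDN").DeleteTree()

# Confirm an already-issued leaf still validates end to end (chain build + CRL fetch).
# Expect "Leaf certificate revocation check passed"; a "revocation server was offline"
# error means the CRL path is not reachable from this machine.
certutil -verify -urlfetch 'C:\Temp\old-leaf.cer'    # assumed path to an exported old cert

# ---------- Part 2: new hierarchy, no CDP/AIA in the root, HTTP first everywhere else --------
# On the new OFFLINE root, before installing the ADCS role: CAPolicy.inf with Empty=True
# suppresses the CDP and AIA extensions in the self-signed root certificate.
@'
[Version]
Signature="$Windows NT$"

[Certsrv_Server]
RenewalKeyLength=4096
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=20
CRLPeriod=Years
CRLPeriodUnits=1
CRLDeltaPeriodUnits=0

[CRLDistributionPoint]
Empty=True

[AuthorityInformationAccess]
Empty=True
'@ | Set-Content -Path "$env:windir\CAPolicy.inf" -Encoding ASCII

# On the new ONLINE issuing CA, after installation: CDP and AIA URLs that Internet-connected
# DirectAccess/RDP clients can reach. The HTTP entry precedes LDAP so it is tried first;
# pki.example.com is an assumed ISP-hosted name. certutil reads '\n' as the value separator.
# Flag bits: 1 = publish here, 2 = include in the extension of issued certs,
#            4 = include in CRLs (delta location), 8 = include in all CRLs, 64 = publish deltas here.
$Cdp = '65:' + "$env:windir\system32\CertSrv\CertEnroll\%3%8%9.crl" +
       '\n6:http://pki.example.com/pki/%3%8%9.crl' +
       '\n79:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10'
$Aia = '1:' + "$env:windir\system32\CertSrv\CertEnroll\%1_%3%4.crt" +
       '\n2:http://pki.example.com/pki/%1_%3%4.crt' +
       '\n2:ldap:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,%6%11'
certutil -setreg CA\CRLPublicationURLs $Cdp
certutil -setreg CA\CACertPublicationURLs $Aia
Restart-Service -Name CertSvc
certutil -CRL                            # publish the issuing CA's first CRL to the new locations

# Copy the root and issuing CA .crl/.crt files to the ISP web server so the HTTP URLs resolve,
# then re-run 'certutil -verify -urlfetch' against a freshly issued cert from outside the LAN.
```

The old-CA part is the reversible half: as the second reply says, keep a backup of the old CA and leave its root and issuing certificates trusted, since the only thing removed from AD here is the enrollment object. Run the final `certutil -verify -urlfetch` from a machine that is not on the LAN (a DirectAccess client at home, for example); from inside the domain the LDAP path resolves and the check will pass even when the HTTP publishing is still broken.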