subordinate cert renewal - CRL file

    Question

  • Hello everyone,

    When renewing the certificate "with same key" on our CA, the CRL distribution point of any old cert that was issued to clients is pointing to the old .crl file, meaning they reflect the old revocation list, but any newly issued certificates are pointing to an up-to-date (1).crl file. How do clients that still have the old .crl file in their CRL distribution point know which certs were revoked? And how do we ensure certs issued prior to the CA renewal have an up-to-date revocation list?

    Thanks



    • Edited by brascon Friday, April 19, 2019 11:48 PM
    Friday, April 19, 2019 4:13 PM

Answers

  • If you had generated the certificate with the same key, then the CRL file name would have remained the same; but your previous CRL was CAName.crl and there now exists a CAName(1).crl. Clients know which CRL file to verify against based on the certificate used to sign their issued certificate.

    If the original CA certificate was used to sign, the CDP extension references the CAName.crl file.

    If the renewed CA certificate was used to sign, the CDP extension references the CAName(1).crl file

    Bottom line, you must have renewed with a new key pair (which is a good thing, because it is not recommended to renew with the same key pair).

    Brian

    • Proposed as answer by Brian Komar [MVP] Saturday, April 20, 2019 1:41 PM
    • Marked as answer by brascon Saturday, April 20, 2019 3:18 PM
    Saturday, April 20, 2019 1:03 AM
  • There are two CRLs in play now, and that is as designed.

    If a certificate signed by the original CA certificate is revoked, the serial number is added to caname.crl

    Likewise, 

    If a certificate signed by the renewed CA certificate is revoked, the serial number is added to caname(1).crl

    You cannot force a client to look at the incorrect version. Simply look at the client certificate's CDP extension to see which CRL it is looking at. You can also run certutil -verify -urlfetch Clientcert.cer and see the revocation checking output.

    Brian

    • Proposed as answer by Brian Komar [MVP] Saturday, April 20, 2019 1:41 PM
    • Marked as answer by brascon Saturday, April 20, 2019 3:18 PM
    Saturday, April 20, 2019 1:41 PM
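    To make the checks in the two answers above concrete (read the client certificate's CDP extension, work out which of the two same-named CA certificates signed it, then let certutil do the live revocation check), here is an added PowerShell example. It is not part of the thread or of any Microsoft tool; the file names client.cer, CAName.cer and CAName(1).cer are assumptions, as is the layout of the Authority Key Identifier parsed in Get-AkiKeyId (Windows CAs emit the keyIdentifier form by default).

```powershell
# Added example (not from the thread): inspect which CRL a client certificate will check,
# identify which CA key signed it, then run certutil for the live revocation check.
#
# Assumptions (adjust to your environment):
#   .\client.cer                       an end-entity certificate issued by the CA
#   .\CAName.cer and .\CAName(1).cer   the original and the renewed CA certificates
param(
    [string]   $ClientCert = '.\client.cer',
    [string[]] $CaCerts    = @('.\CAName.cer', '.\CAName(1).cer')
)

function Import-Cert([string]$Path) {
    # X509Certificate2 resolves relative paths against the .NET working directory,
    # which can differ from the PowerShell location, so resolve the path first.
    New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 ((Resolve-Path $Path).Path)
}

function Get-ExtensionText([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert, [string]$Oid) {
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $Oid }
    if ($null -eq $ext) { return $null }
    $ext.Format($true)   # multi-line rendering, the same text certutil -dump prints
}

function Get-AkiKeyId([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert) {
    # AuthorityKeyIdentifier ::= SEQUENCE { keyIdentifier [0] IMPLICIT OCTET STRING OPTIONAL, ... }
    # Minimal DER walk: skip the SEQUENCE header, then read the [0] element (tag 0x80).
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.35' }
    if ($null -eq $ext) { return $null }
    $raw = $ext.RawData
    $i = 1
    if ($raw[$i] -band 0x80) { $i += ($raw[$i] -band 0x7F) }   # long-form length: skip its bytes
    $i++
    if ($raw[$i] -ne 0x80) { return $null }                     # keyIdentifier absent (assumption: present)
    $len = $raw[$i + 1]
    ($raw[($i + 2)..($i + 1 + $len)] | ForEach-Object { $_.ToString('x2') }) -join ''
}

$client = Import-Cert $ClientCert
"Subject : $($client.Subject)"
"Issuer  : $($client.Issuer)   (same DN for both CA certs, so the name alone cannot tell them apart)"

# 1. The CDP extension (OID 2.5.29.31) is the URL the client will fetch; nothing on the client overrides it.
"`nCRL Distribution Points:"
Get-ExtensionText $client '2.5.29.31'

# 2. Which CA key signed it: the client's AKI must equal the SKI of exactly one CA certificate.
$aki = Get-AkiKeyId $client
"`nAuthority Key Identifier on client cert: $aki"
foreach ($path in $CaCerts) {
    $ca     = Import-Cert $path
    $skiExt = $ca.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509SubjectKeyIdentifierExtension] }
    $ski    = if ($skiExt) { $skiExt.SubjectKeyIdentifier.ToLower() } else { '(no SKI)' }
    $mark   = if ($ski -eq $aki) { '<== signed by this CA key' } else { '' }
    "  {0,-18} SKI {1} {2}" -f (Split-Path $path -Leaf), $ski, $mark
}

# 3. Live check: certutil follows the CDP/AIA URLs and reports which CRL it fetched and whether the
#    certificate is revoked. The wording of its output varies by Windows version, so it is shown unfiltered.
"`ncertutil -verify -urlfetch:"
certutil -verify -urlfetch (Resolve-Path $ClientCert).Path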

All replies

  • Thanks Brian, I guess we will have to wait for the old client certs to be renewed. Will it cause a problem? Is there a way to force them to look for the new CAName(1).crl? Also, how do we check with certutil which CRL the client cert was signed against?

    Thanks

    Saturday, April 20, 2019 12:21 PM
  • Excellent, Brian, thanks for the info.
    Saturday, April 20, 2019 3:19 PM
  • Indeed it is. I tested, and as you explained it was signed by the old CA cert. When do we renew with the same key pair versus new keys? Also, we have CRL and OCSP implemented; is that OK? Does the client choose which method to use?

    Thanks

    Saturday, April 20, 2019 5:27 PM