CDP Location keeps expiring

Daisy Zhou 18,721 Reputation points Microsoft Vendor
2020-07-15T06:54:12.543+00:00

I would like some info on a very specific CA behaviour for which I can't find any information on the web.
We have this PKI, with a RootCA that would be turned off followed by two subordinates.
Currently everything seems to be working fine, as long as I keep my RootCA online. CDP Location keeps expiring, but on the day of expiration it will renew for the next 3 days, and keep doing so. If I turn off the RootCA, I will need to turn it on again to renew.
On top of the root CA in the Enterprise PKI management tool, I noticed that both CDP Locations (#1, #2) are set to expire in July this year, and the locations are not the same as in the subordinates, so probably some sort of misconfiguration in pointing the CDP?
As shown in Root CA:
12279-ma1.png

As shown in SubCAs:
12280-ma2.png

No issues on CA Certificate and AIA Location.
Did anyone ever face this specific issue on a CA?
Thanks in advance.

Source link:
https://social.technet.microsoft.com/Forums/windowsserver/en-US/cb0a19be-e219-4303-9e38-b630b27cfe99/cdp-location-keeps-expiring?forum=winserverManagement

Windows Server Management

Accepted answer
  1. Fan Fan 15,301 Reputation points Microsoft Vendor
    2020-07-15T07:06:17.45+00:00

    Hello,
    Thank you for posting here!

    Here are the answers for our questions:

    Q1: CDP Location keeps expiring, but on the day of expiration it will renew for the next 3 days, and keep doing so. If I turn off the RootCA, I will need to turn it on again to renew.

    A1: Do we mean the CDP Location #1 on Enterprise CA1?
    If so, we can check if the CRL publication interval is three days. If so, we can change it.
    12390-18.png
    And we can check the Effective date and Next update of the CRL file.
    12451-20.png

    Usually, the CDP Locations will update automatically. But if it is expired, we should republish it manually.
    12452-21.png

    Q2: On top of the root CA in the Enterprise PKI management tool, I noticed that both CDP Locations (#1, #2) are set to expire in July this year, and the locations are not the same as in the subordinates, so probably some sort of misconfiguration in pointing the CDP?

    A2: If there is no error in PKIview.msc, I mean the status is OK, then the PKI is healthy.

    In my lab, the CDPs of the root CA and the sub CA are not the same. This is normal.
    12433-22.png

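The checks described in A1 (publication interval, Effective date / Next update of the CRL, manual republish) can also be done with `certutil` from an elevated PowerShell session on the CA. This is an added example, not part of the original answer; the CRL file path is a placeholder and the 6-month interval is a constructed value chosen only for illustration.

```powershell
# Added example: run elevated on the CA whose CDP location keeps expiring.
# ASSUMPTION: $CrlPath is a placeholder. Replace <CA name> with the file name
# of the CRL your CA actually publishes (default CertEnroll folder shown).
$CrlPath = "$env:windir\System32\CertSrv\CertEnroll\<CA name>.crl"

# 1. Read the current CRL publication interval (base CRL and delta CRL).
#    A value of 3 / Days here would explain a CDP that renews 3 days at a time.
certutil -getreg CA\CRLPeriodUnits
certutil -getreg CA\CRLPeriod
certutil -getreg CA\CRLDeltaPeriodUnits
certutil -getreg CA\CRLDeltaPeriod

# 2. Show the validity window of the published CRL file.
#    ThisUpdate / NextUpdate in the dump correspond to the
#    "Effective date" / "Next update" fields in the CRL viewer.
certutil -dump $CrlPath | Select-String -Pattern 'ThisUpdate', 'NextUpdate'

# 3. Change the base CRL interval.
#    ASSUMPTION: 6 Months is a constructed example value, not from the thread.
#    CRLPeriod accepts Hours, Days, Weeks, Months or Years.
certutil -setreg CA\CRLPeriodUnits 6
certutil -setreg CA\CRLPeriod 'Months'

# 4. Restart Certificate Services so the new interval is picked up.
Restart-Service -Name CertSvc

# 5. Republish the CRL manually (same as Revoked Certificates > Publish).
certutil -CRL

# 6. Confirm that NextUpdate now reflects the new interval.
certutil -dump $CrlPath | Select-String -Pattern 'ThisUpdate', 'NextUpdate'
```

On a root CA that is normally powered off, the newly published CRL file also has to be copied to the CDP location that clients actually fetch from before the CA is shut down again.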