Solving CDP/CRL issue

J. Random-Sysadm 41 Reputation points
2022-09-14T02:13:40.2+00:00

I have an issuing CA where the CA cert's LDAP CDP includes the system short-name macro. There is no HTTP CDP. I recently migrated the CA role to a new server. The current CDP now includes the new system name, which is causing an issue with certificates issued prior to the migration in that the older certificates have a CDP with the old server name listed. Is there any way for the CRL to be published to the old location automatically, similar to how it's automatically published to the new CDP?

I've published to the old location using certutil -dspublish -f CRLfile "old-system-name" which seems to have fixed the problem temporarily. However, wouldn't the issue show up again once the current CRL expires?


Accepted answer
  1. Vadims Podāns 9,121 Reputation points MVP
    2022-09-14T07:24:31.287+00:00

    You have to duplicate (add next to the existing one) the existing LDAP URL and replace the <ServerShortName> variable with a fixed constant that matches the old system name, checking only "Publish CRLs to this location" and "Publish Delta CRLs to this location". Then the CA will automatically publish subsequent CRLs to the previous location.
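The procedure from the accepted answer written out as an added example (not from the original post or the answerer), using the built-in ADCSAdministration module on the CA itself; OLDCA01 is a placeholder for the decommissioned server's short name:

```powershell
# Added example: add a second LDAP CDP entry with a fixed host name so the CA
# keeps publishing CRLs to the pre-migration location. Run on the new CA as a
# CA administrator. "OLDCA01" is a placeholder for the old server's short name.
Import-Module ADCSAdministration

# The existing LDAP entry still uses <ServerShortName>, which now expands to the
# new host. Leave it in place and add a parallel entry that hard-codes the old name.
$old = 'OLDCA01'
$ldapOld = "ldap:///CN=<CATruncatedName><CRLNameSuffix>,CN=$old,CN=CDP,CN=Public Key Services,CN=Services,<ConfigurationContainer><CDPObjectClass>"

# Only the two "publish" flags, as the answer describes. The URL is deliberately
# NOT added to the CDP extension of newly issued certificates (they already
# point at the new host), so nothing new depends on the old name.
Add-CACrlDistributionPoint -Uri $ldapOld -PublishToServer -PublishDeltaToServer -Force

# Equivalent certutil form (CRLPublicationURLs flags: 1 = publish CRLs,
# 64 = publish delta CRLs, so 65 = both):
#   certutil -setreg CA\CRLPublicationURLs "+65:$ldapOld"

# The CA service reads the publication list at start-up.
Restart-Service certsvc

# Publish a CRL now and confirm both LDAP entries appear with the expected flags.
certutil -crl
certutil -getreg CA\CRLPublicationURLs

# Caveat: the CA publishes as its computer account, while the earlier manual
# "certutil -dspublish" ran as the logged-on admin. If the scheduled publish
# fails, check that the new CA's computer account has write access to the
# CN=OLDCA01,CN=CDP,... container in AD (the ACL was set for the old server).
# Verify from a client with a pre-migration certificate:
#   certutil -verify -urlfetch .\old-cert.cer
```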

