PKIVIEW CDP location not updating

asked 2020-09-23T19:15:20.187+00:00
KJ 81 Reputation points

I am having a similar problem to this: https://social.msdn.microsoft.com/Forums/en-US/bc49c902-f8cf-4c9f-b239-09c7470ceb9b/enterprise-pkiview-not-updating-http-cdp-files?forum=winserversecurity

https://social.msdn.microsoft.com/Forums/en-US/7538720a-1a7a-4f68-a1d3-870e9f708957/stale-pkiview-cdp-location?forum=winserversecurity

CRL file for issuing CA shows as expired in PKIVIEW in one of the 2 CDP locations.
All CDP file locations show the current CRL file when we browse to the local folder locations on the server and paste the listed web URLs into a web browser.
We have already tried restarting the issuing CA and running the "certutil -cainfo xchg" to update pkiview cache, but nothing has helped.

What else is left to do to get pkiview to update the problem CDP location?


Accepted answer
  1. answered 2020-09-24T01:20:42.727+00:00
    Fan Fan 15,061 Reputation points

    Hi,
    To understand the issue more clearly, could you tell us more about the CA environment?
    First, is it a one-tier PKI or a two-tier PKI?
    Is the root CA offline?
    If the root CA is offline, we need to publish to the CDP location manually. The following steps are for your reference:
    1. Manually generate the CRL from the Root CA and publish it.
    2. Import the CRL on the subordinate CA.
    3. Restart the service.
    For more details, refer to the following link:
    https://social.technet.microsoft.com/wiki/contents/articles/15037.ad-cs-step-by-step-guide-two-tier-pki-hierarchy-deployment.aspx#Configure_the_CDP

    Best Regards,

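The three steps above, plus a check of what each HTTP CDP actually serves, as an added PowerShell example. This is not code from the thread or from Microsoft; it is written against the standard certutil switches and the ADCS service name. The CertEnroll path, the transfer path, the publishing directories and the two CRL URLs are assumptions for illustration, and the two cache-flush commands (certutil -urlcache and ChainCacheResyncFiletime) are an addition beyond what the answer lists, since a host-local CryptoAPI cache is one reason a tool on the issuing CA keeps reporting an old CRL after the files themselves are current.

```powershell
# Added example (not from the original thread): re-publish the offline root CA's
# CRL to file/HTTP CDP locations, make the issuing CA pick it up, and verify
# what each HTTP endpoint is really serving. Paths, hosts and URLs are assumed.
#Requires -RunAsAdministrator

# ---- Step 1: run on the OFFLINE ROOT CA --------------------------------------
# Generate a fresh CRL (certutil writes it to the CA's CertEnroll folder) and
# return the newest .crl file, to be carried to the issuing CA on removable media.
function New-RootCrl {
    certutil -crl | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certutil -crl failed with exit code $LASTEXITCODE" }
    Get-ChildItem "$env:SystemRoot\System32\CertSrv\CertEnroll\*.crl" |
        Sort-Object LastWriteTime -Descending | Select-Object -First 1
}

# ---- Step 2: run on the ISSUING CA --------------------------------------------
# Copy the CRL to every publishing path (assumed: the local IIS folder behind the
# first HTTP URL and a UNC share behind the second), import it into the local
# Root store, flush the host's CRL/URL cache, and restart the CA service.
function Publish-RootCrl {
    param(
        [Parameter(Mandatory)] [string]   $CrlPath,                 # e.g. D:\transfer\Contoso-RootCA.crl (assumed)
        [string[]] $PublishDirs = @('C:\inetpub\pki', '\\pki02.contoso.com\pki$')   # assumed
    )
    foreach ($dir in $PublishDirs) {
        Copy-Item -Path $CrlPath -Destination $dir -Force
    }
    certutil -addstore -f Root $CrlPath | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certutil -addstore failed with exit code $LASTEXITCODE" }
    # Drop cached URL fetches and force chain-cache resync on this host; a stale
    # local copy is what makes tools here keep "seeing" an old CRL.
    certutil -urlcache * delete | Out-Null
    certutil -setreg chain\ChainCacheResyncFiletime @now | Out-Null
    Restart-Service certsvc
}

# ---- Step 3: verify each HTTP CDP ---------------------------------------------
# Download every CRL URL with caching disabled, hash the file and read its
# ThisUpdate/NextUpdate fields, so a stale copy on one endpoint shows up as a
# different hash and an earlier NextUpdate than the other location.
function Test-CdpCrl {
    param([Parameter(Mandatory)] [string[]] $Url)
    foreach ($u in $Url) {
        $tmp = Join-Path $env:TEMP ([IO.Path]::GetRandomFileName() + '.crl')
        try {
            Invoke-WebRequest -Uri $u -OutFile $tmp -UseBasicParsing `
                -Headers @{ 'Cache-Control' = 'no-cache'; 'Pragma' = 'no-cache' }
            $dump = certutil -dump $tmp
            # certutil prints dates in the host's locale; [datetime]::Parse uses the same culture.
            $this = (($dump | Select-String 'ThisUpdate:').Line -replace '.*ThisUpdate:\s*', '').Trim()
            $next = (($dump | Select-String 'NextUpdate:').Line -replace '.*NextUpdate:\s*', '').Trim()
            [pscustomobject]@{
                Url        = $u
                Sha256     = (Get-FileHash -Path $tmp -Algorithm SHA256).Hash
                ThisUpdate = $this
                NextUpdate = $next
                Expired    = ([datetime]::Parse($next) -lt (Get-Date))
                Error      = $null
            }
        } catch {
            [pscustomobject]@{ Url = $u; Sha256 = $null; ThisUpdate = $null; NextUpdate = $null
                               Expired = $true; Error = $_.Exception.Message }
        } finally {
            Remove-Item $tmp -ErrorAction SilentlyContinue
        }
    }
}

# Usage on the issuing CA (both URLs are assumed names, not the poster's):
$crlUrls = @('http://pki.contoso.com/pki/Contoso-RootCA.crl',
             'http://pki02.contoso.com/pki/Contoso-RootCA.crl')
Publish-RootCrl -CrlPath 'D:\transfer\Contoso-RootCA.crl'
Test-CdpCrl -Url $crlUrls | Format-Table -AutoSize
```

If the two rows disagree on Sha256 or NextUpdate, the problem is on the serving side (the file under that virtual directory, or a caching proxy between the CA and that host); if both rows agree and show the new NextUpdate while the viewer still reports the old CRL, the stale copy is local to the host running the viewer, which is what the cache flush in Publish-RootCrl targets.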

2 additional answers

  1. answered 2020-09-24T01:34:58.867+00:00
    KJ 81 Reputation points

    It is a 2 tier PKI with an offline root.
    We have already generated a new CRL from the offline root.
    We have already copied the new CRL to the file locations on the subordinate CA specified in the CDP.
    We have already copied the CRL to the HTTP locations specified in the CDP.
    We have verified that the CRL HTTP location is accessible from a web browser and that the correct CRL file downloads.

    We are not using LDAP locations. Only file and HTTP.
    There are 2 HTTP locations.

    Despite this, pkiview still sees the old CRL file in one of the HTTP locations instead of the new CRL file that has been installed in all the CDP locations.


  2. answered 2020-09-24T20:33:48.063+00:00
    KJ 81 Reputation points

    The issue went away overnight with no further steps taken.