PKI - IssuingCA update (Operative System) and CRL info

49885604 145 Reputation points
2023-05-16T15:24:15.7033333+00:00

Hi everyone,

1) Regarding the PKI issue, I need to upgrade some IssuingCA servers from Windows Server 2012 R2 Datacenter to Windows Server 2019 Datacenter in the production environment. First of all, I need to know whether this is an activity with known problems, or whether it is possible to proceed with the update with the necessary precautions?

2) In my lab in Azure I backed up the IssuingCA and shut down the Issuing Server services. I updated the operating system to Windows Server 2019 Datacenter; everything went fine, but when trying to start the CA services I received an error related to "Revoked", which seemed to be related to the CRL. After the weekend I restarted the servers in my lab in Azure and left them turned on for a few hours; I wanted to recover the error to troubleshoot it, but the CRL had been updated and the services started correctly. Now the Issuing server enrolls certificates correctly to clients. Is it normal to have to wait a few hours before the CRL is updated and all the Issuing services start working again?

Is the procedure I followed correct?

Thanks in advance,

Alessio.


Accepted answer
  1. JimmySalian-2011 41,916 Reputation points
    2023-05-16T15:28:42.44+00:00

    Yes, you did the right thing by doing it in the dev environment; you will need to back up and stop all the CA services prior to the upgrade process. Point 1 is covered in this article - https://techcommunity.microsoft.com/t5/itops-talk-blog/step-by-step-migrating-the-active-directory-certificate-service/ba-p/697674

    Not sure why it started after a few hours; a bit strange on Point 2. However, without checking the logs and Event Viewer logs it will be difficult to analyse the issue. After the upgrade, also reissue the CRL to the CA and the clients so all are in sync.


    Please don't forget to upvote and Accept as answer if the reply is helpful


1 additional answer

  1. 49885604 145 Reputation points
    2023-05-17T11:27:37.3633333+00:00

    Hi @JimmySalian-2011,
    thanks for your reply. Where could I find CRL log details in Event Viewer?

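The accepted answer says to check the Event Viewer logs and reissue the CRL after the upgrade, and the follow-up asks where the CRL details live in Event Viewer. The script below is an added example written for this thread, not code from either poster or from Microsoft; it pulls those two threads together as a post-upgrade check list for an issuing CA. It assumes a default installation (CRL published to the CertEnroll folder under `%SystemRoot%\System32\CertSrv`, CA name read from the `CertSvc\Configuration` registry key) and uses a temporary file path of its own choosing for the exported CA certificate.

```powershell
# Added example (not from the thread): post-upgrade CRL health checks on an
# issuing CA. Run in an elevated PowerShell session on the CA itself.
#Requires -RunAsAdministrator

$since = (Get-Date).AddDays(-3)

# --- 1. Service state --------------------------------------------------------
Get-Service -Name CertSvc | Select-Object Name, Status, StartType
if ((Get-Service -Name CertSvc).Status -ne 'Running') {
    # A failed start is what the question describes; the events below explain it.
    Start-Service -Name CertSvc -ErrorAction Continue
}

# --- 2. CA events mentioning the CRL or revocation checking -------------------
# The CA writes to the Application log under this provider. A start failure
# caused by an expired or unreachable CRL in the CA's own chain is logged here.
Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'Microsoft-Windows-CertificationAuthority'
    StartTime    = $since
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'CRL|revocation|revoked' } |
    Select-Object TimeCreated, Id, LevelDisplayName, Message |
    Format-List

# --- 3. Service Control Manager entries for CertSvc (System log) --------------
Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Service Control Manager'
    StartTime    = $since
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Active Directory Certificate Services' } |
    Select-Object TimeCreated, Id, Message |
    Format-List

# --- 4. CRL publication settings ---------------------------------------------
# How often a base CRL is issued, and where it is published and advertised.
certutil -getreg CA\CRLPeriodUnits
certutil -getreg CA\CRLPeriod
certutil -getreg CA\CRLPublicationURLs

# --- 5. Does the CA's own certificate chain pass revocation checking? ---------
# certutil -verify -urlfetch walks the chain and fetches every CDP/AIA URL, so it
# reproduces the same condition that blocks service start (parent CA CRL expired
# or unreachable). The export path below is a placeholder of this example.
$caCert = Join-Path $env:TEMP 'issuing-ca.cer'
certutil -ca.cert $caCert | Out-Null
certutil -verify -urlfetch $caCert |
    Select-String -Pattern 'revocation|expired|ERROR|Verified'

# --- 6. Republish the CRL and confirm its validity window ---------------------
# This is the "reissue the CRL" step from the accepted answer. The CRL file is
# named after the active CA; that name is read from the CertSvc registry key.
certutil -crl
$caName  = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration').Active
$crlPath = Join-Path "$env:SystemRoot\System32\CertSrv\CertEnroll" "$caName.crl"
if (Test-Path $crlPath) {
    certutil -dump $crlPath | Select-String -Pattern 'ThisUpdate|NextUpdate|CRL Number'
} else {
    Write-Warning "CRL not found at $crlPath; check CA\CRLPublicationURLs for the real location."
}
```

Steps 4 to 6 need the CA service running, which is why the script tries to start it first; if the start fails, steps 2 and 3 are where the reason shows up (Application log, provider `Microsoft-Windows-CertificationAuthority`, plus the Service Control Manager entry in the System log). If step 5 reports the parent CA's CRL as expired or unreachable, the fix is to publish a fresh parent CRL to the advertised CDP locations rather than to relax checking: the `CRLF_REVCHECK_IGNORE_OFFLINE` value in `CA\CRLFlags` makes the service start without a reachable CRL, but it leaves the CA operating without the revocation check it was designed to perform.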