PKI - IssuingCA update (Operative System) and CRL info

Question

Hi everyone,

1)Regarding the PKI issue, I need to upgrade some IssuingCA servers from Windows Server 2012 R2 Datacenter to Windows Server 2019 Datacenter, in the production environment. First of all I need to know if it's an activity with known problems or is it possible to proceed with the update but with the necessary precautions?

2)In my lab in Azure I backed up the IssuingCA and shut down the Issuing Server services. I updated the Operating System to the Windows Server 2019 Datacenter version, everything went fine but trying to start the CA services I received an error related to the Revoked which seemed to be related to the CRL, after the weekend I restarted the servers in my laboratory in Azure and I left them turned on for a few hours, I wanted to recover the error to troubleshoot it but the CRL was updated and the services started correctly. Now, Issuing server enroll certificates correctly to clients. Is it normal to have to wait a few hours before the CRL is updated and all the Issuing services start working again?

Is it correct the procedure I followed?

Thanks in advance,

Alessio.

Answer 1

Yes you did the right thing by doing it in the Dev Environment, you will need to backup and stop all the CA services prior to the upgrade process. Point 1 is covered in this article - https://techcommunity.microsoft.com/t5/itops-talk-blog/step-by-step-migrating-the-active-directory-certificate-service/ba-p/697674

Not sure why it started after few hours bit strange on Point 2 however without checking the logs and event viewer logs it will be difficult to analyse the issue. After upgrade also reissue the CRL to the CA and the clients so all are sync.

---

Please don't forget to upvote and Accept as answer if the reply is helpful

Answer 2

Hi @JimmySalian-2011,
thanks for your reply, where I could find CRL log details in EventViewer?