Purpose and impact of CA Exchange certificate in a PKI environment

Hobbit 32 41 Reputation points
2020-11-05T06:40:53.377+00:00

Good morning everyone,

I set up an OCSP in a 2-tier PKI infrastructure:

The OCSP shows an error in pkiview.msc. To get it "green" in pkiview.msc, I had to delete and recreate the CA Exchange certificate (certutil -cainfo xchg).

  • Is it normal? (I mean, is this the usual way to do it?)
  • Should I watch for any side effects on the PKI when I delete and recreate this CA Exchange certificate?
  • What is the purpose of this CA Exchange certificate? I understand it is to manage the archival of the certificate private key from the workstation to the KRA. I don't understand why it is involved with the OCSP.

Thank you for your time

Windows Server Security

Accepted answer
Vadims Podāns 9,121 Reputation points MVP
    2020-11-05T07:06:32.56+00:00

    Is it normal? (I mean, is this the usual way to do it?)

    Sometimes it is. PKIView.msc relies on CA Exchange certificate information to retrieve CDP/AIA URLs for leaf CAs and then to build the hierarchy in the console. If you made changes, you have to revoke the CA Exchange certificate, so the next time you run pkiview.msc a new CA Exchange certificate will be generated with updated URLs.

    Should I watch for any side effects on the PKI when I delete and recreate this CA Exchange certificate?

    No. The CA Exchange certificate is automatically controlled by the CA. It is primarily used for key archival.

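The procedure in the accepted answer, as an added PowerShell example (not code from the original thread or from the answer's author): find any still-valid CA Exchange certificate in the CA database, revoke it, and then request the CA Exchange certificate so the CA issues a fresh one carrying the CDP/AIA URLs currently configured. The CA config string is an assumed placeholder, and the script assumes the row layout `certutil -view` prints (one `Row N:` header followed by one line per requested column) and that the template column for the CA Exchange certificate contains either the name `CAExchange` or the template OID followed by the display name `CA Exchange`.

```powershell
# Added example, not from the original thread. Revokes every still-valid CA
# Exchange certificate in the CA database, then asks the CA for its CA
# Exchange certificate so a new one is issued with the CDP/AIA URLs that are
# configured on the CA right now (the step the accepted answer describes).
# Run in an elevated PowerShell session as a CA administrator / Certificate
# Manager on a host with the AD CS management tools (certutil.exe) installed.

# Assumed placeholder: "<CA host FQDN>\<CA common name>" of your issuing CA.
$CAConfig = 'ca01.contoso.com\Contoso Issuing CA'

function Get-ValidCAExchangeSerial {
    param([Parameter(Mandatory)][string]$Config)

    # Disposition 20 = issued and not revoked; NotAfter>=now = not yet expired.
    # The template is filtered here rather than in -restrict because V2
    # templates such as CAExchange are stored by OID in the database and
    # certutil prints the OID followed by the display name ("... CA Exchange").
    $rows = & certutil -config $Config -view `
        -restrict 'Disposition=20,NotAfter>=now' `
        -out 'SerialNumber,CertificateTemplate,NotAfter' 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "certutil -view failed:`n$($rows -join "`n")"
    }

    $serial = $null
    foreach ($line in $rows) {
        switch -Regex ($line) {
            '^Row \d+:'                            { $serial = $null }
            'Serial Number:\s+"?([0-9A-Fa-f]+)"?'  { $serial = $Matches[1] }
            'Certificate Template:.*CA\s?Exchange' { if ($serial) { $serial } }
        }
    }
}

function Reset-CAExchangeCertificate {
    param([Parameter(Mandatory)][string]$Config)

    $serials = @(Get-ValidCAExchangeSerial -Config $Config)
    if ($serials.Count -eq 0) {
        Write-Host 'No valid CA Exchange certificate found; the CA will issue one on demand.'
    }
    foreach ($serial in $serials) {
        # Reason 0 = Unspecified. The revoked certificate is listed in the next CRL.
        & certutil -config $Config -revoke $serial 0 | Out-Null
        if ($LASTEXITCODE -ne 0) {
            throw "Failed to revoke CA Exchange certificate $serial"
        }
        Write-Host "Revoked CA Exchange certificate with serial $serial"
    }

    # Requesting the CA Exchange certificate makes the CA issue a new one when
    # none is valid; the dump should now carry the current CDP/AIA URLs.
    & certutil -config $Config -cainfo xchg
}

Reset-CAExchangeCertificate -Config $CAConfig
```

After the script runs, refresh pkiview.msc; it fetches the CA Exchange certificate again and rebuilds the hierarchy from the URLs in the new certificate. Inspect the dump printed by `certutil -cainfo xchg` before trusting the console, so you can confirm the CDP/AIA extensions point at the locations you intended.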

1 additional answer

Hobbit 32 41 Reputation points
    2020-11-05T11:02:05.29+00:00

    Thank you again for your answer :)

