Certificate Authority Migration - CDP Location #1 Unable to Download

Justin Mattingly
2025-11-20T20:50:10.2533333+00:00

I am following the guide published here: https://learn.microsoft.com/en-us/troubleshoot/windows-server/certificates-and-public-key-infrastructure-pki/move-certification-authority-to-another-server

I am using it to migrate the Certificate Authority from an ancient server (2012 R2) to a new VM (2022 Datacenter).

I've backed up the DB/private key, and the registry key has been exported successfully.

The issue I am encountering is tied to the PKIVIEW.

- The new server will have a different hostname from the old server.

- From PKIView I can see my CA certificate is fine and my AIA Location #1 is fine, but my CDP Location #1 is reporting "Unable to Download".

In my Location info for AIA I have an LDAP entry stating something like:

ldap:///CN=Business-Business.Server-CA, CN=AIA, CN=Public. . .objectClass=certificationAuthority

In my location info for CDP I have http://business-server/CertEnroll/Business-Business-Server-CA.crl

The URL does not resolve.

If I navigate to C:\Windows\System32\Certsrv\CertEnroll I can actually see the CRL file there.

I have two main questions:

  1. What can I do to resolve the immediate problem of the CDP location being unavailable?
    1. I've tried manually republishing the revocation list but that does not appear to have done anything I can see.
  2. On the new server (When I'm standing the new CA box up) will I need to reference this older server in the CDP and CRL configuration? How and where would I do that?

Bonus question that may demonstrate my ignorance:

  • If this server is going to stop being used for CA and will eventually be decommissioned entirely, is there an option for me to just create this CRL on the new server? I'm trying to understand why I need to reference the old CRL and CDP info for a server that will have the role uninstalled.

I don't have a lot of experience working on this, so I'm a bit confused and am trying to take notes as I research.


1 answer

  1. Kate Pham (WICLOUD CORPORATION), Microsoft External Staff Moderator
    2025-11-21T07:14:53.54+00:00

    Hi Justin Mattingly,

    Thank you for contacting the Q&A community!

    Allow me to summarize the current background information. Please let me know if I'm misunderstanding anything!

    After checking PKIView on the RootCA:

    • AIA Location #1 is OK
    • CDP Location #1: Unable To Download
    • When you tried to access the URL http://business-server/CertEnroll/Business-Business-Server-CA.crl, it failed to resolve

    Possible cause: The CRL file exists locally, but IIS (for that URL/hostname) is not reachable, so PKIView reports "Unable to Download".

    Technically, the URL is hosted by IIS; please refer to the instructions below to set up the IIS configuration:

    • Open IIS Manager
    • Navigate to the CertEnroll Site:
      • Under Sites, click Default Web Site
      • In the Features View, locate and click CertEnroll
    • Directory Browsing: Enabled
    • Anonymous Authentication: Enabled
    • Windows Authentication: Disabled

    Moreover, please temporarily turn off the HTTP redirect if your current configuration is forcing HTTPS.

    Then, since, as you mentioned, C:\Windows\System32\Certsrv\CertEnroll contains the CRL files, please check:

    • On the RootCA server, make sure the CDP location is pointing to the correct CRL file. Update/add the HTTP CDP if needed.
    • Copy C:\Windows\System32\Certsrv\CertEnroll on the RootCA server and paste it into the same folder path on the Enterprise CA server.

    After that, restart the PKI service and check whether the status of the CDP location is OK yet.

    Feel free to reach out if you have further concerns related to the above steps.

    If you believe this information adds some value, please accept the answer so that your experience with the issue would help contribute to the whole community.

    Best wishes!

    Kate,

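The check PKIView performs on the CDP can be reproduced from the command line, which separates the two failure modes discussed in this thread: a hostname that does not resolve at all (the DNS problem the question describes) and a host that resolves but whose IIS CertEnroll virtual directory does not serve the file (the IIS settings the answer covers). The PowerShell below is an added example, not code from the thread or from Microsoft; it assumes the default CertEnroll path, the DnsClient module, and an elevated PowerShell session on the CA host.

```powershell
# Added example (not from the thread): test each HTTP CDP URL embedded in the
# published CA certificate the way a relying party and PKIView would, and report
# separately whether DNS, the HTTP fetch, or the CRL itself is the problem.
# Assumes the default CertEnroll location on the CA host.
$enroll = Join-Path $env:SystemRoot 'System32\CertSrv\CertEnroll'
$caCert = Get-ChildItem "$enroll\*.crt" |
    Sort-Object LastWriteTime -Descending | Select-Object -First 1
if (-not $caCert) { throw "No CA certificate found in $enroll" }

# certutil -dump prints every CDP entry as a 'URL=' line; keep only HTTP(S) ones.
# LDAP entries are published by the CA into AD itself and are not tested here.
$urls = certutil -dump $caCert.FullName |
    Select-String -Pattern 'URL=(https?://\S+\.crl)' |
    ForEach-Object { $_.Matches[0].Groups[1].Value } |
    Select-Object -Unique

foreach ($url in $urls) {
    $uri = [Uri]$url

    # Step 1: does the CDP hostname resolve? If not, IIS settings are irrelevant;
    # the fix is a DNS record for the old name or a corrected CDP URL on the CA.
    try { $null = Resolve-DnsName -Name $uri.Host -ErrorAction Stop }
    catch { Write-Warning "$url : host '$($uri.Host)' does not resolve"; continue }

    # Step 2: anonymous HTTP GET, exactly what clients checking revocation do.
    # A failure here with a resolving host points at IIS (auth, redirect, vdir).
    $tmp = Join-Path $env:TEMP 'cdp-check.crl'
    try { Invoke-WebRequest -Uri $url -UseBasicParsing -OutFile $tmp -ErrorAction Stop }
    catch { Write-Warning "$url : HTTP download failed: $($_.Exception.Message)"; continue }

    # Step 3: confirm the bytes are a parsable CRL (not an HTML error page) and
    # show its NextUpdate so a stale CRL is caught as well.
    $dump = certutil -dump $tmp
    if ($LASTEXITCODE -ne 0) { Write-Warning "$url : downloaded file is not a parsable CRL"; continue }
    $next = ($dump | Select-String 'NextUpdate:' | Select-Object -First 1).Line.Trim()
    Write-Output "$url : OK ($next)"
}
```

Run it again after any IIS or CDP change; a URL reported OK here is the same condition PKIView reports as OK for that CDP location.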
