What are the steps to configure the new CA to publish CRLs to the old path?

ManuelVallejo 36 Reputation points
2020-08-07T15:24:30.407+00:00

Hi to all
How can I configure the new CA to publish CRLs to the old (pre-migration) path as well as the new paths?
Ref: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc742388(v=ws.10)?redirectedfrom=MSDN

"By default, Active Directory Certificate Services (AD CS) is configured with certificate revocation list (CRL) distribution point extensions that include the CA computer host name in the path. This means any certificates issued by the CA before migration may contain certificate validation paths that contain the old host name. These paths may no longer be valid after the migration. To avoid revocation checking errors, the new CA must be configured to publish CRLs to the old (pre-migration) path as well as the new paths. "


5 answers

  1. Anonymous
    2020-08-10T12:09:26.687+00:00

    Hello ManuelVallejo-8019,

    Thank you for posting here.

    Based on the test in my lab, we can set it up as below:

    Step1

    I set up a one-tier CA in my lab based on the link below.

    ADCS Step by Step Guide: Single Tier PKI Hierarchy Deployment
    https://social.technet.microsoft.com/wiki/contents/articles/11750.adcs-step-by-step-guide-single-tier-pki-hierarchy-deployment.aspx

    Step2

    I configured the AIA and CDP entries in the extension on the old CA server.

    AIA entries
    C:\Windows\system32\CertSrv\CertEnroll\<ServerDNSName>_<CaName><CertificateName>.crt
    ldap:///CN=<CATruncatedName>,CN=AIA,CN=Public Key Services,CN=Services,<ConfigurationContainer><CAObjectClass>
    http://pki.fabrikam.com/CertEnroll-CA1/<ServerDNSName>_<CaName><CertificateName>.crt

    CDP entries (2019server is my IIS server)
    C:\Windows\system32\CertSrv\CertEnroll\<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl
    ldap:///CN=<CATruncatedName><CRLNameSuffix>,CN=<ServerShortName>,CN=CDP,CN=Public Key Services,CN=Services,<ConfigurationContainer><CDPObjectClass>
    http://pki.fabrikam.com/CertEnroll-CA1/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl
    file://\\2019server.fabrikam.com\CertEnroll-CA1\<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl

    Step3

    I migrated the CA from CA1 (host name) to CA2 (host name) based on the link below.

    Step-By-Step: Migrating The Active Directory Certificate Service From Windows Server 2008 R2 to 2019
    https://techcommunity.microsoft.com/t5/itops-talk-blog/step-by-step-migrating-the-active-directory-certificate-service/ba-p/697674

    Step4

    By default, all the AIA and CDP entries under Extensions tab of the CA Properties on the old CA will be migrated from old CA server to new CA server.

    Step5

    I added another HTTP CDP based on the steps below.

    1. Create a folder named certenroll1 (or another name; in my case it is CertEnroll-CA2 (C:\CertEnroll-CA2)) on the same IIS server I used when I set up the CA (or on another new IIS server).


    2. Assume I will add an HTTP-type CRL.

    Add another CDP on the Extensions tab of the new CA server (CA2).
    http://pki.fabrikam.com/CertEnroll-CA2/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl
    file://\\2019server.fabrikam.com\CertEnroll-CA2\<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl


    3. Republish the CRL and check that the CRL appears on the IIS server (for example in CertEnroll-CA2).

    4. Open PKIview.msc to check the new CA's CDP.

    Hope the information is helpful. If anything is unclear, please feel free to let us know.

    Best Regards,
    Daisy Zhou
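One way to script the answer's steps 4 and 5 and then verify the result from a client's point of view. This is an added example, not part of the original answer or of Microsoft's documentation; it uses the ADCSAdministration cmdlets and certutil. The host names, share and folder names (pki.fabrikam.com, 2019server.fabrikam.com, CertEnroll-CA1, CertEnroll-CA2) are the answer's lab placeholders, and the pre-migration certificate path is a placeholder as well.

```powershell
# Added example (not from the original answer). Assumes Windows Server 2012 R2 or
# later, the ADCSAdministration module (installed with the AD CS role), and an
# elevated PowerShell session on the migrated CA (host name CA2). All host, share
# and folder names are placeholders taken from the answer's lab.
Import-Module ADCSAdministration

# Old (pre-migration) locations: already-issued certificates point here, so the
# new CA must keep writing CRLs to them or revocation checks on old certs fail.
$oldUnc  = 'file://\\2019server.fabrikam.com\CertEnroll-CA1\<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl'
# New locations that certificates issued after the migration should carry.
$newUnc  = 'file://\\2019server.fabrikam.com\CertEnroll-CA2\<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl'
$newHttp = 'http://pki.fabrikam.com/CertEnroll-CA2/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl'

# 1. Inspect what the migration carried over (the answer's step 4). The old UNC
#    entry must exist with PublishToServer set, or the CRL at the old path will
#    silently go stale once the current one reaches its NextUpdate time.
$cdps = Get-CACrlDistributionPoint
$cdps | Format-Table Uri, PublishToServer, PublishDeltaToServer,
                     AddToCertificateCdp, AddToFreshestCrl -AutoSize

$oldEntry = $cdps | Where-Object Uri -eq $oldUnc
if (-not $oldEntry -or -not $oldEntry.PublishToServer) {
    # Re-add the old share as a publish target for base and delta CRLs. The URI
    # is removed first because an entry's flags cannot be edited in place.
    if ($oldEntry) { Remove-CACrlDistributionPoint -Uri $oldUnc -Force }
    Add-CACrlDistributionPoint -Uri $oldUnc -PublishToServer -PublishDeltaToServer -Force
}

# 2. Add the new locations (the answer's step 5): publish to the new share, and
#    put only the HTTP URL into the CDP / Freshest CRL extensions of new certs.
if (-not ($cdps.Uri -contains $newUnc)) {
    Add-CACrlDistributionPoint -Uri $newUnc -PublishToServer -PublishDeltaToServer -Force
}
if (-not ($cdps.Uri -contains $newHttp)) {
    Add-CACrlDistributionPoint -Uri $newHttp -AddToCertificateCdp -AddToFreshestCrl -Force
}

# 3. Extension changes take effect after a service restart; then force a CRL
#    publish, which writes to every PublishToServer/PublishDeltaToServer location.
Restart-Service certsvc
certutil -crl

# 4. Verify the OLD HTTP path the way a client would: download the CRL and check
#    the issuer and validity window. The <CaName> token is the sanitized CA name;
#    for names without special characters it equals the registry value read here.
$caName  = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration').Active
$crlFile = Join-Path $env:TEMP "$caName.crl"
Invoke-WebRequest -Uri "http://pki.fabrikam.com/CertEnroll-CA1/$caName.crl" -OutFile $crlFile
certutil -dump $crlFile | Select-String 'Issuer:|ThisUpdate|NextUpdate'

# 5. Full chain and revocation check on a certificate issued BEFORE the migration
#    (placeholder path). Look for "Revocation Check Passed" and no CRL retrieval
#    errors in the output; pkiview.msc gives the same information graphically.
certutil -verify -urlfetch 'C:\temp\pre-migration-cert.cer'
```

Two caveats a practitioner should keep in mind. First, if the pre-migration CDP used the default `http://<ServerDNSName>/CertEnroll/...` form that the quoted documentation warns about, publishing to the old path is not enough on its own: the old host name CA1 must still resolve, for example through a DNS alias pointing at the web server that now hosts the folder, or clients will fail to fetch the CRL regardless of what the CA publishes. Second, consider keeping the old entry as a publish-only target (without AddToCertificateCdp) so that it stops appearing in new certificates and can be retired once every pre-migration certificate has expired.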


  2. ManuelVallejo 36 Reputation points
    2020-08-14T02:51:12.357+00:00

    Hi Daisy Zhou

    I will check your answer right now


  3. ManuelVallejo 36 Reputation points
    2020-08-14T03:58:16.397+00:00

    Hi Daisy Zhou,

    > Step2
    > I configured the AIA and CDP entries in the extension on the old CA server.

    Could you give me more details about why you configured the old CA server? I think AIA and CDP were configured when someone deployed the old CA.

    So there is no need to configure AIA and CDP again, is there?


  4. ManuelVallejo 36 Reputation points
    2020-08-14T04:42:05.357+00:00

    I meant, AIA and CDP come configured by default in the old CA, unless you prepare an additional server with the following roles:
    Web Server, HTTP host for CDP and AIA, like the example where PKI is an alias for the srv1 server.


  5. ManuelVallejo 36 Reputation points
    2020-08-14T04:51:20.25+00:00

    How do you list the certificate templates for an enterprise CA?

