Which are the steps to configured to new CA to publish CRLs to the old.

Question

Which are the steps to configured to new CA to publish CRLs to the old.

ManuelVallejo 36

Hi to all
How can I configured the new CA to to publish CRLs to the old (pre-migration) path as well as the new paths?
Ref: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc742388(v=ws.10)?redirectedfrom=MSDN

"By default, Active Directory Certificate Services (AD CS) is configured with certificate revocation list (CRL) distribution point extensions that include the CA computer host name in the path. This means any certificates issued by the CA before migration may contain certificate validation paths that contain the old host name. These paths may no longer be valid after the migration. To avoid revocation checking errors, the new CA must be configured to publish CRLs to the old (pre-migration) path as well as the new paths. "

Vadims Podāns 9,186 Reputation points MVP

2020-08-07T19:02:54.663+00:00

it depends on you CDP/AIA configuration before migration and setup after migration. Can you provide more details?
Anonymous

2020-08-13T02:00:17.557+00:00

Hello anonymous user,

Have you tried the steps I provided above?

Would you please tell me how things are going on your side. If you have any questions or concerns about the information I provided, please don't hesitate to let us know.

Thank you for your time and effors.

Best Regards,
Daisy Zhou
ManuelVallejo 36 Reputation points

2020-08-14T02:36:21.47+00:00

Sure, I have and old CA located in a windows computer (domain member). I would like to migrate it to a new windows computer with upper O.S.

In this environment there are so many Microsoft Apps and windows clients. Moreover, there is so many third party apps that I considered in some point I would have to change manually certificates depending on my migration strategy.
ManuelVallejo 36 Reputation points

2020-08-14T02:36:52.017+00:00

By example, in the URL I found. One part of the text says: "

This means any certificates issued by the CA before migration may contain certificate validation paths that contain the old host name. These paths may no longer be valid after the migration. To avoid revocation checking errors, the new CA must be configured to publish CRLs to the old (pre-migration) path as well as the new paths."

So my question is more about "certificate validation paths".

I believe it would be and old validation path (from former CA server) and a new validation path (from new CA server).

for that reason, how can I handle this part to make sure the windows clients continues working with no problem. In what exactly point I have to chage valdiation path and how do I have to change it?
Anonymous

2020-08-19T02:04:05.953+00:00

Hello anonymous user,

I'm just following up to make sure you received my last reply and that my answers properly address your questions. If you have any further questions or concerns about this question, please let me know.

Have a nice day!

Best Regards,
Daisy Zhou
Anonymous

2020-08-21T01:47:19.593+00:00

Hello anonymous user,

How are things going on your end? Please keep me posted on this issue.

If you have any further questions or concerns about this question, please let us know.

I appreciate your time and efforts.

Best Regards,
Daisy Zhou

5 answers

Your answer

Vadims Podāns 9,186 Reputation points MVP

2020-08-07T19:02:54.663+00:00

it depends on you CDP/AIA configuration before migration and setup after migration. Can you provide more details?
Anonymous

2020-08-13T02:00:17.557+00:00

Hello anonymous user,

Have you tried the steps I provided above?

Would you please tell me how things are going on your side. If you have any questions or concerns about the information I provided, please don't hesitate to let us know.

Thank you for your time and effors.

Best Regards,
Daisy Zhou
ManuelVallejo 36 Reputation points

2020-08-14T02:36:21.47+00:00

Sure, I have and old CA located in a windows computer (domain member). I would like to migrate it to a new windows computer with upper O.S.

In this environment there are so many Microsoft Apps and windows clients. Moreover, there is so many third party apps that I considered in some point I would have to change manually certificates depending on my migration strategy.
ManuelVallejo 36 Reputation points

2020-08-14T02:36:52.017+00:00

By example, in the URL I found. One part of the text says: "

This means any certificates issued by the CA before migration may contain certificate validation paths that contain the old host name. These paths may no longer be valid after the migration. To avoid revocation checking errors, the new CA must be configured to publish CRLs to the old (pre-migration) path as well as the new paths."

So my question is more about "certificate validation paths".

I believe it would be and old validation path (from former CA server) and a new validation path (from new CA server).

for that reason, how can I handle this part to make sure the windows clients continues working with no problem. In what exactly point I have to chage valdiation path and how do I have to change it?
Anonymous

2020-08-19T02:04:05.953+00:00

Hello anonymous user,

I'm just following up to make sure you received my last reply and that my answers properly address your questions. If you have any further questions or concerns about this question, please let me know.

Have a nice day!

Best Regards,
Daisy Zhou
Anonymous

2020-08-21T01:47:19.593+00:00

Hello anonymous user,

How are things going on your end? Please keep me posted on this issue.

If you have any further questions or concerns about this question, please let us know.

I appreciate your time and efforts.

Best Regards,
Daisy Zhou

Answer 1

Hello ManuelVallejo-8019,

Thank you for posting here.

Based on the test in my lab, we can set up as below:

Step1

I set up one-tier CA on my lab based on the link below.

ADCS Step by Step Guide: Single Tier PKI Hierarchy Deployment
https://social.technet.microsoft.com/wiki/contents/articles/11750.adcs-step-by-step-guide-single-tier-pki-hierarchy-deployment.aspx

Step2

I configured the AIA and CDP entries in the extension on the old CA server.

AIA entries
C:\Windows\system32\CertSrv\CertEnroll\<ServerDNSName><CaName><CertificateName>.crt
ldap:///CN=<CATruncatedName>,CN=AIA,CN=Public Key Services,CN=Services,<ConfigurationContainer><CAObjectClass>
http://pki.fabrikam.com/**CertEnroll-CA1**/\<ServerDNSName><CaName><CertificateName>.crt

CDP entries （2019server is my IIS server）
C:\Windows\system32\CertSrv\CertEnroll\<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl
ldap:///CN=<CATruncatedName><CRLNameSuffix>,CN=<ServerShortName>,CN=CDP,CN=Public Key Services,CN=Services,<ConfigurationContainer><CDPObjectClass>
http://pki.fabrikam.com/CertEnroll-CA1/\<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl
file://\2019server.fabrikam.com**CertEnroll-CA1**\<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl

Step3

I migrate the CA from CA1 (host name) to CA2 (host name) based on the link below.

Step-By-Step: Migrating The Active Directory Certificate Service From Windows Server 2008 R2 to 2019
https://techcommunity.microsoft.com/t5/itops-talk-blog/step-by-step-migrating-the-active-directory-certificate-service/ba-p/697674

Step4

By default, all the AIA and CDP entries under Extensions tab of the CA Properties on the old CA will be migrated from old CA server to new CA server.

Step5

I add another http CDP based the steps below.

1.Ctreate an folder named certenroll1 (or another name，in my case it is CertEnroll-CA2( C:\CertEnroll-CA2) on the same IIS server as when I set up CA (or you can on another new IIS server).

2.Assume I will add http type CRL.

Add another CDP on Extensions tab of new CA server (CA2).
http://pki.fabrikam.com/CertEnroll-CA2/\<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl
file://\2019server.fabrikam.com\CertEnroll-CA2\<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl

3.Republish the CRL to see the CRL on IIS server (such as CertEnroll-CA2).

4.Open PKIview.msc to check new CA CDP.

Hope the information is helpful, if anything is unclear, please feel free to let us know.

Best Regards,
Daisy Zhou

Aman Kumar 0 Reputation points

2023-09-14T19:58:01.0666667+00:00

What about ldap crl? The ldap crl will be able to be published old location to validate the existing certificate

Answer 2

ManuelVallejo 36

Hi Daisy Zhou

I will check your answer right now

Answer 3

ManuelVallejo 36

Hi Daisy Zhou,

Blockquote

Step2
I configured the AIA and CDP entries in the extension on the old CA server.

Blockquote

Could you give me more details about why you configured old CA server? I think AIA and CDP were configured when someone deploy old CA.

So there is no need to configured AIA and CDP again, dont you?

Anonymous

2020-08-17T02:54:28.273+00:00

Hello anonymous user,

Yes, you do not need to configure AIA and CDP in your case (Because you have existing CA structure).

To better understand CA migration, in my reply, that is deploy CA->migrate CA and add new CDP entries after CA migration.

Best Regards,
Daisy Zhou

Answer 4

ManuelVallejo 36

I meant, AIA and CDP comes configured y default in the old CA, At least you prepare and additional server with following roles:
Web Server, HTTP host for CDP and AIA like the example where PKI is and alias from the srv1 server

Anonymous

2020-08-17T03:11:46.53+00:00

Hello anonymous user,

In my reply (as an example), the new http CDP is in the same IIS server as the old http CDP.

But you can add a new srv server with upper OS into the existing domain and add Web server role, then perform the similar steps based on point 1 and point 2 under step 5.

Best Regards,
Daisy Zhou

Answer 5

ManuelVallejo 36

How do you list the certificate templates for an enterprise CA?

Anonymous

2020-08-17T03:52:41.817+00:00

Hello anonymous user,

We can use the command below:

certutil -template | Select-String -Pattern TemplatePropCommonName

Best Regards,
Daisy Zhou

Share via

Which are the steps to configured to new CA to publish CRLs to the old.

5 answers

Your answer