CDP location and CRL of Root CA is not available

Update: 11-30
Source: network consolidation
Hi,
We had one Root CA and it's no longer available due to storage format. The Root CA has one subordinate CA server and that server is fine.
When I verify the CDP container via PKIVIEW.msc, I can see that the CRL of the Subordinate CA is valid and Root CA is expired a year ago (with this I assume it's an offline root standalone CA).
When I verify the CRL of the Subordinate CA server, it is something like below:
URL=ldap:///CN=netca1(2),CN=netCA1,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=contosso,DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint
URL=http://netra1/CertEnroll/netca1(2)DeltaCRLAllowed%3E.crl
When I validate the URL path, the CRL is expired.
The certificate of the subordinate CA still shows valid. How do I find a valid CRL for the crashed root CA?
(please excuse Typos)
Mahi

The Best Answer

No, that's not what I mean.
If the root CA server is gone and the root CA CRL is expired, then your PKI is lost.
One way is to add the Enterprise PKI mmc snap-in to an MMC and see what the dates are there. You should be able to see when it expires.
Another is to open the physical file; depending on how the PKI is implemented, it may be available where you point your HTTP CRL.
Hth, Anders Janson Enfo Zipper