Hello there, If you have configured both LDAP and HTTP, then clear the checkboxes on the LDAP URL which instruct the CA to include the URL in certificates and CRLs. This way the CA will continue to publish CRLs there, so existing certificates (that include the LDAP URL) can download the CRL from LDAP until they get replaced. No new certificate will contain LDAP; they will contain only HTTP. Use the following certutil.exe command line to publish a CA's CRL into Active Directory: certutil -dspublish -f CAName.crl, where CAName is the logical name of the root CA. Hope this resolves your query! --If the reply is helpful, please upvote and accept it as an answer--
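The checkbox changes and the manual AD publication step described in this answer, written out as an added certutil example (not the answer author's own commands). The pki.DomainA.com / pki.DomainB.com host names come from the question; the flag bits are the documented CRLPublicationURLs / CACertPublicationURLs values, and the %n placeholders are the CA's standard template variables (%3 CAName, %8 CRLNameSuffix, %9 DeltaCRLAllowed, %7 CATruncatedName, %2 ServerShortName, %6 ConfigurationContainer, %10/%11 object class, %1 ServerDNSName, %4 CertificateName).

```powershell
# Run in an elevated prompt on the offline root CA.
# Flag bits: 1 = publish to this location, 2 = include in the CDP/AIA extension of issued
# certificates, 4 = include in CRLs (delta CRL lookup), 8 = AD location used by manual
# publishing (certutil -dspublish), 64 = publish delta CRLs.
$cdp = @(
  '65:C:\Windows\system32\CertSrv\CertEnroll\%3%8%9.crl'                          # file: publish (+delta)
  '9:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10'      # ldap: publish only, bits 2 and 4 cleared
  '2:http://pki.DomainA.com/CertEnroll/%3%8%9.crl'                               # http: goes into new certs' CDP extension
  '2:http://pki.DomainB.com/CertEnroll/%3%8%9.crl'
)
$aia = @(
  '1:C:\Windows\system32\CertSrv\CertEnroll\%1_%3%4.crt'                         # default AIA file name pattern (assumed)
  '1:ldap:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,%6%11'              # ldap: publish only, bit 2 cleared
  '2:http://pki.DomainA.com/CertEnroll/%1_%3%4.crt'
  '2:http://pki.DomainB.com/CertEnroll/%1_%3%4.crt'
)

# certutil -setreg writes a REG_MULTI_SZ given one string with a literal "\n" between entries
certutil -setreg CA\CRLPublicationURLs    ($cdp -join '\n')
certutil -setreg CA\CACertPublicationURLs ($aia -join '\n')

# Check what was written, then restart the service so newly issued certs carry the new extensions
certutil -getreg CA\CRLPublicationURLs
certutil -getreg CA\CACertPublicationURLs
net stop certsvc
net start certsvc

# Issue a fresh CRL; with bit 8 kept on the LDAP entry it records the AD publish location
certutil -crl

# Copy the .crl to a domain-joined host with rights on CN=CDP,CN=Public Key Services and
# publish it into AD, as the answer describes (file name RootCA.crl is taken from the question)
# certutil -dspublish -f C:\Transfer\RootCA.crl
```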
Offline Root CA CRL CDP
I inherited a CA environment. While reverse engineering it, I noticed some configurations in the Offline Root CA CRL and AIA extensions that I have questions about.
We have 5 different Forests/Domains Each has its own Intermediate CA and Online Responder. Each Intermediate CA gets its SubCA cert from the Root CA.
The CRL CDP was set as follows.
- C:\Windows\system32\certsrv\certenroll\<CAName><CRLNameSuffix><DeltaCRLAllowed>.crl
- ldap:///CN=<CATruncatedName><CRLNameSuffix>,CN=<ServerShortName>,CN=CDP,CN=Public Key Services,CN=Services,<ConfigurationContainer><CDPObjectClass>
- http://pki.DomainC.com/CertEnroll/<CAName><CRLNameSuffix><DeltaCRLAllowed>.crl
And the AIA was set as follows.
- C:\Windows\system32\CertSrv\CertEnroll\<ServerDNSName><CAName><CertificateName>.crt
- ldap:///CN=<CATruncatedName>,CN=AIA,CN=Public Key Services,CN=Services,<ConfigurationContainer><CAObjectClass>
- http://pki.DomainC.com/CertEnroll/<ServerDNSName><CAName><CertificateName>.crt
DomainC is going to be retired soon and pki.DomainC.com is not accessible to all 5 domains. So, I need to update the CRL CDP and the AIA. My plan was to configure the Root CA Extensions as follows.
CRL CDP
- C:\Windows\system32\certsrv\certenroll\<CAName><CRLNameSuffix><DeltaCRLAllowed>.crl
- ldap:///CN=<CATruncatedName><CRLNameSuffix>,CN=<ServerShortName>,CN=CDP,CN=Public Key Services,CN=Services,<ConfigurationContainer><CDPObjectClass>
- http://pki.DomainA.com/CertEnroll/<CAName><CRLNameSuffix><DeltaCRLAllowed>.crl
- http://pki.DomainB.com/CertEnroll/<CAName><CRLNameSuffix><DeltaCRLAllowed>.crl
- http://pki.DomainC.com/CertEnroll/<CAName><CRLNameSuffix><DeltaCRLAllowed>.crl
- http://pki.DomainD.com/CertEnroll/<CAName><CRLNameSuffix><DeltaCRLAllowed>.crl
- http://pki.DomainE.com/CertEnroll/<CAName><CRLNameSuffix><DeltaCRLAllowed>.crl
AIA
- C:\Windows\system32\CertSrv\CertEnroll\<ServerDNSName><CAName><CertificateName>.crt
- ldap:///CN=<CATruncatedName>,CN=AIA,CN=Public Key Services,CN=Services,<ConfigurationContainer><CAObjectClass>
- http://pki.DomainA.com/CertEnroll/<ServerDNSName><CAName><CertificateName>.crt
- http://pki.DomainB.com/CertEnroll/<ServerDNSName><CAName><CertificateName>.crt
- http://pki.DomainC.com/CertEnroll/<ServerDNSName><CAName><CertificateName>.crt
- http://pki.DomainD.com/CertEnroll/<ServerDNSName><CAName><CertificateName>.crt
- http://pki.DomainE.com/CertEnroll/<ServerDNSName><CAName><CertificateName>.crt
I also noticed that the CRL for every SubCA cert is pointing to only DomainC. I expected that with the HTTP but not LDAP. My first assumption, since the SubCA certs are a few years old, was that someone changed the CRL CDP and AIA after those certs were issued. However, DomainE is a new domain with a new Intermediate CA server. The CRL CDP and AIA for the new SubCA cert is still using DomainC for its CRL CDP.
[1]CRL Distribution Point
Distribution Point Name:
Full Name:
URL=ldap:///CN=RootCA,CN=SA-CA,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=DomainC,DC=COM?certificateRevocationList?base?objectClass=cRLDistributionPoint
URL=http://pki.DomainC.com/CertEnroll/RootCA.crl
- Why is it that each SubCA’s cert CRL is pointing the ldap CRL to DomainC when the Root CA Extension CRL CDP is set generic (ldap:///CN=<CATruncatedName>,CN=AIA,CN=Public Key Services,CN=Services,<ConfigurationContainer><CAObjectClass>)?
- How do I configure the Root CA CRL CDP so that each domain can publish the CRL in AD?
- Should I even have an LDAP CRL CDP configured in the Offline Root CA’s Extensions? (I personally like to have at least 2 locations to publish the CRL)
- If I add CRL CDP and AIA to the Root CA extensions, will it be added to the cert if I renew the SubCA cert?
- I’m pretty sure I know the answer to this but…. If I renew the cert and DO NOT generate a new Public/Private pair the certificate chain stays intact, and I don’t need to reissue all certs issued by the Intermediate CAs?