CA & CRL Questions RE: Expiration & Migration
I've recently had to restore our DC that also hosts our IAS and CA services after a migration went awry. So after restoring it I've been trying to wrap my head around the migration of IAS & CA from a 2003 server to a 2008 R2 server with NPS, and have been reading the following documentation:

- AD CS Migration Guide
- Deploy a CA and NPS Server Certificate
- NPS Migration Guide

But what I'm trying to do is not replace them immediately; I wanted to have both the 2003 IAS/CA and the 2008 R2 NPS/CA up and running at the same time to make it an easier transition. And as I walk through the AD CS Migration Guide steps (Preparing To Migrate) it mentions that I should publish a CRL with an extended validity period. In preparation for this migration, and after our recent server restoration, I find that my CRL is set to expire in a week. I realize that is the default but got to wondering what would happen in a week if it wasn't extended. I began doing research to understand this entire process a little better and can't seem to find what I'm looking for. I believe my questions are very simple, as I don't have much experience with CA services, but I wondered the following:

1. Why would I want to extend the validity period of my CRL?
2. What happens after my CRL validity has expired?
3. Why would I issue a CRL if I want to continue using my current CA?
4. What exactly happens when I issue a CRL? Does it mark my CA invalid for the amount of time the CRL is valid? And after that is my CA invalid and I need to issue a new one?
5. So if I don't get this migrated to my 2008 R2 server by the time my CRL expires, do I need to issue a new certificate on my old 2003 server and then need to issue a new cert once on my 2008 R2 CA?

absolutezero273c
May 9th, 2012 1:13pm

A CRL issued by a CA is used to distribute revocation information about certificates issued by that CA. In other words, a CRL issued by a CA cannot affect the CA certificate itself and is only needed to verify certificates issued by that CA. Many PKI-enabled servers and services like IAS & NPS are configured to check the connecting clients' certificate revocation status and therefore need to have a valid CRL available at any given time.

Having that clarified, the main reason why the migration guide argues for extending the validity period of the CRL during the migration is to make sure that there is a valid CRL throughout the migration process. As described in the guide, the CA cannot publish a CRL during the migration process simply because it is not online, and you need to make sure that the rest of the enterprise continues to function normally.

The bottom line is, the CA certificate is not affected during migration, and definitely not because of a CRL publish, as no revoke operation is taking place!

/Hasain
May 9th, 2012 4:45pm
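The following PowerShell script is an added example for this thread; it is not code from either poster or from Microsoft's migration guide. It reads the CA's CRL period settings from the standard AD CS registry location, checks the NextUpdate of the base CRL file the CA has actually published (which is what a relying party such as IAS/NPS compares against its clock), and prints the certutil commands that implement the guide's "publish a CRL with an extended validity period" step. Assumptions: the standard registry layout under CertSvc\Configuration, a CA name that needs no sanitizing for the subkey and file names, and that certutil -dump prints a "NextUpdate:" line in the local date format.

```powershell
# Added example (not from the original posts or from Microsoft's guide).
# Run elevated on the CA itself. Assumes the standard AD CS registry layout
# CertSvc\Configuration\<CA name> and a CA name that needs no sanitizing.

$cfgRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName  = (Get-ItemProperty -Path $cfgRoot -Name Active).Active
$cfg     = Get-ItemProperty -Path (Join-Path $cfgRoot $caName)

function ConvertTo-Days([int]$Units, [string]$Period) {
    # AD CS stores each period as a count (...Units, REG_DWORD) plus a unit name (REG_SZ).
    switch ($Period) {
        'Hours'  { $Units / 24 }
        'Days'   { $Units }
        'Weeks'  { $Units * 7 }
        'Months' { $Units * 30 }   # approximate, for reporting only
        'Years'  { $Units * 365 }  # approximate, for reporting only
        default  { throw "Unknown CRL period unit '$Period'" }
    }
}

# Default is CRLPeriodUnits=1, CRLPeriod=Weeks, i.e. the one-week CRL the question mentions.
$crlDays = ConvertTo-Days $cfg.CRLPeriodUnits $cfg.CRLPeriod
# CRLOverlapPeriodUnits of 0 (or absent) means AD CS applies its default overlap:
# 10% of the CRL period, capped at 12 hours. The overlap is added to NextUpdate.
if ($cfg.CRLOverlapPeriodUnits -gt 0) {
    $overlapDays = ConvertTo-Days $cfg.CRLOverlapPeriodUnits $cfg.CRLOverlapPeriod
} else {
    $overlapDays = [math]::Min($crlDays * 0.1, 0.5)
}
"CA '{0}': base CRL period {1} {2}, overlap {3:N2} days, so each published CRL is valid about {4:N1} days" -f $caName, $cfg.CRLPeriodUnits, $cfg.CRLPeriod, $overlapDays, ($crlDays + $overlapDays)

# The published base CRL in CertEnroll is the one clients and NPS actually fetch.
# Its NextUpdate decides when revocation checking starts failing, not the CA certificate.
$crlFile = Join-Path $env:windir "System32\CertSrv\CertEnroll\$caName.crl"
if (Test-Path $crlFile) {
    $nextUpdate = $null
    foreach ($l in (certutil -dump $crlFile)) {
        # Assumes certutil prints 'NextUpdate: <local date/time>' (accepts 'Next Update:' too).
        if ($l -match '^\s*Next\s*Update:\s*(.+?)\s*$') {
            $nextUpdate = [datetime]::Parse($Matches[1])
            break
        }
    }
    if ($nextUpdate) {
        $remaining = $nextUpdate - (Get-Date)
        if ($remaining.TotalDays -lt 0) {
            "Published CRL EXPIRED at $nextUpdate. Revocation checks against this CA are failing now; the CA certificate itself is still valid."
        } else {
            "Published CRL valid until $nextUpdate ({0:N1} days left)" -f $remaining.TotalDays
        }
    } else {
        "Could not find a NextUpdate line in certutil -dump output for $crlFile"
    }
} else {
    "No published CRL found at $crlFile"
}

# The migration guide's "extend the CRL validity period" step as certutil commands.
# Printed here rather than executed: choose a period that comfortably covers the
# planned migration window (4 weeks is a constructed sample value). The CA service
# must be restarted for -setreg changes to take effect, then a new CRL is published.
@'
certutil -setreg CA\CRLPeriodUnits 4
certutil -setreg CA\CRLPeriod "Weeks"
net stop certsvc
net start certsvc
certutil -CRL
'@
```

The distinction the script makes visible is the one Hasain describes: the CA certificate's own validity never appears in this output, only the CRL's NextUpdate does. Once that time passes, services that enforce revocation checking (IAS/NPS validating client certificates) start rejecting otherwise good certificates, while a CA that is offline for migration cannot publish a replacement; extending the period before taking the CA offline is what keeps the rest of the enterprise working through the migration window.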

Thank you, Hasain, for the informative reply. That does help me to understand what is happening with the CA and CRL. Regarding migration from 2003 IAS/CA to 2008 R2 NPS/CA, is it detrimental to run them both simultaneously on the same domain and cut over later?

absolutezero273c
May 10th, 2012 8:20am

Regarding IAS/NAP, there are no problems running both simultaneously in the same domain, but I would not recommend having the "same" CA that way. It is, on the other hand, totally supported and accepted to have multiple different CAs in the same domain.

/Hasain
May 10th, 2012 1:59pm
