Certificate Migration query
Hi Guys, I have recently migrated our Enterprise CA from Windows 2000 to Windows 2008 R2 DC. I have followed the ADCS Upgrade and Migration guide and completed all of the steps successfully. However, I am confused about one particular setting. I right-click the CA CertName and click Properties. Then, on the General tab I click View Certificate. I then click on the Details tab and when I scroll down to the CRLDistributionPoints, there are no locations that point to the new server. Is this normal? Currently there are only locations to the old CA server. I have modified the CRLDistributionPoints in the Extensions tab to point to the old server for existing certificates. These settings are from the original imported certificate from the old CA. Any help is appreciated. Kind Regards,
March 16th, 2012 10:33pm

Is this a Root CA as well, or do you already have another Root CA? In Windows 2000 a Root CA unnecessarily included CDP and AIA attributes. If this is a sub CA, the AIA and CDP attributes are decided by the parent CA. In both cases the certificate cannot be changed unless it is reissued with new attributes. You can add a CDP URL that uses the new server name or (recommended) dynamically build the URL based on the server name, but remember that this URL will only appear on newly issued certificates. /Hasain
March 18th, 2012 12:54am

Hi Hasain, Thank you for your reply. To answer your questions: Yes, this is the Root CA, as the previous one has been taken offline. The original certificate and database have been migrated to the new server. All new certificate requests will need to contain the new CA server's details, and I am sure that this will happen as it is the only server now responsible for certificate requests. I have added a CDP point for the old CA so that when expiration or revocation of existing certificates occurs, they will be able to do so from the new server. Is this correct? Should I be worried that the existing CA certificate (which doesn't expire until 2015) only has the details of the old CA server? Will I need to reissue the main certificate so that it includes the new server? How can I complete this, as I tried this in a test environment (using servers with the same settings) and found that it still only contained details of the old CA? Your help is greatly appreciated. Kind Regards, Angelo
March 18th, 2012 9:54pm

The CDP and AIA information in the CA certificate itself can be ignored. CDP and AIA in the Root CA certificate is something Windows 2000 did, and it does not have any technical effect on the system. To be sure that all old certificates can be CRL checked, you need to configure the old CDP URLs for publication only. That means the CA can use a new set of CDP URLs to include in newly issued certificates and keeps publishing the CRLs to the new and old locations equally, without including the old CDP locations in new certificates. Once all old certificates have expired or been replaced, you can remove the old CRL distribution points! /Hasain
March 19th, 2012 3:15am
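The publication-only arrangement Hasain describes can be set from the command line instead of the Extensions tab. The script below is an added example and is not part of the original thread; it uses certutil, which is built into Windows, and assumes a hypothetical share `\\OLDCA-PLACEHOLDER\CertEnroll` that is served under the old server's CDP URL (either because the old hostname now resolves to the new server or because the old web server still publishes that folder). The flag numbers are the documented CRLPublicationURLs bits: 1 = publish CRL here, 2 = include in the CDP extension of issued certificates, 4 = include in CRLs for delta lookup, 8 = include in all CRLs (manual AD publishing), 64 = publish delta CRL here.

```powershell
# Added example: rebuild CRLPublicationURLs so that the OLD location is
# publish-only (flag 1/65) and only the NEW locations carry flag 2
# (include in the CDP extension of newly issued certificates).
# Run in an elevated PowerShell prompt on the new CA.

# Keep a copy of the current value so the change can be reverted.
certutil -getreg CA\CRLPublicationURLs | Out-File "$env:TEMP\CRLPublicationURLs.before.txt"

$urls = @(
    # Local publish location on the new CA (publish base + delta, not in certs).
    '65:C:\Windows\System32\CertSrv\CertEnroll\%3%8%9.crl',
    # New HTTP CDP: included in issued certs; %1 expands to this server's DNS name.
    '2:http://%1/CertEnroll/%3%8%9.crl',
    # Default LDAP CDP in Active Directory: publish + include in certs and CRLs.
    '79:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10',
    # OLD location, hypothetical share name: publish base and delta CRL only (1+64),
    # so certificates issued by the Windows 2000 CA can still fetch a fresh CRL.
    # No flag 2, so this path never appears in new certificates.
    '65:\\OLDCA-PLACEHOLDER\CertEnroll\%3%8%9.crl'
)

# certutil -setreg accepts a REG_MULTI_SZ as one string with literal "\n" separators.
# PowerShell does not treat "\n" or "%" specially, so no escaping is needed.
certutil -setreg CA\CRLPublicationURLs ($urls -join '\n')

# The CA service reads CRLPublicationURLs at start-up.
Restart-Service CertSvc

# Publish a new base and delta CRL to every location with flag 1/64 set.
certutil -CRL

# Verify: the registry now lists all four entries with their flags,
# and the published CRL exists at the old location.
certutil -getreg CA\CRLPublicationURLs
Test-Path '\\OLDCA-PLACEHOLDER\CertEnroll\*.crl'
```

To confirm that the old chain still validates, run `certutil -verify -urlfetch <cert.cer>` against one certificate issued by the Windows 2000 CA and one issued after the change; the first should retrieve its CRL from the old URL, the second should list only the new URLs in its CDP extension. Once the last Windows 2000-issued certificate has expired or been replaced, drop the `65:\\OLDCA-...` entry and repeat the `-setreg`, restart and `-CRL` steps.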

Thank you Hasain. You are a gentleman.
March 26th, 2012 1:44am
