EnterpriseRootCA Pointing to wrong server
We have a network with multiple DCs across multiple sites, but all under the same domain. I just found that at some point the servers must have been replaced but the Certificate Authority was not properly moved. The EnterpriseRootCA certificate's CRL Distribution Point is still pointing to a decommissioned server. What is the best way to fix this? Thanks
January 24th, 2012 1:53pm

Hello, the security forum is the better place to ask about this: http://social.technet.microsoft.com/Forums/en/winserversecurity/threads
Best regards, Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
January 24th, 2012 1:58pm

You can add, remove, or modify certificate revocation list distribution points (CDPs) in issued certificates. However, modifying the URL for a CDP only affects newly issued certificates. Previously issued certificates will continue to reference the original location. The following links should help:
Specify certificate revocation list distribution points in issued certificates: http://technet.microsoft.com/en-us/library/cc773036%28WS.10%29.aspx
Manually publish the certificate revocation list: http://technet.microsoft.com/en-us/library/cc778151%28WS.10%29.aspx
Schedule the publication of the certificate revocation list: http://technet.microsoft.com/en-us/library/cc781735%28WS.10%29.aspx
Hope it helps.
MCTS - Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread. http://mariusene.wordpress.com/
January 24th, 2012 2:01pm

I apologize for putting this in the wrong forum, I was unsure where certificate questions should go. Marius, I will try the links you sent tonight and post back if it went. Thank you for your assistance.
January 24th, 2012 2:26pm

I just looked at this and I'm not sure if that will help or not. Under Extensions there are 4 options, but the http one, for instance, says:
http://<ServerDNSName>/CertEnroll/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl
which looks correct to me (although I could be wrong) in that it's dynamic. (Incidentally, none of the checkboxes below are checked for the http option; I'm not sure if that is important.) But if I go view the certificate details, under CRL Distribution Points is:
URL=ldap:///CN=EnterpriseRootCA,CN=OLDSERVER,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=OurDomain,DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint
URL=http://OldServer.OurDomain.com/CertEnroll/EnterpriseRootCA.crl
Thanks
January 24th, 2012 3:14pm

If the CA server name has been changed, the CA must normally retain the old server name in the CDP URLs because of the fact that the old server name is part of the CDP extension in already issued certificates. Changing to the new server name in the CDP URL will result in the old CRL not being available and the old certificates not possible to check for revocation. /Hasain
January 25th, 2012 4:30am
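The two posts above make the same point from different angles: the CDP template in the CA's Extensions tab is expanded with the CA's host name at issuance time, and the expanded URL is then frozen into every certificate, so renaming the CA does nothing for certificates already out there. The following added example (not from the thread or from Microsoft) shows that expansion with the thread's own template and values, and audits the URLs found in an issued certificate's CDP extension for a host that no longer matches the CA; the new host name NewServer.OurDomain.com is an assumed placeholder.

```python
import re
from urllib.parse import urlparse

# Default AD CS HTTP CDP template, as shown in the CA's Extensions tab.
HTTP_CDP_TEMPLATE = "http://<ServerDNSName>/CertEnroll/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl"

# CA values when the certificate was issued (the decommissioned host from the thread).
OLD_CA = {"server_dns_name": "OldServer.OurDomain.com", "server_short_name": "OLDSERVER",
          "ca_name": "EnterpriseRootCA", "crl_name_suffix": ""}
# Assumed current CA host (placeholder, not from the thread).
NEW_CA = dict(OLD_CA, server_dns_name="NewServer.OurDomain.com", server_short_name="NEWSERVER")

# CRL Distribution Points extension as the certificate details dialog shows it
# (constructed from the values quoted in the thread).
ISSUED_CERT_CDP = """
URL=ldap:///CN=EnterpriseRootCA,CN=OLDSERVER,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=OurDomain,DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint
URL=http://OldServer.OurDomain.com/CertEnroll/EnterpriseRootCA.crl
"""


def expand_cdp_template(template: str, ca: dict, delta: bool = False) -> str:
    """Substitute the CA's current values for the <Variable> tokens; the result is
    what gets written into each new certificate. <DeltaCRLAllowed> is '+' only in
    the delta CRL URL and empty in the base CRL URL."""
    values = {"ServerDNSName": ca["server_dns_name"], "ServerShortName": ca["server_short_name"],
              "CaName": ca["ca_name"], "CRLNameSuffix": ca.get("crl_name_suffix", ""),
              "DeltaCRLAllowed": "+" if delta else ""}
    return re.sub(r"<([A-Za-z]+)>", lambda m: values[m.group(1)], template)


def parse_cdp_urls(extension_text: str) -> list:
    """Pull the URL= entries out of the displayed CDP extension text."""
    return re.findall(r"URL=(\S+)", extension_text)


def stale_cdp_urls(urls, ca: dict) -> list:
    """Return CDP URLs that still name a host other than the current CA. A certificate
    carrying such a URL cannot be revocation-checked once that host is gone."""
    stale = []
    for url in urls:
        if url.lower().startswith("http"):
            if (urlparse(url).hostname or "") != ca["server_dns_name"].lower():
                stale.append(url)
        elif url.lower().startswith("ldap"):
            # In the LDAP CDP the server short name is the CN directly before CN=CDP.
            m = re.search(r"CN=([^,]+),CN=CDP", url, re.IGNORECASE)
            if m and m.group(1).lower() != ca["server_short_name"].lower():
                stale.append(url)
    return stale


if __name__ == "__main__":
    print(expand_cdp_template(HTTP_CDP_TEMPLATE, OLD_CA))  # the URL frozen into the old cert
    print(expand_cdp_template(HTTP_CDP_TEMPLATE, NEW_CA))  # what newly issued certs will carry
    for url in stale_cdp_urls(parse_cdp_urls(ISSUED_CERT_CDP), NEW_CA):
        print("stale CDP, reissue this certificate:", url)
```

Run against CDP text copied from any issued certificate, the stale list is the set of certificates that must be reissued rather than patched, which is exactly the constraint Hasain describes.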

What would your recommendation be? The old server is gone and not coming back, should I leave it the way it is? Then when this certificate expires do I just create a new certificate under the new server? Thank you for your help.
January 25th, 2012 8:24am

I think it's the only option for your situation right now. Redeploy new certificates with the new CRL distribution points. The old certificates you won't be able to revoke.
MCTS - Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread. http://mariusene.wordpress.com/
January 25th, 2012 8:29am

What would be the best procedure for creating an enterprise certificate in this instance? Should I use IIS to request a new certificate and process it on the new server? How do I make the new certificate a CA certificate? Is there any way to remove the old certificate from the EnterpriseRootCA? Thanks
January 25th, 2012 9:08am

You could change the CRL distribution points. Here are some useful articles:
Changing the location of your CRL: http://support.microsoft.com/kb/232161
"You can modify the CRL distribution point by using the Certification Authority MMC snap-in. In this way, you can change the location where the CRL is published to meet the needs of users in your organization. You must move the CRL distribution point from the CA configuration folder to a Web server to change the location of the CRL, and you must move each new CRL to the new distribution point, or else the chain will break when the previous CRL expires. On root CAs, you must also modify the CRL distribution point in the CAPolicy.inf file so that the root CA certificate references the correct CDP and AIA paths, if specified. If you are using certificates on the Internet, you must have at least one HTTPs-accessible location for all certificates that are not limited to internal use."
Selecting a CRL Distribution Point: http://technet.microsoft.com/en-us/library/cc782183(WS.10).aspx
I think Microsoft has several great articles with detailed steps about removing a CA:
Uninstall a certification authority 2003: http://technet.microsoft.com/en-us/library/cc785971(WS.10).aspx
Uninstall a certification authority 2008: http://technet.microsoft.com/en-us/library/cc771494(WS.10).aspx
How to decommission a Windows enterprise certification authority and how to remove all related objects from Windows Server 2003 and from Windows Server 2000: http://support.microsoft.com/kb/889250
Also a more recent article about migrating the CA; check out the steps about backing up the CA: http://technet.microsoft.com/en-us/library/ee126140(WS.10).aspx
I have also found a similar thread that you may find useful: http://social.technet.microsoft.com/Forums/en-GB/winserversecurity/thread/c1d9ac5a-3c81-45d9-8b70-36cac63a32b8
Hope it helps.
MCTS - Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread. http://mariusene.wordpress.com/
January 25th, 2012 9:37am

