Move CA to another server & now have CRL problems
Hi all, I recently moved our enterprise root CA from one server to another, following the guidelines in the KB (backup/restore of the DB and CA reg key, then change the CAServer reg entry). The CA itself seems to be perfectly OK, but I have a problem with anything that checks the CRL: they all seem to be looking to the old server to try to find the CRL. The new server is publishing the CRL to AD, but that doesn't seem to help. OS is Windows 2008 x64. Any input appreciated. Stu
August 24th, 2010 3:20pm

The CRL information is usually hardcoded into the subordinate CA certificate (in your case the enterprise root CA certificate). So if you just moved the CA to another server (different server name) and used the default behavior when installing the first root CA, it is probably tied to the old server name. Check this by looking at the root CA certificate, on the Details pane and the CRL Distribution Point field. The expected publication location is noted there. To fix this you can make a DNS entry from the old server name to the new one. The only other way is to renew the root certificate and edit the CDP location and enter the new server, or use a generic name and use DNS to point to the new server (this is the best solution in my opinion). Regards, Morten
August 24th, 2010 11:24pm

Hi, The following article could be helpful: Performing Post-Upgrade or Post-Migration Tasks http://technet.microsoft.com/en-us/library/cc742471(WS.10).aspx This posting is provided "AS IS" with no warranties, and confers no rights. Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
August 25th, 2010 3:55am

Joson, that solved my problem. Thanks very much. Morten, I like the sound of using a generic address to publish the CRL to; do you know of any info on how to achieve this? Thanks both. Stu
August 25th, 2010 12:21pm

What I do is always use a generic URL name (ca.<domainname>/CRL or ca.<domainname>/CRT) in the CDP/AIA section of the issuing CA. In DNS you only need to create an A record for ca.<domainname> and point it to the IP of the CA. This will also make upgrading the PKI at a later stage much simpler. I don't know if this is described anywhere, it's just something I picked up early on in my configurations. Morten
August 25th, 2010 1:16pm
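Putting Morten's two answers together as one added PowerShell example (this is not code from the thread): first read the CDP and AIA extensions of the CA's own certificate to see which server name relying parties are being sent to, then repoint the CA's CRL and AIA publication URLs at a generic host name so that the next server move is only a DNS change. The CA name "Contoso Root CA", the host name ca.example.com in zone example.com, the new server address 10.0.0.5, the DNS server dc01 and the path to an issued certificate are all assumptions; replace them with your own.

```powershell
# Added example for this thread, not from the original posts.
# Assumptions (change to suit):
#   CA common name   : Contoso Root CA
#   generic CDP host : ca.example.com   (A record "ca" in zone example.com)
#   new CA server IP : 10.0.0.5
#   DNS server       : dc01
#   a certificate issued by this CA, exported to C:\temp\issued.cer
# Run elevated on the CA server. An HTTP site on ca.example.com must serve the
# CertEnroll folder under /CRL and /CRT (for example IIS virtual directories)
# before clients can use the new URLs. PowerShell 2.0 compatible.

$CaName     = 'Contoso Root CA'
$CdpHost    = 'ca.example.com'
$Zone       = 'example.com'
$NewCaIp    = '10.0.0.5'
$DnsServer  = 'dc01'
$IssuedCert = 'C:\temp\issued.cer'

# 1. Where do existing certificates point? The CA's own certificate in the
#    machine's personal store carries the CDP (2.5.29.31) and AIA
#    (1.3.6.1.5.5.7.1.1) extensions with the old server name baked in.
$caCert = Get-ChildItem Cert:\LocalMachine\My |
          Where-Object { $_.Subject -like "CN=$CaName*" } |
          Sort-Object NotBefore -Descending | Select-Object -First 1
foreach ($ext in $caCert.Extensions) {
    if ('2.5.29.31', '1.3.6.1.5.5.7.1.1' -contains $ext.Oid.Value) {
        "$($ext.Oid.FriendlyName):"
        $ext.Format($true)    # one URL per line; look for the old host name
    }
}

# 2. Replace the server-specific HTTP location (the default is
#    2:http://%1/CertEnroll/..., where %1 is the CA server's DNS name) with the
#    generic host. Flag bits: 1 = publish the file here, 2 = include the URL in
#    issued certificates, 4 = include in CRLs (freshest CRL), 8 = include in
#    the CRL's own CDP, 64 = publish delta CRLs here. 79 is the LDAP default.
$crlUrls = "1:%WINDIR%\system32\CertSrv\CertEnroll\%3%8%9.crl" +
           "\n79:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10" +
           "\n6:http://$CdpHost/CRL/%3%8%9.crl"
$aiaUrls = "1:%WINDIR%\system32\CertSrv\CertEnroll\%1_%3%4.crt" +
           "\n2:ldap:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,%6%11" +
           "\n2:http://$CdpHost/CRT/%1_%3%4.crt"
# certutil splits a value on the literal "\n" into a REG_MULTI_SZ.
certutil -setreg CA\CRLPublicationURLs  $crlUrls
certutil -setreg CA\CACertPublicationURLs $aiaUrls

# 3. Generic name -> current CA server. dnscmd ships with Server 2008
#    (Add-DnsServerResourceRecordA only exists in the 2012+ DnsServer module).
dnscmd $DnsServer /RecordAdd $Zone ca A $NewCaIp

# 4. Apply the registry change and push a fresh CRL to every location
#    flagged with bit 1 (local folder and AD).
Restart-Service certsvc
certutil -CRL

# 5. Check from the relying party's point of view: -urlfetch downloads every
#    CDP and AIA URL in the chain and reports each one as Verified or Failed.
certutil -verify -urlfetch $IssuedCert
```

Two things to keep in mind when running this: the new URLs go only into certificates issued after the change (and into the CRLs published from now on), so certificates that are already out there still carry the old server name, which is why Morten's first suggestion of a DNS entry for the old name is still worth keeping until they expire or are renewed; and a CRL that is only published to AD is invisible to non-domain clients, so the HTTP location is the one that matters for those.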

