How to check on CRL of old CA keypair after renewal with new keypair

Dieter Grasser 41 Reputation points
2021-03-24T14:05:08.007+00:00

Hi All,

I renewed our Issuing CAs certificates with new keys.

That worked kinda fine and I think it should be alright. I still need to fix OCSP but that should be alright.

However, I am kinda confused by the way pkiview shows the current health of the CA.

I still have plenty of certificates signed with the old keypair and will continue to have for some time. Consequently, I'd like to check on CRL publishing status for the old keypair.

However, pkiview only shows the CRL/AIA/CRL+ for the new keypair.


Is there a way to make pkiview also show the CRL status etc. for the old keypair? (It would be handy, as some of the certificates will be valid for another 18 months.)

Cheers,
R


Accepted answer
  1. Fan Fan 15,291 Reputation points Microsoft Vendor
    2021-03-25T01:43:17.337+00:00

    Hi,

    We can't make pkiview show both CRL statuses.

    Before the old CA certificates expire, just don't delete the old ones.
    The CRL of the old CA keypair still exists in the CertEnroll folder on both the CA and the web server after renewal with a new keypair.

    For how the CRLs (old and new) are checked by clients after renewal with a new key pair, you can refer to the following links:
    https://social.technet.microsoft.com/wiki/contents/articles/2016.root-ca-certificate-renewal.aspx
    https://www.experts-exchange.com/articles/32336/CA-Validity-Period-Extension-and-CA-Certificate-Renewal-Process.html

    This response contains a third-party link. We provide this link for easy reference. Microsoft cannot guarantee the validity of any information and content in this link.
    Best Regards,


1 additional answer

  1. Dieter Grasser 41 Reputation points
    2021-04-07T11:15:08.627+00:00

    Hey,

    sorry for the late reply and thank you for your answer.

    I would have liked to have an overall view in pkiview or something. My CA will continue to publish CRLs for almost 2 years and this reduces the utility of pkiview greatly in my opinion. So far, I checked pkiview and knew at first glance if everything was in order. Now, I have to check the publishing points manually, if I understand correctly.

    I just tested, and if I delete the current CRL and CRL(+) which were created with the old keypair, pkiview claims that everything is fine. However, the old certificates will be regarded as invalid, because the CRL is missing.

    Kind regards,
    R

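The accepted answer says the old-key CRL keeps being published to CertEnroll, and the follow-up shows that pkiview no longer notices when that CRL disappears. The PowerShell below is an added example, not code from the thread, from Microsoft or from pkiview: it lists every CRL in CertEnroll (and, optionally, at the HTTP CDP URLs you pass in), works out which CA certificate signed each CRL by matching the CRL's Authority Key Identifier to the certificate's Subject Key Identifier, and warns when a CA certificate that is still valid has no current base CRL signed with its key, which is exactly the gap described in the follow-up. AD CS normally publishes the renewed key's CRL under the `%8` name suffix (for example `Contoso Issuing CA(1).crl`) while the original key's CRL keeps the plain file name, so matching on key identifier rather than file name avoids guessing. The default CertEnroll path, the placeholder CDP URL and the `-WarnHours` threshold are my assumptions, not anything stated in the thread.

```powershell
<#
Added example (not from the original thread): report the status of every CRL a CA publishes,
including the one signed with the pre-renewal key that pkiview no longer shows, and match each
CRL to the CA certificate (old or new key) that signed it via Authority/Subject Key Identifier.
Assumptions (mine, not from the page): CertEnroll is in its default location, and any HTTP CDP
URLs are supplied by the caller; the URL in the comment below is only a placeholder.
#>
param(
    [string]   $CertEnroll = (Join-Path $env:SystemRoot 'System32\CertSrv\CertEnroll'),
    [string[]] $CdpUrls    = @(),   # e.g. 'http://pki.example.com/CertEnroll/Contoso Issuing CA.crl' (placeholder)
    [int]      $WarnHours  = 24     # flag CRLs whose NextUpdate is closer than this
)

function Get-CrlInfo {
    # Windows PowerShell has no built-in CRL parser, so read the fields out of 'certutil -dump <file.crl>'.
    param([Parameter(Mandatory)][string]$Path)
    $dump = & certutil.exe -dump $Path 2>&1 | Out-String
    $get  = { param($pattern) if ($dump -match $pattern) { $Matches[1].Trim() } else { $null } }
    $keyId = & $get 'KeyID=([0-9a-fA-F ]+)'                    # Authority Key Identifier of the signing CA key
    [pscustomobject]@{
        File       = Split-Path -Path $Path -Leaf
        Issuer     = & $get '(?m)^Issuer:\r?\n\s+(.+)$'       # first RDN line only
        IsDelta    = ($dump -match 'Delta CRL Indicator')
        CrlNumber  = & $get 'CRL Number=([0-9a-fA-F]+)'       # kept as certutil prints it
        AuthKeyId  = if ($keyId) { ($keyId -replace '\s', '').ToUpper() } else { $null }
        ThisUpdate = if ($t = & $get '(?m)^\s*ThisUpdate:\s*(.+?)\s*$') { [datetime]::Parse($t) } else { $null }
        NextUpdate = if ($n = & $get '(?m)^\s*NextUpdate:\s*(.+?)\s*$') { [datetime]::Parse($n) } else { $null }
    }
}

$now = Get-Date

# Each CA key generation is exported to CertEnroll as <host>_<CA>[(n)].crt; index them by Subject Key Identifier.
$caCerts = @(foreach ($f in Get-ChildItem -Path $CertEnroll -Filter '*.crt') {
    $c   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $f.FullName
    $ski = ($c.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.14' } | Select-Object -First 1).SubjectKeyIdentifier
    [pscustomobject]@{ File = $f.Name; Subject = $c.Subject; NotAfter = $c.NotAfter; Ski = $ski }
})

# Local CRL files, plus whatever the caller asked us to fetch from the HTTP CDP.
$crlItems = @(foreach ($f in Get-ChildItem -Path $CertEnroll -Filter '*.crl') {
    [pscustomobject]@{ Source = 'CertEnroll'; Path = $f.FullName }
})
foreach ($url in $CdpUrls) {
    $tmp = Join-Path $env:TEMP (Split-Path -Path ([uri]$url).LocalPath -Leaf)
    try {
        Invoke-WebRequest -Uri $url -OutFile $tmp -UseBasicParsing
        $crlItems += [pscustomobject]@{ Source = $url; Path = $tmp }
    } catch {
        Write-Warning "Could not fetch $url : $($_.Exception.Message)"
    }
}

$report = foreach ($item in $crlItems) {
    $info  = Get-CrlInfo -Path $item.Path
    $owner = $caCerts | Where-Object { $_.Ski -and $_.Ski -eq $info.AuthKeyId } | Select-Object -First 1
    $state = 'OK'
    if (-not $info.NextUpdate)                              { $state = 'UNREADABLE' }
    elseif ($info.NextUpdate -lt $now)                      { $state = 'EXPIRED' }
    elseif ($info.NextUpdate -lt $now.AddHours($WarnHours)) { $state = 'EXPIRING' }
    [pscustomobject]@{
        Source     = $item.Source
        File       = $info.File
        Type       = if ($info.IsDelta) { 'Delta' } else { 'Base' }
        SignedBy   = if ($owner) { $owner.File } else { 'unknown key' }
        CrlNumber  = $info.CrlNumber
        NextUpdate = $info.NextUpdate
        State      = $state
    }
}
$report | Sort-Object SignedBy, Type | Format-Table -AutoSize

# The check pkiview stops doing after a renew-with-new-key: every CA certificate that is still
# valid must have a current base CRL signed with *its* key, otherwise certificates issued under
# that key fail revocation checking even though the newest CRL looks healthy.
foreach ($ca in ($caCerts | Where-Object { $_.NotAfter -gt $now })) {
    $good = $report | Where-Object { $_.SignedBy -eq $ca.File -and $_.Type -eq 'Base' -and $_.State -eq 'OK' }
    if (-not $good) {
        Write-Warning "No valid base CRL for CA certificate $($ca.File) (valid until $($ca.NotAfter))"
    }
}
```

Run it on the CA itself, or on the CDP web server with the CA's `.crt` files copied next to the CRLs so the key-identifier match has something to match against; CRLs whose signing key cannot be matched show as "unknown key". Passing `-CdpUrls` checks what clients actually download rather than what sits in the local folder, which is the failure mode the follow-up describes: deleting the old-key CRL makes pkiview report all green while the script warns about the older CA certificate. If an old-key CRL is missing or expired, `certutil -CRL` on the CA republishes CRLs for all of its keys.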