tectec-9622 asked

How to check on CRL of old CA keypair after renewal with new keypair

Hi All,

I renewed our Issuing CAs certificates with new keys.

That worked kinda fine and I think it should be alright. I still need to fix OCSP but that should be alright.

However, I am kinda confused by the way pkiview shows the current health of the CA.

I still have plenty of certificates signed with the old keypair and will continue to have for some time. Consequently, I'd like to check on CRL publishing status for the old keypair.

However, pkiview only shows the CRL/AIA/CRL+ for the new keypair.

[image: grafik.png]
Is there a way to make pkiview also show the CRL status etc. for the old keypair (would be handy, as some of the certificates will be valid for another 18 months)?

Cheers,
R

windows-server-security

Hi,
 
Just want to confirm the current situation.
If there's anything you'd like to know, don't hesitate to ask.

Best Regards,

FanFan-MSFT answered

Hi,

We can't make pkiview show both CRL statuses.

Before the old CA certificate expires, just don't delete the old ones.
The CRL of the old CA keypair, after renewal with a new keypair, still exists in the CertEnroll folder on both the CA and the web server, as follows:
[images: 3251.jpg, 3252.jpg]

For how the CRLs (old and new) are checked by clients after renewal with a new key pair, you can refer to the following links:
https://social.technet.microsoft.com/wiki/contents/articles/2016.root-ca-certificate-renewal.aspx
https://www.experts-exchange.com/articles/32336/CA-Validity-Period-Extension-and-CA-Certificate-Renewal-Process.html

This response contains a third-party link. We provide this link for easy reference. Microsoft cannot guarantee the validity of any information and content in this link.
Best Regards,




tectec-9622 answered

Hey,

Sorry for the late reply and thank you for your answer.

I would have liked to have an overall view in pkiview or something. My CA will continue to publish CRLs for almost 2 years and this reduces the utility of pkiview greatly in my opinion. So far, I checked pkiview and knew at first glance if everything was in order. Now, I have to check the publishing points manually, if I understand correctly.

I just tested and if I delete the current CRL and CRL(+), which were created with the old keypair, pkiview claims that everything is fine. However, the old certificates will be regarded as invalid, because the CRL is missing.


Kind regards,
R
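The two things the thread leaves the reader to do by hand (FanFan's point that the old-key CRLs still sit in CertEnroll, and R's remark that the publishing points now have to be checked manually because pkiview only tracks the current key) can be scripted. The PowerShell below is an added example, not code from the thread or from Microsoft: it inventories every CRL in a CertEnroll folder (and, optionally, CRLs fetched from the CDP URLs you pass in), maps each CRL to the CA certificate whose key signed it by matching the CRL's Authority Key Identifier against the Subject Key Identifier of the *.crt files in the same folder, and flags CRLs that are expired or close to NextUpdate. That gives the "both keypairs at a glance" view the question asks for. Assumptions: certutil.exe is present (it is on the CA and on any box with the AD CS RSAT tools) and prints English output, the CA certificates sit next to the CRLs as they do in the default CertEnroll folder, and the URL and CA names in the comments are hypothetical.

```powershell
<#
  Added example (not code from this thread). Inventories every CRL in a CertEnroll
  folder, plus any CRLs fetched from CDP URLs you pass in, maps each CRL to the CA
  certificate whose key signed it (Authority Key Identifier -> Subject Key Identifier),
  and flags CRLs that are expired or close to NextUpdate.
  Assumptions: certutil.exe is present and prints English output; the CA certificates
  (*.crt) sit next to the CRLs as in the default CertEnroll folder; URLs and names in
  the comments are hypothetical.
#>
param(
    # CA default; on the web server point this at the CertEnroll virtual directory
    [string]   $Path      = "$env:SystemRoot\System32\CertSrv\CertEnroll",
    # e.g. 'http://pki.example.com/CertEnroll/Contoso Issuing CA(1).crl' (hypothetical)
    [string[]] $Url       = @(),
    # flag CRLs whose NextUpdate is closer than this many hours
    [int]      $WarnHours = 24
)

function Get-CaCertKeyIds {
    # Returns hashtable: Subject Key Identifier (uppercase hex) -> X509Certificate2.
    # After a renew-with-new-key there are two *.crt files here, one per key.
    param([string]$Folder)
    $map = @{}
    foreach ($f in Get-ChildItem -Path $Folder -Filter '*.crt' -File -ErrorAction SilentlyContinue) {
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($f.FullName)
        $ext  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.14' } | Select-Object -First 1
        if ($null -eq $ext) { continue }   # no SKI: cannot be matched to a CRL's AKI
        $ski  = New-Object System.Security.Cryptography.X509Certificates.X509SubjectKeyIdentifierExtension($ext, $false)
        $map[$ski.SubjectKeyIdentifier.ToUpperInvariant()] = $cert
    }
    return $map
}

function Get-CrlInfo {
    # Parses 'certutil -dump' output for one CRL. Regexes assume English certutil output;
    # dates are parsed in the current culture, which is how certutil prints them.
    param([string]$CrlFile)
    $lines = @(& certutil.exe -dump $CrlFile 2>&1 | ForEach-Object { "$_".TrimEnd() })
    $dump  = $lines -join "`n"
    $issuer = ''
    for ($i = 0; $i -lt $lines.Count - 1; $i++) {
        if ($lines[$i].Trim() -eq 'Issuer:') { $issuer = $lines[$i + 1].Trim(); break }
    }
    $thisUpd = if ($dump -match 'ThisUpdate:\s*([^\n]+)') { [datetime]::Parse($Matches[1].Trim()) } else { $null }
    $nextUpd = if ($dump -match 'NextUpdate:\s*([^\n]+)') { [datetime]::Parse($Matches[1].Trim()) } else { $null }
    # AKI KeyID: certutil prints hex with or without spaces depending on version; normalise
    $akid    = if ($dump -match 'KeyID=([0-9a-fA-F ]+)') { ($Matches[1] -replace ' ', '').ToUpperInvariant() } else { '' }
    # CA Version is V<certIndex>.<keyIndex>; the key index increments on renew-with-new-key
    $caVer   = if ($dump -match 'CA Version\s+(V\d+\.\d+)') { $Matches[1] } else { '' }
    # 2.5.29.27 is the Delta CRL Indicator; '+.crl' is the AD CS delta naming convention
    $kind    = if ($dump -match '2\.5\.29\.27' -or $CrlFile -like '*+.crl') { 'Delta' } else { 'Base' }
    [pscustomobject]@{
        Issuer = $issuer; ThisUpdate = $thisUpd; NextUpdate = $nextUpd
        KeyId  = $akid;   CaVersion  = $caVer;   Kind       = $kind
    }
}

function Get-CrlStatus {
    param($Info, $Signer, [datetime]$Now, [int]$WarnHours)
    if ($null -eq $Info.NextUpdate)                     { return 'UNPARSED' }
    if ($Info.NextUpdate -lt $Now)                      { return 'EXPIRED' }
    if ($Info.NextUpdate -lt $Now.AddHours($WarnHours)) { return 'EXPIRING' }
    if ($null -eq $Signer)                              { return 'NO-MATCHING-CA-CERT' }
    return 'OK'
}

$tmp = Join-Path $env:TEMP ('crlcheck-' + [guid]::NewGuid().ToString('N'))
New-Item -ItemType Directory -Path $tmp | Out-Null
try {
    $files = @(Get-ChildItem -Path $Path -Filter '*.crl' -File -ErrorAction SilentlyContinue)
    foreach ($u in $Url) {
        # Pull the CRL from the publishing point itself, i.e. what relying parties fetch
        $dest = Join-Path $tmp ([uri]::UnescapeDataString(([uri]$u).Segments[-1]))
        Invoke-WebRequest -Uri $u -OutFile $dest -UseBasicParsing
        $files += Get-Item $dest
    }
    $caCerts = Get-CaCertKeyIds -Folder $Path
    $now     = Get-Date
    $report  = foreach ($f in $files) {
        $c         = Get-CrlInfo -CrlFile $f.FullName
        $signer    = if ($c.KeyId) { $caCerts[$c.KeyId] } else { $null }
        $signerExp = if ($signer) { $signer.NotAfter } else { $null }
        [pscustomobject]@{
            File           = $f.Name
            Kind           = $c.Kind
            CaVersion      = $c.CaVersion
            KeyId          = $c.KeyId
            SignerNotAfter = $signerExp     # when the CA cert for this key expires
            NextUpdate     = $c.NextUpdate
            Status         = Get-CrlStatus -Info $c -Signer $signer -Now $now -WarnHours $WarnHours
        }
    }
    $report | Sort-Object Kind, File | Format-Table -AutoSize
}
finally {
    Remove-Item -Path $tmp -Recurse -Force -ErrorAction SilentlyContinue
}
```

Run it with no arguments on the CA to see one row per base and delta CRL for each key index (CA Version V0.0 for the original key, V1.1 after the renewal). On the web server, pass -Path with the IIS CertEnroll folder, or pass -Url with the exact CDP URLs taken from a certificate issued under the old key (`certutil -dump` on such a certificate shows them), which is the check pkiview no longer performs for that key. Any row showing EXPIRED, or NO-MATCHING-CA-CERT for a KeyId that a still-valid CA certificate should own, is the condition R describes: certificates chained to that key will fail revocation checking even though pkiview reports the CA as healthy.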

