SamNa-6041 asked

Two tier PKI, 2nd Issuing Enterprise CA, CDP/AIA location not updating as expected.

We have a two-tier PKI in place and tried to add a second enterprise issuing CA in a remote site to provide better availability and redundancy with the below details.

Two issuing enterprise certificate authorities were deployed.

Server #1 (Site A)

On top of the CA role, added the IIS role and Web enrolment to the first server and used an alias called cdp.domain.com which points to this first server, and added http://cdp.domain.com as CDP/AIA. All good here (pkiview.msc == all green).

Server #2 (Site B)

Added the 2nd server with only the CA role, and pointed CRL/AIA to cdp.domain.com. Noticed that the revocation list still gets updated in the default location but not in http://cdp.domain.com, which is at the first server's default location (C:\Windows\system32\certsrv\certenroll\).

And pkiview.msc shows a "can not download" error because neither the CRL nor the CRT exists on the cdp.domain.com virtual directory. How do we send updates to the first server so the CDP for both servers becomes one location and the CRLs can all be found in the same virtual directory?

windows-server windows-active-directory windows-server-security

1 Answer

SamNa-6041 answered

@lukus290

I found your answer to a related question here:

https://social.technet.microsoft.com/Forums/en-US/e568a95c-6999-4d62-9401-9727a8dd5c35/crl-in-two-issuing-ca-environment?forum=winserversecurity

Not sure if your solution would work for my case here.

"Create 1 CDP path for Webserver 1" in my case would be https://cdp1.domain.com or file://cdp1/certenroll?
