
Major Problem with PKI - CA



Guest Randy Smith
Posted

Hello everyone,

Not sure why...or how...but my Windows-based PKI stopped working yesterday afternoon. The issuing CA won't start...says the CRL can not be contacted. I can browse to my CRL in IE...open it...and I noticed immediately that the Next Update date and time has passed (was yesterday afternoon). I thought this was updated regularly by the CA. How can I get my devices authenticating quickly and ensure this does not happen again?

Thanks!
Randy


Guest Randy Smith
Posted

More info on this problem...

I'm running a two level PKI with an offline root CA and one online issuing CA. The CRL distribution location for the issuing CA cert is different than the CRL distribution location for all certs that are issued by this CA (which happens to be the default location).

I'm trying to figure out how I get the CRL listed in the issuing CA certificate corrected or at least updated so my PKI will work. I'm not sure why the two are different.

Randy


"Randy Smith" <smittyrt@gmail.com> wrote in message
news:O0Y5vNMSJHA.3628@TK2MSFTNGP06.phx.gbl...
> Hello everyone,
>
> Not sure why...or how...but my Windows-based PKI stopped working yesterday
> afternoon. The issuing CA won't start...says the CRL can not be
> contacted. I can browse to my CRL in IE...open it...and I noticed
> immediately that the Next Update date and time has passed (was yesterday
> afternoon). I thought this was updated regularly by the CA. How can I
> get my devices authenticating quickly and ensure this does not happen
> again?
>
> Thanks!
> Randy

Guest Brian Komar
Posted

This is a basic design problem that should have been identified before certificates were issued.

1. Run PKIView.msc from the resource kit tools and verify what URLs are not reachable
2. See the best practices whitepaper at www.microsoft.com/pki

Brian


"Randy Smith" <smittyrt@gmail.com> wrote in message
news:ekQ7OINSJHA.5860@TK2MSFTNGP02.phx.gbl...
> More info on this problem...
>
> I'm running a two level PKI with an offline root CA and one online issuing
> CA. The CRL distribution location for the issuing CA cert is different
> than the CRL distribution location for all certs that are issued by this
> CA (which happens to be the default location).
>
> I'm trying to figure out how I get the CRL listed in the issuing CA
> certificate corrected or at least updated so my PKI will work. I'm not
> sure why the two are different.
>
> Randy
>
> "Randy Smith" <smittyrt@gmail.com> wrote in message
> news:O0Y5vNMSJHA.3628@TK2MSFTNGP06.phx.gbl...
>> Hello everyone,
>>
>> Not sure why...or how...but my Windows-based PKI stopped working
>> yesterday afternoon. The issuing CA won't start...says the CRL can not
>> be contacted. I can browse to my CRL in IE...open it...and I noticed
>> immediately that the Next Update date and time has passed (was yesterday
>> afternoon). I thought this was updated regularly by the CA. How can I
>> get my devices authenticating quickly and ensure this does not happen
>> again?
>>
>> Thanks!
>> Randy
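
An added example, not part of the thread or of any poster's message: a minimal check that reads the This Update and Next Update fields out of a DER-encoded CRL and flags it before it goes stale, which is the condition described in the first post. The function names, the two-day warning window and the sample CRL (an unsigned skeleton built inline) are assumptions made for illustration; in use, the bytes would be the CRL fetched from each distribution point, the root CA's as well as the issuing CA's.

```python
from datetime import datetime, timedelta, timezone

def _tlv(buf, pos):
    """Read one DER element at pos: (tag, value bytes, offset of next element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _time(tag, val):                         # UTCTime (0x17) or GeneralizedTime (0x18)
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(val.decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def crl_validity(der):
    """Return (thisUpdate, nextUpdate) from a DER CRL; nextUpdate may be None."""
    tbs = _tlv(_tlv(der, 0)[1], 0)[1]        # CertificateList -> TBSCertList
    tag, _, pos = _tlv(tbs, 0)               # version INTEGER (absent in v1 CRLs)
    if tag == 0x02:
        pos = _tlv(tbs, pos)[2]              # signature AlgorithmIdentifier
    pos = _tlv(tbs, pos)[2]                  # issuer Name
    tag, val, pos = _tlv(tbs, pos)           # thisUpdate
    times = [_time(tag, val), None]
    if pos < len(tbs) and tbs[pos] in (0x17, 0x18):
        times[1] = _time(*_tlv(tbs, pos)[:2])
    return tuple(times)

def crl_status(der, now, warn=timedelta(days=2)):
    """'expired' once Next Update has passed, 'expiring' inside the warn window."""
    next_update = crl_validity(der)[1]
    if next_update is None:
        return "no-next-update"
    left = next_update - now
    return "expired" if left <= timedelta(0) else "expiring" if left <= warn else "ok"

def _der(tag, body):                         # short-form length: sample is < 128 bytes
    return bytes([tag, len(body)]) + body

def sample_crl(t0, t1):
    """Constructed, unsigned CRL skeleton for the demo; not any real CA's CRL."""
    alg = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010b")))
    cn = _der(0x06, bytes.fromhex("550403")) + _der(0x0C, b"Example Issuing CA")
    name = _der(0x30, _der(0x31, _der(0x30, cn)))
    tbs = _der(0x30, _der(0x02, b"\x01") + alg + name + _der(0x17, t0) + _der(0x17, t1))
    return _der(0x30, tbs + alg + _der(0x03, b"\x00"))

if __name__ == "__main__":                   # prints ['ok', 'expiring', 'expired']
    crl = sample_crl(b"240101120000Z", b"240108120000Z")
    print([crl_status(crl, datetime(2024, 1, d, 12, tzinfo=timezone.utc)) for d in (2, 7, 9)])
```

The parser reads the fields only and does not verify the CRL's signature, so it suits freshness monitoring rather than revocation decisions.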
