
In the course of migrating our internal CA we first kept the old server up and running in order to allow clients to download the CRL from the URL hardcoded in already issued certificates. Meanwhile the old server has been removed completely and there is merely a little virtual webhost active under its name with the sole purpose of delivering the CRL to clients.

I hope that this construct will become unnecessary when all old certificates are replaced (in a year or so). However, it would be nice to speed up this process, e.g., by issuing new certificates ahead of time where applicable. To this end, I would like to find out: When I see (from the web logs) a client retrieve the CRL, I can conclude that the client wanted to verify the validity of some (old) certificate. But how can I find out (not at the CA, but at the client maybe) which certificate the client wanted to verify?

Hagen von Eitzen

1 Answer


You can't know. You made a mistake by decommissioning the old CA prior to properly planning the migration process. What you had to do is to export the list of active certificates from the decommissioned CA's database. If you don't have an old CA backup, then you are out of luck. Wait until some service fails.

Edit: 24.07.2015

If your CA database is migrated and accessible, then you need to look up non-expired certificates issued prior to the CDP URL modification date.

Crypt32
  • The certificates were migrated to the new CA. In fact the new CA has in its database even ten-year-old expired certificates from the old CA, which are certainly not in use anywhere any more. This doesn't change the fact that the issued certificates themselves contain a pointer to the URL where their CRL should be fetched from, and that of course contains the obsolescent hostname. – Hagen von Eitzen Jul 23 '15 at 21:40
  • see my edited response. – Crypt32 Jul 24 '15 at 06:15
  • Thank you for the edited response, but that allows me to see which certs are potentially checked. I'd like to see which are actually checked. As in: Are the clients decrypting old mail? Or are they running an old piece of signed software? – Hagen von Eitzen Jul 24 '15 at 11:42
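The lookup the edited answer describes (non-expired certificates issued before the CDP URL was changed) can be scripted against an export of the migrated CA database. The following is an added example, not code from the question or the answer above: it works on a constructed CSV export with hypothetical serials and subjects, and the CDP change date is an assumed value. Certificates that pass the filter are exactly those that still embed the old CRL URL and therefore keep the legacy CRL host in service until they are re-issued or expire.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed sample export of the migrated CA database (not real data).
# Columns: serial, subject, not_before, not_after (UTC, ISO 8601).
SAMPLE_EXPORT = """serial,subject,not_before,not_after
01A3,CN=mail01.example.internal,2014-03-10T00:00:00Z,2016-03-10T00:00:00Z
01A4,CN=codesign.example.internal,2013-01-05T00:00:00Z,2018-01-05T00:00:00Z
01B0,CN=old-expired.example.internal,2005-06-01T00:00:00Z,2007-06-01T00:00:00Z
02C1,CN=web02.example.internal,2015-07-15T00:00:00Z,2017-07-15T00:00:00Z
"""

# Assumed (hypothetical) date on which the CDP URL in the CA's
# configuration was switched to the new hostname.
CDP_CHANGE_DATE = datetime(2015, 7, 1, tzinfo=timezone.utc)


def parse_ts(value):
    """Parse an ISO 8601 UTC timestamp such as 2015-07-24T12:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def certificates_with_old_cdp(export_text, cdp_change_date, now):
    """Return the certificates that are still valid at `now` and were issued
    before the CDP URL changed, i.e. the ones whose CDP still points at the
    old CRL host. Sorted by expiry so the soonest-to-expire come first."""
    candidates = []
    for row in csv.DictReader(io.StringIO(export_text)):
        not_before = parse_ts(row["not_before"])
        not_after = parse_ts(row["not_after"])
        if not_before >= cdp_change_date:
            continue  # issued with the new CDP URL already
        if not_after <= now:
            continue  # expired: no client will fetch a CRL for it
        candidates.append(
            {"serial": row["serial"], "subject": row["subject"], "not_after": not_after}
        )
    candidates.sort(key=lambda c: c["not_after"])
    return candidates


def legacy_cert_serials(export_text=SAMPLE_EXPORT, cdp_change_date=CDP_CHANGE_DATE,
                        now_iso="2015-07-24T12:00:00Z"):
    """Convenience wrapper returning only the serials, ordered by expiry."""
    return [c["serial"] for c in
            certificates_with_old_cdp(export_text, cdp_change_date, parse_ts(now_iso))]


if __name__ == "__main__":
    for cert in certificates_with_old_cdp(SAMPLE_EXPORT, CDP_CHANGE_DATE,
                                          parse_ts("2015-07-24T12:00:00Z")):
        print(cert["serial"], cert["subject"], "expires", cert["not_after"].date())
```

The list is a ceiling, not a record of actual revocation checks: as the comments note, the CA side can only tell you which certificates could still cause a CRL download, and the sort order simply tells you which ones will stop doing so on their own soonest and which are worth re-issuing ahead of time.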