
I'm facing an issue renewing a SubCA certificate on Windows 2003. I keep getting this error (see images). I've looked for many solutions, and one of them is to copy the CRL from the root CA (which is a standalone server) to the SubCA server (something like this: http://itcalls.blogspot.fr/2013/08/how-to-publish-new-certificate.html), but I'm not sure about this and I do not want to take such a big risk, knowing that 802.1x is enabled on the LAN. Does anyone want to share their experience?

Below is the error:

[screenshot of the error dialog, not reproduced]

And after choosing "Cancel", I then had: [second screenshot, not reproduced]

Sam Doxy

1 Answer


Look at the CRL Distribution Point extension on the SubCA certificate. This will tell you where the Root CA's CRL needs to be for the SubCA (and others) to access it.

If it's an HTTP URL, simply publish the Root CA's CRL on the web server, remembering to rename the file to be identical to the URL if required.

If it's an LDAP URL, place the Root CA's CRL in AD by running the following on any domain computer:

certutil -dspublish -f <CRL filename>

You may possibly have both HTTP and LDAP URLs, in which case you should carry out both procedures.

The LDAP URL may take time to replicate, therefore you can also add the CRL to the SubCA's local computer store to speed things up, by running the following on the SubCA:

certutil -addstore -f Root <CRL filename>
garethTheRed
  • CRLs are configured to be published by default through LDAP/HTTP/file share. My other question is whether the certutil -dspublish -f command is "dangerous" or harmless (I have no lab, so all changes are made to the production environment) – Sam Doxy Nov 07 '17 at 09:30
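The answer's first step (read the CRL Distribution Point extension on the SubCA certificate) and the follow-up question about risk can both be served by a read-only check before anything is published. The PowerShell below is an added example, not code from the answer; it assumes an exported SubCA certificate at C:\temp\SubCA.cer (assumed path), certutil.exe on the PATH, and a locale in which certutil's date output can be parsed. It only downloads, dumps and verifies; it does not write to AD or to any store.

```powershell
# Added example: list the SubCA's CDP URLs, check the CRL reachable at each HTTP URL,
# then let Windows do its own chain/revocation check with certutil -verify -urlfetch.
param([string]$SubCaCertPath = 'C:\temp\SubCA.cer')   # assumed path to the exported SubCA .cer

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $SubCaCertPath

# CRL Distribution Points extension has OID 2.5.29.31; Format($true) renders it as text with "URL=" lines
$cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
if (-not $cdp) { throw "SubCA certificate has no CRL Distribution Point extension" }

$urls = [regex]::Matches($cdp.Format($true), 'URL=(\S+)') | ForEach-Object { $_.Groups[1].Value }
Write-Host "CDP URLs on '$($cert.Subject)':"
$urls | ForEach-Object { Write-Host "  $_" }

foreach ($url in $urls) {
    if ($url -notmatch '^https?://') {
        # LDAP/file CDPs are not fetched here; certutil -URL can test them interactively
        Write-Host "Non-HTTP CDP '$url' - test with: certutil -URL `"$url`""; continue
    }
    $tmp = Join-Path $env:TEMP 'cdp-check.crl'
    try {
        (New-Object System.Net.WebClient).DownloadFile($url, $tmp)
    } catch {
        Write-Warning "Cannot download CRL from $url : $($_.Exception.Message)"; continue
    }
    # certutil -dump prints the CRL's NextUpdate; the date format is locale dependent (assumption: parseable)
    $dump = certutil -dump $tmp 2>&1 | Out-String
    if ($dump -match 'NextUpdate:\s*(.+)') {
        $next  = [datetime]::Parse($matches[1].Trim())
        $state = if ($next -lt (Get-Date)) { 'EXPIRED' } else { 'valid' }
        Write-Host ("CRL at {0}: NextUpdate {1:u} ({2})" -f $url, $next, $state)
    } else {
        Write-Warning "Could not read NextUpdate from CRL at $url"
    }
}

# Chain + revocation check as Windows performs it, fetching CRLs from the CDP URLs above
$verify = certutil -verify -urlfetch $SubCaCertPath 2>&1 | Out-String
$verify -split "`r?`n" | Where-Object { $_ -match 'revocation|CRL|expired|error' } | ForEach-Object { Write-Host $_ }
if ($LASTEXITCODE -eq 0) { Write-Host "certutil -verify succeeded" }
else { Write-Warning "certutil -verify failed (exit code $LASTEXITCODE)" }
```

An expired NextUpdate on the CRL at the HTTP CDP, or a failing -verify, confirms that the Root CA's CRL at that location is what the renewal is stumbling on.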