Unable to update CRL Distribution Points WIN2K8
Hi All, I have recently migrated my old CA from a WIN2K server to WIN2K8 server. I have followed the migration guide as per Microsoft's instructions. I am having trouble adding new CRL Distribution Points for the existing certificate. I have not completed this before and am confused. I added the new locations in the CA Name > Properties > Extensions to point to the new server, but when I try a URL fetch, it doesn't reference these new locations.
How can i get the existing certificate to contain the original paths as well as the new paths?
Your help is appreciated
December 30th, 2011 12:31am
On Fri, 30 Dec 2011 05:22:50 +0000, Angelo AA wrote:
Hi All, I have recently migrated my old CA from a WIN2K server to WIN2K8 server. I have followed the migration guide as per Microsoft's instructions. I am having trouble adding new CRL Distribution Points for the existing certificate. I have not completed this before and am confused. I added the new locations in the CA Name > Properties > Extensions to point to the new server, but when I try a URL fetch, it doesn't reference these new locations.
How can i get the existing certificate to contain the original paths as well as the new paths?
You cannot modify an existing certificate. Certificates are signed objects,
and as such, any change to the object would invalidate the certificate.
You're not understanding the purpose of that step in the instructions. It
does not modify an existing certificate, it modifies the registry on the CA
so that new certificates, issued after you've made the change and
restarted the service, contain the new URLs.
You're going to have to renew or reissue all of your existing certificates
to reflect the change.
Paul Adare
MVP - Forefront Identity Manager
http://www.identit.ca
If God had intended Man to program, we would be born with serial I/O
ports.
December 30th, 2011 1:56am
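Since the Extensions change only affects certificates issued after it, the practical follow-up is to find out which already-issued certificates still carry the old CDP URL and so need renewing. The script below is an added example, not something from this thread: it reads the CRL Distribution Points extension (OID 2.5.29.31) of each certificate in a store and flags those whose CDP still names the old CA host. The host name, store path and CA name are placeholders.

```powershell
# Added example: list the CDP URLs embedded in issued certificates and flag
# the ones that still point at the old CA host, i.e. the certificates that
# must be renewed or reissued after the CDP extension change on the CA.
# All names below are assumptions; replace them with your own values.

$OldCaHost = 'oldca.example.com'        # placeholder: decommissioned CA host
$StorePath = 'Cert:\LocalMachine\My'    # store to inspect
$CdpOid    = '2.5.29.31'                # CRL Distribution Points (RFC 5280 4.2.1.13)

function Get-CdpUrl {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $CdpOid }
    if (-not $ext) { return @() }
    # Format($true) renders the extension as multi-line text containing
    # one "URL=..." entry per distribution point; pull those out.
    $text = $ext.Format($true)
    [regex]::Matches($text, 'URL=(\S+)') | ForEach-Object { $_.Groups[1].Value }
}

Get-ChildItem $StorePath | ForEach-Object {
    $urls = @(Get-CdpUrl -Cert $_)
    [pscustomobject]@{
        Subject    = $_.Subject
        NotAfter   = $_.NotAfter
        CdpUrls    = ($urls -join '; ')
        NeedsRenew = [bool]($urls | Where-Object { $_ -match [regex]::Escape($OldCaHost) })
    }
} | Where-Object { $_.CdpUrls } | Format-Table -AutoSize

# To compare against what the CA will now write into new certificates,
# read the configured URL list from the CA registry (run on the CA itself):
#   certutil -getreg CA\CRLPublicationURLs
```

Certificates reported with NeedsRenew = True will keep validating only as long as a CRL stays reachable at the old URL, which is why the old location must remain published (or the certificates renewed) until they expire.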
Hi, thanks for the reply.
Do I need to reissue all of our existing certificates?
So, in order for the old certificates to continue to work, I need to keep a reference to the old CA server until all of the old certificates expire? Is a pointer or A record good enough? I would create a record that would route all queries to the old CA server to be tasked to the new CA server.
The only problem I see here is that I have migrated from WIN2K to WIN2K8 and therefore the system folder locations are different between the two OSes, i.e. C:\WINNT and C:\WINDOWS. Will this cause issues for the existing certificates and the old server db location?
I apologise for not understanding fully, as this is the first CA migration I have had to perform and I want to get it working right in the test lab before putting it into production.
Your help is appreciated
Regards,
January 2nd, 2012 11:38pm
Hey Angelo-
I'm currently working through this process, as well, and found the same confusion - this Technet makes it a bit clearer.
http://technet.microsoft.com/en-us/library/cc742471(WS.10).aspx
As I understand it, the CRL Distribution Point is an LDAP path and is built in AD based on variables. You should already have one container in AD that references the old host name, and the container referencing the new host name will be created when you install AD CS. This process just tells the new server to also publish the CRL at the old location in AD, so old certificates can still find the CRL. There should be no need for fancy redirection; the CRL will exist in two locations.
I'm not sure how the path locations would impact this, or the migration in general (I'm going from 2003->2008R2).
As I mentioned, this is just based on what I've read and has no real world application (I'll be labbing this beforehand). I'll be keeping an eye on this thread - hopefully someone with a bit more experience can confirm or debunk this thought process.
Wade
January 4th, 2012 4:14pm