Channel: Security forum

Issuing CA double certificates


Hi,

I have installed a new Windows 2012 server based PKI infrastructure with an offline CA and an Issuing CA.

I first issued an IssuingCA cert from the Offline CA server, and everything seemed fine. But I needed to change the CRL locations for the Offline CA (include the http:// links), so I issued a new IssuingCA cert and revoked the old one. Everything went fine.

But then I noticed that the IssuingCA has two certificates and also makes two CRL files (one named serverca.crl and another serverca(1).crl).

I have revoked the old IssuingCA certificate and published a new CRL from the offline CA, but I still have two IssuingCA certificates on the Issuing CA server.

So my question is: how do I remove the old revoked IssuingCA certificate from the IssuingCA? Or should I remove the IssuingCA completely and install a new one? And what is then the correct way to clear Active Directory and so on of all traces of the first IssuingCA?

Also, what should be published in the CRL and AIA paths for the OfflineCA? Should they be available on the public PKI site (http://pki.customer.com/crl/)?

Thanks

Best regards

Robert

