After renewing a level 2 CA over the weekend, I noticed something concerning. The HTTP CDP in newly issued certificates appears as I would expect (http://[WEBSITE]/[CA NAME](1).crl); however, the HTTP AIA has not changed after the renewal. Right now, the CA certificate published at the HTTP AIA location is still the previous CA cert (still valid for a few more weeks). If I enter the HTTP AIA value into a browser, it downloads that old certificate.
We are only using this CA for document signing. Interestingly enough, when I sign a document in Acrobat and check the certificate chain on the signature, it appears correct; the new CA certificate is in the chain. I'm guessing that Acrobat is leveraging LDAP rather than HTTP to grab the CA chain and CRL.
Still, I'm wondering if there's something I need to do in order for the HTTP AIA to appear correctly.
Here's what the AIA definition looks like in my CA configuration script:
-setreg CA\CACertPublicationURLs "2:http://certs.contoso.com/%3.crt\n3:ldap:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,%6%11\n1:E:\CertLog\%3.crt"
Thanks in advance!
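The following is an added example, not code from the original post, for checking a certificate issued by this CA against its own HTTP AIA pointer: it builds the chain for a leaf certificate, pulls every URL out of the leaf's AIA extension (OID 1.3.6.1.5.5.7.1.1), downloads each HTTP entry, and compares the thumbprint of the downloaded file with the issuer certificate that the chain build actually selected. The `-LeafCertPath` parameter is an assumption for illustration; export the signing certificate from a signed document (or use one issued after the renewal) and pass its path. Note that the AIA definition above names the published file `%3.crt` (CA name only), whereas certutil's `%4` token carries the renewal suffix, so the file name is the same before and after renewal; this script only reports whether the file currently served at that URL is the one the chain expects.

```powershell
# Added example (not from the original post). Compares the CA certificate served
# at a leaf certificate's HTTP AIA URL(s) with the issuer that actually signed the leaf.
# -LeafCertPath is an assumed parameter name for illustration.
param(
    [Parameter(Mandatory = $true)]
    [string]$LeafCertPath   # .cer/.crt issued by the renewed CA
)

$leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $LeafCertPath

# Build the chain locally to learn which issuer certificate Windows selects for this leaf.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # revocation is not the question here
[void]$chain.Build($leaf)
if ($chain.ChainElements.Count -lt 2) { throw "Could not build a chain for $LeafCertPath" }
$issuer = $chain.ChainElements[1].Certificate
"Issuer selected by chain build : $($issuer.Subject)"
"  thumbprint                   : $($issuer.Thumbprint)"
"  valid                        : $($issuer.NotBefore) -> $($issuer.NotAfter)"

# Extract every URL from the AIA extension (id-pe-authorityInfoAccess, 1.3.6.1.5.5.7.1.1).
# Format($true) renders the extension as text containing lines such as "URL=http://...".
$aia = $leaf.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.5.5.7.1.1' }
if (-not $aia) { throw "Leaf certificate has no AIA extension" }
$urls = [regex]::Matches($aia.Format($true), 'URL=(\S+)') | ForEach-Object { $_.Groups[1].Value }

foreach ($url in $urls) {
    if ($url -notmatch '^http://') { "Skipping non-HTTP AIA entry: $url"; continue }
    try {
        $tmp = [System.IO.Path]::GetTempFileName()
        Invoke-WebRequest -Uri $url -OutFile $tmp -UseBasicParsing
        # The published .crt is DER; the X509Certificate2 constructor accepts DER or Base64.
        $served = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $tmp
        Remove-Item $tmp -ErrorAction SilentlyContinue
    } catch {
        "FAIL  $url : $($_.Exception.Message)"; continue
    }
    if ($served.Thumbprint -eq $issuer.Thumbprint) {
        "OK    $url serves the issuer that signed the leaf"
    } else {
        "STALE $url serves $($served.Thumbprint) (valid to $($served.NotAfter)), " +
        "but the leaf was signed by $($issuer.Thumbprint)"
    }
}
```

Run it from a workstation that can reach certs.contoso.com, e.g. `.\Check-Aia.ps1 -LeafCertPath .\signer.cer`. A STALE line means the file at the AIA URL is the pre-renewal CA certificate, which is what the browser download above already suggests; OK means the HTTP location has been updated. For a second opinion from the built-in tooling, `certutil -verify -urlfetch signer.cer` performs the same AIA retrieval and reports what it found, and on the CA itself `certutil -getreg CA\CACertPublicationURLs` shows the publication entries that the `-setreg` line above set.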