This has been a crash course in PKI, and I am taking over for a previous sysadmin, which has made it even more interesting. I'm hoping that you smart folks can help me to better understand my configuration so that I can correct an issue with expiring/expired locations. Otherwise, I fear I might bugger it up even more.
Overview:
Offline Root CA - 2008 R2 SP1 - Not joined to the domain.
Online Issuing CA #1 - 2003 R2 SP2 - Joined to the domain (was supposed to be retired, I believe). I don't see any issues with this server.
Online Issuing CA #2 - 2007 R2 SP1 - Joined to the domain (was supposed to replace #1, I believe). This one has items that are expired/expiring.
I had a call that a user was receiving a certificate error when trying to connect to our MS Lync server, and when I checked the Online Issuing CA #2 server, I noticed a pile of expired/expiring locations. I did a bunch of searching/reading and came to the conclusion that I would have to export a new Root CA CRL from my offline Root CA (right-click Revoked Certificates, All Tasks, Publish the .CRL), manually copy it over to the online Issuing CA (C:\Windows\System32\CertSRV\CertEnroll), restart the ADCS service, and then use the command Certutil -addstore -f CA cert.crl and then update AD with Certutil -f -dspublish cert.crl.
That seemed to clear the expiry notices for the "Issuing CA 2 (V0.0)", but the following scrubbed screenshots are what I'm left with.
On the first, when the Root CA branch is selected, you can see "CDP Location #2 Expired". It expired last month. This is a HTTP location (one of 2 HTTP locations that are present):
In the second, when the "Issuing CA (V7.0)" branch is selected, you can see a bunch of items expiring:
The AIA locations and CA Certs themselves won't expire for 19 more years.
I'm uncertain as to why we have 2 Issuing CA branches under the Root CA (V0.0 and V7.0?), and very curious as to what I am missing or what I may have done incorrectly to have expired/expiring items remaining. I realize that the MMC snap-in isn't totally reliable, so I'm looking for ways to verify the integrity of PKI across the domain and be sure that I haven't messed anything up. I would also like to retire the old CA, but want to make sure I decommission it in such a way that there is no impact on the production environment.
Any insight would be more than appreciated.
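One way to verify CDP health independently of the Enterprise PKI snap-in, as an added example that is not part of the original post: the script below reads the CRL Distribution Points extension from a CA certificate, downloads the CRL from each HTTP CDP, and reports ThisUpdate/NextUpdate against the current time. It assumes certutil.exe is available, that the CRL dates it prints parse with [datetime]::Parse on your locale, and that the certificate path is a placeholder you replace with your own; LDAP CDPs are not checked here.

```powershell
# Added example: check each HTTP CDP URL in a CA certificate for a current CRL.
# Assumption: certutil.exe (ADCS tools) is installed; $CertPath is a placeholder.
param(
    [string]$CertPath = 'C:\Windows\System32\CertSrv\CertEnroll\IssuingCA.cer'  # placeholder
)

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath

# OID 2.5.29.31 is CRL Distribution Points; Format($true) prints one "URL=..." per line
$cdpExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
if (-not $cdpExt) { Write-Warning "No CDP extension in $CertPath"; return }

# Keep only HTTP(S) distribution points; ldap:/// entries are skipped in this check
$urls = [regex]::Matches($cdpExt.Format($true), 'URL=(https?://\S+)') |
        ForEach-Object { $_.Groups[1].Value }

$results = foreach ($url in $urls) {
    $tmp = Join-Path $env:TEMP ('cdp_' + [guid]::NewGuid() + '.crl')
    try {
        Invoke-WebRequest -Uri $url -OutFile $tmp -UseBasicParsing -ErrorAction Stop
        # certutil -dump prints "ThisUpdate:" and "NextUpdate:" lines for a CRL
        $dump = certutil.exe -dump $tmp 2>&1 | Out-String
        $thisUpdate = [datetime]::Parse([regex]::Match($dump, 'ThisUpdate:\s*(.+)').Groups[1].Value.Trim())
        $nextUpdate = [datetime]::Parse([regex]::Match($dump, 'NextUpdate:\s*(.+)').Groups[1].Value.Trim())
        $status = if ($nextUpdate -lt (Get-Date)) { 'EXPIRED' }
                  elseif ($nextUpdate -lt (Get-Date).AddDays(3)) { 'EXPIRING' }
                  else { 'OK' }
        [pscustomobject]@{ URL = $url; ThisUpdate = $thisUpdate; NextUpdate = $nextUpdate; Status = $status }
    } catch {
        # Unreachable or unparsable CDP is itself a finding: clients cannot get a fresh CRL from it
        [pscustomobject]@{ URL = $url; ThisUpdate = $null; NextUpdate = $null; Status = "UNREACHABLE ($($_.Exception.Message))" }
    } finally {
        Remove-Item $tmp -ErrorAction SilentlyContinue
    }
}

$results | Format-Table -AutoSize
```

Run it once against the root CA certificate and once against each issuing CA certificate; for a full chain check including AIA and LDAP retrieval, `certutil -verify -urlfetch <cert.cer>` on a domain member complements this output.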