Hi Technet,
I'm currently in the process of setting up a new subordinate CA. We're using our current OpenSSL root CA to sign the CSR for our Windows Subordinate CA. Unfortunately we're having a few issues with duplicate subordinate certificates. So far I've:
1) I set up the host and created a CSR which was passed over to be signed via the Root CA
2) The root CA signed the CSR and set http locations for AIA and CRL
3) The signed CSR was then uploaded onto the subordinate CA
Unfortunately, once uploaded we found that there were a few issues with the CRL location, so the original CSR was resigned with the new CRL location set and then uploaded to the subordinate. Long story short, we've ended up with 3 certificates on our subordinate CA, and we can't seem to revoke the 2 incorrect certs (containing the incorrect CRL locations):
[screenshot of the three CA certificates]
So from the root CA we've revoked cert #0 and #1. If I go to the CRL location I can see that the CRLs for the old certs are showing. I've uploaded the CRL to C:\Windows\System32\CertSrv\CertEnroll and can see the updated CRL via MMC > Intermediate CAs > Certificate Revocation List. Unfortunately the certificates still appear under the properties > general tab on the certificate authority as per the above. They're not showing as revoked.
I've tried removing the certificates from MMC > Personal > Certificates and from C:\Windows\System32\CertSrv\CertEnroll but they instantly reappear. Worth noting that the only location we publish CRLs to is a webpage.
Any help on this would be greatly appreciated.
Apologies, my knowledge of Windows PKI is fairly limited. There may be something very obvious that I'm not currently doing.
Thanks,
R
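The root-CA side of the sequence described in the post above, reproduced as an added lab example (this is not the poster's setup or commands): an OpenSSL root signs the same subordinate CSR twice, first with the wrong CRL URL and then with the corrected one, revokes the first certificate, publishes a CRL, and checks the outcome with `openssl verify -crl_check`. It shows the property behind the symptom: certificates issued from the same CSR share one public key but get different serials, and a CRL revokes a serial, not the key, so the second certificate stays valid while the first is rejected only by a relying party that actually fetches and checks the CRL. Every name, URL and path here (Lab Root CA, Lab Sub CA, pki.lab.test, the scratch directory) is made up for the example; it needs only a POSIX shell and openssl.

```shell
#!/bin/sh
# Added lab, not the poster's environment: an OpenSSL root CA signs one
# subordinate CSR twice (wrong CRL URL, then corrected), revokes the first
# certificate, publishes a CRL and checks the result. Every name, URL and
# path is made up for the lab. Needs only a POSIX shell and openssl.
set -eu

run_lab() {                              # builds the whole lab in a fresh tmp dir
  WORK=$(mktemp -d); CNF="$WORK/root/openssl.cnf"
  mkdir -p "$WORK/root/newcerts" "$WORK/sub"
  : > "$WORK/root/index.txt"; echo 1000 > "$WORK/root/serial"; echo 1000 > "$WORK/root/crlnumber"
  cat > "$CNF" <<EOF
[ req ]
prompt = no
distinguished_name = req_dn
[ req_dn ]
CN = Lab Root CA
[ root_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ ca ]
default_ca = lab_root
[ lab_root ]
dir = $WORK/root
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
crlnumber = \$dir/crlnumber
certificate = \$dir/root.crt
private_key = \$dir/root.key
default_md = sha256
default_days = 1825
default_crl_days = 30
unique_subject = no
policy = policy_any
[ policy_any ]
commonName = supplied
[ sub_ca_old_cdp ]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
crlDistributionPoints = URI:http://pki.lab.test/old/root.crl
authorityInfoAccess = caIssuers;URI:http://pki.lab.test/root.crt
[ sub_ca_new_cdp ]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
crlDistributionPoints = URI:http://pki.lab.test/crl/root.crl
authorityInfoAccess = caIssuers;URI:http://pki.lab.test/root.crt
EOF
  # Self-signed lab root, then one subordinate key + CSR (as made on the Windows host).
  openssl req -x509 -config "$CNF" -extensions root_ext -newkey rsa:2048 -nodes -sha256 \
    -days 365 -keyout "$WORK/root/root.key" -out "$WORK/root/root.crt" 2>/dev/null
  openssl req -new -config "$CNF" -subj "/CN=Lab Sub CA" -newkey rsa:2048 -nodes \
    -keyout "$WORK/sub/sub.key" -out "$WORK/sub/sub.csr" 2>/dev/null
  issue_sub_cert sub-v1 sub_ca_old_cdp   # same CSR signed twice: one key,
  issue_sub_cert sub-v2 sub_ca_new_cdp   # two certificates, two serials
  openssl ca -config "$CNF" -revoke "$WORK/sub/sub-v1.crt" 2>/dev/null    # revoke by serial
  openssl ca -config "$CNF" -gencrl -out "$WORK/root/root.crl" 2>/dev/null  # publish CRL
}

issue_sub_cert() {   # $1 = output name, $2 = extension section in $CNF
  openssl ca -batch -notext -config "$CNF" -extensions "$2" \
    -in "$WORK/sub/sub.csr" -out "$WORK/sub/$1.crt" 2>/dev/null
}
cert_serial() {      # hex serial of sub/$1.crt, e.g. 1000
  openssl x509 -in "$WORK/sub/$1.crt" -noout -serial | cut -d= -f2
}
same_key() {         # yes/no: do sub/$1.crt and sub/$2.crt carry the same public key?
  a=$(openssl x509 -in "$WORK/sub/$1.crt" -noout -pubkey | openssl dgst -sha256)
  b=$(openssl x509 -in "$WORK/sub/$2.crt" -noout -pubkey | openssl dgst -sha256)
  [ "$a" = "$b" ] && echo yes || echo no
}
crl_lists_serial() { # exit 0 if the published CRL revokes hex serial $1
  openssl crl -in "$WORK/root/root.crl" -noout -text | grep -q "Serial Number: $1\$"
}
check_status() {     # valid | revoked | error: what a CRL-checking relying party sees
  if out=$(openssl verify -crl_check -CAfile "$WORK/root/root.crt" \
           -CRLfile "$WORK/root/root.crl" "$WORK/sub/$1.crt" 2>&1); then
    echo valid
  else case "$out" in *"certificate revoked"*) echo revoked ;; *) echo "error: $out" ;; esac
  fi
}

run_lab
printf 'same key in sub-v1 and sub-v2: %s\n' "$(same_key sub-v1 sub-v2)"
for c in sub-v1 sub-v2; do
  printf '%s serial=%s crl-checked=%s\n' "$c" "$(cert_serial "$c")" "$(check_status "$c")"
done
```

Run it with `sh`; it prints whether the two certificates share a key, then each certificate's serial and its status as seen by a verifier that checks the CRL. Note what the CRL does and does not do: an entry on it makes relying parties reject the old serial, but it does not remove that certificate from wherever it has been stored, which is consistent with the old certificates still being listed on the CA's properties tab after the parent revoked them.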