I have recently migrated our Enterprise Sub Issuing CA from 2008r2 to 2012. Everything went well... Or so I thought. This is the guide I followed: http://technet.microsoft.com/en-us/library/ee126170(WS.10).aspx
It seems like the CRL check is failing for certificates issued prior to the migration.
Sample certificate used for testing. Running certutil -verify <cert.cer>:
Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
Element.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
Element.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
---------------- Certificate AIA ----------------
Wrong Issuer "Certificate (0)" Time: 0
[0.0] ldap:///CN=XXXXX,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=XXX,DC=se?cACertificate?base?objectClass=certificationAuthority
Verified "Certificate (1)" Time: 0
[0.1] ldap:///CN=XXXXX,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=XXX,DC=se?cACertificate?base?objectClass=certificationAuthority
---------------- Certificate CDP ----------------
No IDP Intersection "Base CRL (0140)" Time: 0
[0.0] ldap:///CN=XXXXX,CN=XXXX,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=XXX,DC=XX?certificateRevocationList?base?objectClass=cRLDistributionPoint
Verified "Delta CRL (0140)" Time: 0
[0.0.0] ldap:///CN=XXXXXX,CN=XXXX,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=XXXX,DC=XX?deltaRevocationList?base?objectClass=cRLDistributionPoint
Verified "Delta CRL (0140)" Time: 0
[0.0.1] http://pki.domain.com/XXXXXX+.crl
No IDP Intersection "Base CRL (0140)" Time: 0
[1.0] http://pki.domain.com/XXXXXX.crl
Verified "Delta CRL (0140)" Time: 0
[1.0.0] ldap:///CN=XXXXX,CN=XXXX,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=XXX,DC=XX?deltaRevocationList?base?objectClass=cRLDistributionPoint
Verified "Delta CRL (0140)" Time: 0
[1.0.1] http://pki.domain.com/XXXXXX+.crl
---------------- Base CRL CDP ----------------
OK "Delta CRL (0140)" Time: 0
[0.0] ldap:///CN=XXXXX,CN=XXXXX,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=XXX,DC=XX?deltaRevocationList?base?objectClass=cRLDistributionPoint
OK "Delta CRL (0140)" Time: 0
[1.0] http://pki.domain.com/XXXXXX+.crl
---------------- Certificate OCSP ----------------
Verified "OCSP" Time: 0
[0.0] http://pki.domain.com/ocsp
I have not renewed any CA certificates during the migration.
In Enterprise PKI view everything is OK. All locations are just like before, they all work, and I can access them both from the server and from clients.
"View CRLs" on "Revoked Certificates - Properties" shows status OK on all keys and on both delta and base.
Running certutil -url <url> and providing a "pre-migration" certificate shows "VERIFIED" on the Delta location, but all base locations say "No IDP Intersection" ???
I have tried to republish the CRL both to the local store and to the domain store. I suspect the problem is located in the CDP store somehow, but I actually do not know.
Please let me know if you have any slight clue of what it might be.
--- Update
Just found this difference in the binary data for the old and new certificates.
Old:
2.5.29.31: Flags = 0, Length = f3
CRL Distribution Points
[1]CRL Distribution Point
Distribution Point Name:
Full Name:
URL=ldap:///CN=CAXxxx(1),CN=CAxxx,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=domain,DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint
URL=http://pki.domain.com/CAXxxx(1).crl
New:
2.5.29.31: Flags = 0, Length = e7
CRL Distribution Points
[1]CRL Distribution Point
Distribution Point Name:
Full Name:
URL=ldap:///CN=CAXxxx(1),CN=CAxxx,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=Domain,DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint
URL=http://pki.domain.com/CAXxxx(1).crl
Would this mean something? Does it have anything to do with the new features of 2012 with international language support?
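As an added illustration (not code from the post or from Microsoft), the following Python models the CDP/IDP name intersection check of RFC 5280 section 6.3.3 using URLs shaped like the Old/New dumps above. It assumes a byte-exact comparison and an IDP that carries only the LDAP name; both are constructed assumptions made to reproduce the "No IDP Intersection" symptom, not documented behaviour.

```python
"""Exact vs. normalized intersection of a certificate's CDP URLs with a
CRL's Issuing Distribution Point (IDP) URLs. Constructed example, not code
from the post. Treating the matcher as byte-exact and the IDP as holding
only the LDAP name are assumptions made to reproduce the symptom."""
from urllib.parse import unquote

LDAP_DP = ("ldap:///CN=CAXxxx(1),CN=CAxxx,CN=CDP,CN=Public%20Key%20Services,"
           "CN=Services,CN=Configuration,DC=domain,DC=com"
           "?certificateRevocationList?base?objectClass=cRLDistributionPoint")
HTTP_DP = "http://pki.domain.com/CAXxxx(1).crl"

# Constructed: CDP extension of a certificate issued before the migration.
OLD_CERT_CDP = [LDAP_DP, HTTP_DP]
# Constructed: IDP of a CRL the old CA published (assumption: only the LDAP
# name is flagged for inclusion in the CRL's IDP).
OLD_CRL_IDP = [LDAP_DP]
# Constructed: IDP of a CRL from the migrated CA, encoded as in the "New" dump.
NEW_CRL_IDP = [LDAP_DP.replace("%20", " ").replace("DC=domain", "DC=Domain")]


def normalize(url, decode=False, fold_case=False):
    """Optionally percent-decode and case-fold a distribution point URL."""
    if decode:
        url = unquote(url)
    if fold_case:
        url = url.casefold()
    return url


def idp_intersection(cert_cdp, crl_idp, decode=False, fold_case=False):
    """Return (cdp_url, idp_url) pairs equal under the chosen normalization.
    RFC 5280 6.3.3(b)(2)(i) needs at least one such pair for the CRL to be
    usable for this certificate."""
    return [(c, i) for c in cert_cdp for i in crl_idp
            if normalize(c, decode, fold_case) == normalize(i, decode, fold_case)]


def diagnose(cert_cdp, crl_idp):
    """Classify why a strict intersection check fails, if it does."""
    if idp_intersection(cert_cdp, crl_idp):
        return "OK"
    if idp_intersection(cert_cdp, crl_idp, decode=True):
        return "No IDP Intersection: names differ only in percent-encoding"
    if idp_intersection(cert_cdp, crl_idp, decode=True, fold_case=True):
        return "No IDP Intersection: names differ only in percent-encoding and case"
    return "No IDP Intersection: no name in common"


if __name__ == "__main__":
    print("pre-migration CRL :", diagnose(OLD_CERT_CDP, OLD_CRL_IDP))
    print("post-migration CRL:", diagnose(OLD_CERT_CDP, NEW_CRL_IDP))
```

A real certificate's CDP and a real CRL's IDP can be dumped with certutil -dump, as in the post, and compared the same way.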