Migrating a CRL Distribution Point
Certificate Revocation List (CRL) distribution points host files that list the serial numbers of all certificates revoked by the issuing CA. Each issued certificate carries the addresses of the CRL distribution points where a relying party can check whether the certificate is still valid.
April 20, 2015
The location of CRL Distribution Points (CDP – a case where you take one acronym and tuck it inside another) is written into the certificate when the certificate is issued. You configure the CDP location as part of the CA properties.
When a device that consumes a certificate is unable to retrieve a CRL from the designated CDP, the device rejects the certificate as invalid.
Given this, it is not hard to see that the most challenging aspect of CDP migration is the number of certificates in circulation that have the old CDP address hardwired in.
For example, if you used the CA to issue IPsec certificates with a two-year lifespan, at least one of the CDPs referenced in those certificates will need to remain available, otherwise the IPsec certificates won’t be accepted. The reality for most organizations is that they don’t configure alternate CDPs for their CAs; they just use their CAs in the default configuration.
This means that when migrating the CA from Server 2003 to Server 2012 R2, you’ll need to do one of the following:
Plan on reissuing all certificates currently issued by the CA with new CDP information. You can do this using the current CA or the upgraded CA
Keep at least one of the original CDP locations available for the lifetime of any certificate issued by the original CA
Ensure that the new CA has the same identifying information as the original CA
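Before choosing between these options you need to know which CDP URLs are actually baked into the certificates still in use, and how long the longest-lived of them will need the old CDP to stay online. The following PowerShell inventory is an added example, not code from the original article: it walks the local machine's personal certificate store (the store path is an assumption; run it on the machines that hold the certificates you care about), extracts every URL from the CRL Distribution Points extension (OID 2.5.29.31), reports the latest expiry date per CDP URL, and then probes each HTTP CDP to confirm a CRL can be fetched from it.

```powershell
# Added example (not from the original article). Assumes Windows PowerShell 3.0+ and
# certificates in Cert:\LocalMachine\My; the store path is an assumption.

function Get-CertificateCdpUrl {
    param([string]$StorePath = 'Cert:\LocalMachine\My')
    foreach ($cert in Get-ChildItem -Path $StorePath) {
        # OID 2.5.29.31 is the CRL Distribution Points extension
        $cdpExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
        if (-not $cdpExt) { continue }
        # Format($true) renders the extension as multi-line text containing "URL=" entries
        $urls = [regex]::Matches($cdpExt.Format($true), 'URL=(\S+)') |
                ForEach-Object { $_.Groups[1].Value }
        foreach ($url in $urls) {
            [pscustomobject]@{
                Subject    = $cert.Subject
                Thumbprint = $cert.Thumbprint
                NotAfter   = $cert.NotAfter
                CdpUrl     = $url
            }
        }
    }
}

function Test-CdpUrl {
    param([Parameter(Mandatory)][string]$Url)
    if ($Url -notmatch '^https?://') {
        # LDAP and file CDPs are not probed here; only HTTP(S) is checked
        return [pscustomobject]@{ CdpUrl = $Url; Reachable = $null; Note = 'not HTTP, skipped' }
    }
    try {
        $resp = Invoke-WebRequest -Uri $Url -UseBasicParsing -TimeoutSec 10
        $ok = ($resp.StatusCode -eq 200 -and $resp.Content.Length -gt 0)
        [pscustomobject]@{ CdpUrl = $Url; Reachable = $ok; Note = "HTTP $($resp.StatusCode)" }
    } catch {
        [pscustomobject]@{ CdpUrl = $Url; Reachable = $false; Note = $_.Exception.Message }
    }
}

# Inventory: which CDP URLs are hardwired into certificates on this machine?
$inventory = Get-CertificateCdpUrl
$inventory | Sort-Object CdpUrl, NotAfter | Format-Table -AutoSize

# The old CDP must stay online at least until the last certificate referencing it expires
$inventory | Group-Object CdpUrl | ForEach-Object {
    [pscustomobject]@{
        CdpUrl       = $_.Name
        Certificates = $_.Count
        LastExpiry   = ($_.Group | Sort-Object NotAfter -Descending | Select-Object -First 1).NotAfter
    }
} | Format-Table -AutoSize

# Reachability check for each distinct HTTP CDP
$inventory.CdpUrl | Sort-Object -Unique | ForEach-Object { Test-CdpUrl -Url $_ } | Format-Table -AutoSize
```

The LastExpiry column is the date you are planning against: if you choose to keep an old CDP location alive, it has to serve a current CRL until that date, and a failed probe in the last table is exactly what relying parties will see as a rejected certificate.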
In the previous articles about upgrading CAs I went through the process of migrating from a CA running Server 2003 that had a specific name to a CA running Server 2012 R2 that had the same name. You’ll probably need to follow this procedure for your CDP as well.
When you are configuring your next CA, ensure that you configure one or more CDPs that are located on computers other than the CA. A single CDP can host CRLs from multiple CAs, so you can even consolidate them if necessary. This way, next time around, you can upgrade or migrate the CDPs as needed independently of the CA.
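An added example of that recommendation, not code from the original article: the CRLPublicationURLs setting on a Windows CA is a list of locations, each prefixed with flag bits that say whether the CA publishes the CRL there and whether the URL is written into the CDP extension of issued certificates. The snippet below contrasts the default-style layout, where issued certificates can only reach a CDP on the CA itself, with a layout that still publishes locally but points issued certificates at an off-box HTTP host. The host name pki.example.com, the CA name Contoso-Issuing-CA, and the assumption that the CA's CertEnroll folder is mirrored to that host are all assumptions for this example.

```powershell
# Added example (not from the original article). Assumes an AD CS CA on Server 2012 R2,
# run from an elevated PowerShell session on the CA. pki.example.com and
# Contoso-Issuing-CA are assumed names.

# Flag values certutil uses in CRLPublicationURLs entries:
#   1 = publish CRLs to this location
#   2 = include this URL in the CDP extension of issued certificates
#   4 = include in the CRL's FreshestCRL extension (delta CRL pointer)
#   8 = publish delta CRLs to this location
# Tokens: %1 = CA server DNS name, %3 = CA name, %8 = CRL name suffix, %9 = delta CRL suffix.

# Default-style layout: the only URL issued certificates carry points at the CA host itself,
# so the CA's name and address are locked in for the lifetime of every certificate it issues.
$onBoxOnly = '1:C:\Windows\system32\CertSrv\CertEnroll\%3%8%9.crl' + "`n" +
             '2:http://%1/CertEnroll/%3%8%9.crl'

# Corrected layout: publish locally as before, but issued certificates reference an
# off-box web host that can be migrated or kept alive independently of the CA.
$localPublish = '1:C:\Windows\system32\CertSrv\CertEnroll\%3%8%9.crl'
$httpCdp      = '2:http://pki.example.com/CertEnroll/%3%8%9.crl'
certutil -setreg CA\CRLPublicationURLs "$localPublish`n$httpCdp"

# The CA service reads this value at start-up, so restart it, then publish a fresh CRL
Restart-Service -Name CertSvc
certutil -CRL

# Confirm the stored configuration
certutil -getreg CA\CRLPublicationURLs

# Confirm the CRL is actually served from the off-box URL that new certificates will carry.
# This assumes the CertEnroll folder is copied or published to pki.example.com.
$caName = 'Contoso-Issuing-CA'
$crlUrl = "http://pki.example.com/CertEnroll/$caName.crl"
$tmp    = Join-Path $env:TEMP "$caName.crl"
Invoke-WebRequest -Uri $crlUrl -UseBasicParsing -OutFile $tmp
certutil -dump $tmp   # shows issuer, this/next update and the revoked serial numbers
```

Only certificates issued after this change carry the new URL; anything issued earlier still references whatever CDP was configured at the time, which is why the article's three options apply to the existing population.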