Posted by Joe on March 27, 2007, 3:32 am
> jwdaigle@nospam.nospam says...
>>
>> > jwdaigle@nospam.nospam says...
>> >> I have an Online issuing CA in a server 2003 R2 AD environment. When I
>> >> first brought the CA up, I mistyped the AIA & CDP extensions. I typed
>> >> http::// (note the double ::). I have now seen the error of my ways, so
>> >> went to the CA administration applet, and corrected it.
>> >>
>> >> However, PKIView is not seeing the updates on that same server.
>> >>
>> >> Do I need to somehow republish or reissue the certificate and/or CRL now
>> >> that the correct AIA & CDP URLs are specified?
>> >>
>> >> Thank you for any information,
>> >>
>> >> Joe
>> >>
>> >>
>> >>
>> > If I remember correctly, the PKIView information is
>> > being taken from the latest CA exchange certificate
>> > (validity period is 1 week) issued by the CA.
>> > If you delete the certificate out of the CA's local
>> > machine store, you should request a new one, with the
>> > correct information
>> >
>> > Brian
>>
>> Ah, I see. I have been driving myself crazy trying to figure out how to fix
>> my typing mistake. I would change it, wait for AD to update, and then check
>> pkiview - still the same.
>>
>> But now I notice that all issued certificates have the incorrect AIA & CDP
>> in them (with the double ::). I have 40 workstation authentication
>> certificates that are "wrong". And they don't expire for a year :-(. Is
>> there a way that I can change their expiration date? Maybe I could update
>> the Workstation Authentication template to have them expire in a day or
>> something? Would that work?
>>
>> As far as PKIView, not a big deal, I just checked and the CA Exchange cert
>> expires tomorrow, which if your memory is correct should fix the PKIView
>> issue.
>>
>> Thank you very much for your help,
>>
>> Joe
>>
>>
> Unfortunately, you are going to have to get to the systems and replace
> the certificates. One easy way, if you are using autoenrollment, is to
> create a new certificate template that supersedes the Workstation
> Authentication certificate and enables autoenrollment.
> This will cause the workstations to re-enroll and replace the previous
> (read as bad) certificates.
>
> Brian
Hi Brian - I don't know if this is the "right" thing, but while looking
around, I noticed there is a "reenroll all certificate holders" in
Certtempl.msc. It sounded like what I wanted, so I tried it. It seems that
all the workstations are now enrolling a new certificate, which is what I
think I wanted to do. It appears that it bumps the template version number,
which maybe triggers all the certificates to re-enroll? Don't know, but so
far so good.

I also did it to the CA Exchange template to see if it will fix my
pkiview.msc issue, but it hasn't re-enrolled yet.

Thanks for all your help, it is really cool to have someone with your
knowledge hanging out in this group.

Joe
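As an added example (not part of the thread above), the following PowerShell script inventories which certificates on a machine still carry the mistyped "http::" URL in their AIA or CDP extension, so an administrator can confirm which holders still need to re-enroll after the template is bumped. It assumes it runs on a Windows domain member with the standard Cert: drive; the store list and the pattern are assumptions chosen to match the thread.

```powershell
# Added example: find certificates whose AIA / CDP URLs contain the
# mistyped "http::" scheme described in the thread. Not part of the
# original posts; store names and pattern are assumptions.
$aiaOid      = '1.3.6.1.5.5.7.1.1'      # Authority Information Access
$cdpOid      = '2.5.29.31'              # CRL Distribution Points
$templateOid = '1.3.6.1.4.1.311.21.7'   # Certificate Template Information
$badPattern  = 'http::'                 # the typo being hunted (assumed literal)

# Machine personal store (workstation auth certs) and intermediate CA store
$stores = @('Cert:\LocalMachine\My', 'Cert:\LocalMachine\CA')

$findings = foreach ($store in $stores) {
    foreach ($cert in Get-ChildItem -Path $store) {
        # Template name, if the cert was issued from an enterprise template
        $template = $cert.Extensions |
            Where-Object { $_.Oid.Value -eq $templateOid } |
            ForEach-Object { $_.Format($false) }

        foreach ($ext in $cert.Extensions) {
            if ($ext.Oid.Value -ne $aiaOid -and $ext.Oid.Value -ne $cdpOid) { continue }
            # Format($true) renders the extension as the multi-line text certutil shows,
            # including each URL, so a plain string match is enough here
            $text = $ext.Format($true)
            if ($text -match [regex]::Escape($badPattern)) {
                [pscustomobject]@{
                    Store      = $store
                    Subject    = $cert.Subject
                    Thumbprint = $cert.Thumbprint
                    NotAfter   = $cert.NotAfter
                    Extension  = $ext.Oid.FriendlyName
                    Template   = ($template -join ';')
                }
            }
        }
    }
}

if ($findings) {
    $findings | Sort-Object Store, Subject | Format-Table -AutoSize
    # Distinct templates still issuing bad URLs: these are the ones to re-enroll
    $findings | Select-Object -ExpandProperty Template -Unique
} else {
    'No certificates with a malformed AIA/CDP URL found.'
}
```

Run it again after the workstations have re-enrolled; any certificate still listed has not picked up the corrected template version.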