Forum Discussion
Certificate Authority Revocation issues: CRL db lost in migration
We currently have a CA which was migrated from a retired server that is no longer available (over 6 months ago now), but the migration was never completed, and the revocation database is missing. We're now experiencing issues with certs issued by the former server, in that the current CA cannot issue renewed certs for them. What is the best approach to this?
- I can create another CA server but what about the root certificate of the current one?
- How do you point renew requests to the new server if there is no revocation DB for the already issued certs?
- What about the current certs issued by the current server if I migrate the current one to a new CA?
- I do have copies of the system32\certsrv folder and a CA backup from the retired server, but this backup was used to migrate the current one, which resulted in its current state. Can the revocation DB just be imported?
Any help would be appreciated! Thanks.
1 Reply
- micheleariis (Steel Contributor)
Hello, prepare a new server with AD CS in “Recovery CA” mode.
- Stop the service (net stop certsvc), then copy the .edb, .log and edb.chk files from the backup to C:\Windows\System32\CertLog.
- Run certutil -recoverdb, then net start certsvc.
- Regenerate the CRL with certutil -crl.
This way you keep the same root cert, renewals will use the CDP/AIA already in DNS and all previous revocations will be available again.
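The steps in the reply above, scripted as one reversible run with checks between them. This is an added example, not code posted by micheleariis or shipped with AD CS. It assumes the retired server's database files were copied to a folder named in `$BackupDir` (a placeholder path), keeps a copy of the current CertLog before overwriting it, and uses `esentutl` to replay the transaction logs and confirm a clean shutdown state before the service reopens the database; the final `certutil -view` query lists revoked entries (disposition 21) as evidence that the revocation data is back.

```powershell
# Added example: restore the CA database files from the old backup, then republish the CRL.
# $BackupDir is an assumed location; point it at the folder holding the .edb, .log and .chk
# files taken from the retired server.
$BackupDir = 'D:\CABackup\CertLog'              # assumption: retired server's CertLog copy
$CertLog   = 'C:\Windows\System32\CertLog'       # default AD CS database location
$Stamp     = Get-Date -Format 'yyyyMMdd-HHmmss'
$SaveDir   = "C:\CA-Recovery\CertLog-before-$Stamp"

$ErrorActionPreference = 'Stop'

# 1. Stop the CA so the ESE database is closed before any file is touched.
Stop-Service -Name certsvc

# 2. Preserve the current (incomplete) database so the change can be rolled back.
New-Item -ItemType Directory -Path $SaveDir -Force | Out-Null
Copy-Item -Path (Join-Path $CertLog '*') -Destination $SaveDir -Recurse -Force

# 3. Bring in the .edb, .log and .chk files from the old backup.
Get-ChildItem -Path $BackupDir -Include *.edb, *.log, *.chk -Recurse |
    Copy-Item -Destination $CertLog -Force

# 4. Replay the transaction logs (the CA's log base name is 'edb') so the database
#    is consistent, then confirm the header reports a clean shutdown.
& esentutl.exe /r edb /l $CertLog /s $CertLog /d $CertLog
if ($LASTEXITCODE -ne 0) { throw "esentutl recovery failed with exit code $LASTEXITCODE" }

$Db = Get-ChildItem -Path $CertLog -Filter *.edb | Select-Object -First 1
if (-not $Db) { throw "No .edb file found in $CertLog" }
$Header = & esentutl.exe /mh $Db.FullName
if (-not ($Header -match 'Clean Shutdown')) {
    throw "Database $($Db.Name) is not in a clean shutdown state; do not start the CA on it"
}

# 5. Start the CA and publish a fresh CRL so it reflects the restored revocation entries.
Start-Service -Name certsvc
& certutil.exe -crl
if ($LASTEXITCODE -ne 0) { throw "CRL publication failed with exit code $LASTEXITCODE" }

# 6. Evidence that revocations are back: list revoked requests (Disposition 21 = revoked).
& certutil.exe -view -restrict 'Disposition=21' -out 'RequestID,SerialNumber'
```

Run it in an elevated PowerShell session on the CA. If step 4 reports a dirty shutdown, the copied log set is incomplete or does not match the .edb; restoring the saved `$SaveDir` contents returns the server to its prior state rather than leaving the CA on a damaged database.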