For this scenario, as long as the private/public key pairs exist you can manually sign a CRL and publish it to get breathing room while you recover the original CA server installation. Even if it only exists in a PFX file and the original CA server is gone, you should still be able to import the PFX file to another server and do the re-signing parts there - the key point is getting an updated valid CRL out that you can publish so that clients and domain controllers can locate CRLs and CRL checking will succeed again.
Example: to sign a new CRL that is valid from the current time and 14 days into the future, you can run the following if the private key of the CA that signed the CRL exists locally:
certutil -sign <old expired CRL file.crl> <new valid CRL file.crl> now+14:00 -18.104.22.168
This will produce a new valid CRL file that you can then publish to the CDP locations that are defined on the issued certificates. The -22.214.171.124 option removes any existing Delta CRL from the new CRL so you don't have to worry about having to publish a new Delta CRL if any was present on the old CRL.
How you publish the CRL depends on the CDP, for an HTTP CDP you would most likely need to manually copy the CRL file to the web server. For an LDAP CDP you should be able to use Certutil to publish the CRL.
Example: to publish the CRL to the issuing SubCA object:
certutil -dspublish <new valid CRL file.crl> SubCA
This should publish the updated valid CRL to the issuing CA's object in Active Directory.
- Ingolfur Arnar Stangeland
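The re-sign and publish procedure above, wrapped in a script that also checks the CRL's NextUpdate before and after signing so an operator can confirm the breathing room was actually gained. This is an added example, not code from the comment above; it assumes the signing CA's private key is on the local machine, that certutil -dump prints English "ThisUpdate:" / "NextUpdate:" lines, and that the file names and the extension-removal OID are supplied by the operator (the OID is passed through exactly as given in the comment).

```powershell
# Added example (not from the original comment). Re-signs an expired CRL with
# certutil, verifies the new NextUpdate, and optionally publishes it to AD.
# Assumptions: CA private key present locally; certutil -dump output in English;
# all paths and the $RemoveExtension OID are operator-supplied placeholders.
param(
    [Parameter(Mandatory)] [string] $OldCrl,     # expired CRL, e.g. .\old.crl
    [Parameter(Mandatory)] [string] $NewCrl,     # re-signed output, e.g. .\new.crl
    [int]    $ValidDays = 14,                    # matches "now+14:00" in the comment
    [string] $RemoveExtension = '',              # OID to strip, as given in the comment
    [string] $DsTarget = 'SubCA',                # certutil -dspublish target object
    [switch] $Publish
)

# Parse ThisUpdate/NextUpdate out of certutil's text dump of a CRL file.
function Get-CrlValidity([string] $Path) {
    $dump = (certutil -dump $Path) | Out-String
    if ($LASTEXITCODE -ne 0) { throw "certutil -dump failed for ${Path}: $dump" }
    $thisUpd = [regex]::Match($dump, 'ThisUpdate:\s*(.+)').Groups[1].Value.Trim()
    $nextUpd = [regex]::Match($dump, 'NextUpdate:\s*(.+)').Groups[1].Value.Trim()
    [pscustomobject]@{
        ThisUpdate = [datetime]::Parse($thisUpd)
        NextUpdate = [datetime]::Parse($nextUpd)
    }
}

$old = Get-CrlValidity $OldCrl
Write-Host ("Old CRL NextUpdate {0} (expired: {1})" -f $old.NextUpdate, ($old.NextUpdate -lt (Get-Date)))

# Re-sign with a fresh validity window starting now. The extension-removal
# argument ("-<OID>") is appended only if the operator supplied one.
$signArgs = @('-sign', $OldCrl, $NewCrl, "now+${ValidDays}:00")
if ($RemoveExtension) { $signArgs += "-$RemoveExtension" }
& certutil @signArgs
if ($LASTEXITCODE -ne 0) { throw 'certutil -sign failed' }

# Verify the result before publishing anything: NextUpdate must be in the future.
$new = Get-CrlValidity $NewCrl
if ($new.NextUpdate -le (Get-Date)) { throw "Re-signed CRL is not valid: NextUpdate $($new.NextUpdate)" }
Write-Host "New CRL valid until $($new.NextUpdate)"

# LDAP CDP: publish to the issuing CA object. HTTP CDPs need a manual file copy instead.
if ($Publish) {
    & certutil -dspublish $NewCrl $DsTarget
    if ($LASTEXITCODE -ne 0) { throw 'certutil -dspublish failed' }
}
```

Run it first without -Publish to confirm the new NextUpdate, then rerun with -Publish (or copy the file to the HTTP CDP) once the output looks right.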