Root CA vs MultiCert - wrong subscribe CRL files

Thread starter: Ilya Lubimov (Guest)
Good day to all.

We have deployed a standalone root CA for our network and a sub CA in the AD infrastructure. At some point in time, when the sub CA reboots it can't start; the reason: no CDP is accessible. I looked at the CRL files on the CDP and saw that they were very old, so I refreshed them from the root CA. At this point the PKI msc console shows that the CRL files are not old, but not accessible! I ran certutil -verify crl crt and got that my CA didn't create that CRL file (What!?) and the CA key ID is not equal to the key ID. So now I see that the CRL CA version is 0.0, the root CA cert has CA Version 1.1, and the second (old) certificate on the CA has CA version 0.0.

I have an older CRL file that has CA version 1.1. So what's wrong? What happened so that the CA now uses its old cert (valid till 2024) and not the newest one (valid till 2039)?

certutil -verify crl cert_2039 result:

The name of the subject of the CA corresponds to the name of the provider CRL
ERROR: CA did not issue this CRL: signature verification failed
ERROR: CA key ID does not match key ID
No key center name
No key center serial number
WARNING. CRL CA version does not match certificate CA version

CertUtil: -verify command NOT COMPLETE: 0x8007000d (WIN32: 13 ERROR_INVALID_DATA)
CertUtil: Invalid data.

certutil -verify crl cert_2024 result:

The name of the subject of the CA corresponds to the name of the provider CRL
CRL Signature Valid
The key ID of the CA corresponds to the key ID
No key center name
No key center serial number

ARootCA.crl is a certificate issued by. \ ARootCA.crt
CertUtil: -verify - command completed successfully.


How can I switch the CA to cert-39?

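The post runs certutil -verify by hand against one CRL and one CA certificate at a time. The script below is an added example, not code from the original post or from Microsoft; it automates the same check across every CRL file on the CDP and every certificate the root CA has had, so the key-ID mismatch shown above is found without guessing. The CDP folder and the two exported root CA certificate files are assumptions (hypothetical names); substitute the real ones. It relies only on certutil's exit code and on the .NET X509Certificate2 class, both of which exist on any Windows machine with the certificate tools.

```powershell
# Added example (not from the original post). Paths are hypothetical.
# Checks which root CA key signed each CRL on the CDP, using certutil -verify
# exactly as the post does, and prints the Subject Key Identifier of each CA cert
# (this is the value certutil compares as the "CA key ID").

$CdpPath = '\\cdp\PKI'                                    # assumption: the CDP folder the sub CA fetches from
$CaCerts = @('.\ARootCA_2024.crt', '.\ARootCA_2039.crt')  # assumption: both root CA certs exported from the CA

# Subject Key Identifier and validity of one CA certificate.
function Get-CaCertInfo {
    param([string]$CertPath)
    $full = (Resolve-Path $CertPath).Path
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $full
    $ski  = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509SubjectKeyIdentifierExtension] }
    [pscustomobject]@{
        File     = Split-Path -Leaf $CertPath
        NotAfter = $cert.NotAfter
        KeyId    = if ($ski) { $ski.SubjectKeyIdentifier } else { '(no SKI extension)' }
    }
}

# Show the key IDs so the "CA key ID does not match key ID" error can be matched to a certificate.
$CaCerts | ForEach-Object { Get-CaCertInfo $_ } | Format-Table -AutoSize

# For every CRL on the CDP, find the CA certificate whose key actually signed it.
foreach ($crl in Get-ChildItem -Path $CdpPath -Filter '*.crl') {
    $signer = $null
    foreach ($crt in $CaCerts) {
        # certutil -verify exits 0 only when the CRL signature verifies with this
        # certificate's key and the key IDs match (the success case in the post).
        & certutil.exe -verify $crl.FullName $crt *> $null
        if ($LASTEXITCODE -eq 0) { $signer = $crt; break }
    }
    if ($signer) {
        '{0}: signed by the key of {1}' -f $crl.Name, (Split-Path -Leaf $signer)
    } else {
        '{0}: not signed by any known root CA key (stale or foreign CRL)' -f $crl.Name
    }
}
```

A CA that has been renewed with a new key pair keeps signing CRLs with each of its keys, and the files for the later keys carry a name suffix such as `ARootCA(1).crl`; certificates issued under the new key point at that suffixed file in their CDP extension, so copying only the unsuffixed CRL (signed by the 2024 key) leaves the sub CA with no valid CRL for its own chain. Running `certutil -CRL` on the root CA regenerates the CRL for every key it holds; copy all of the resulting files to the CDP, then rerun the script above to confirm each one verifies against the expected certificate.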
