This is part Oops of the (Legacy) Building a CA Hierarchy series. If you're just starting, you might want to read the other parts:

Part 1. Building the Root CA
Part 2. Configuring the Root CA
Part 3. Building the Enterprise CA
Part 4. Configuring the Enterprise CA
Part Oops. How I Screwed Up


In the first four parts of my series on configuring Windows 2003 Certificate Authorities I configured the AIA and the CDP as shown here:

Turns out there's one major problem with this. When you renew the CA certificate, the AIA and CDP break.

The fix is to change the configuration so that the AIA paths include the CertificateName variable (in the same place in each file name) and the CDP paths include the CRLNameSuffix variable. Each variable inserts the certificate's index number into the path, so a renewed CA certificate and its CRL are published under new file names rather than replacing the ones the existing certificates still point at.

My new AIA paths for Certificate #1 will therefore be:

  • http://pki.pdconsec.net/PDConSec-RootCA(1).CRT for the root CA
  • http://pki.pdconsec.net/PDConSec-CA1(1).CRT for the first CA
  • http://pki.pdconsec.net/PDConSec-CA2(1).CRT for the second CA

The CRL paths follow the same pattern:

  • http://pki.pdconsec.net/PDConSec-RootCA(1).CRL for the root CA
  • http://pki.pdconsec.net/PDConSec-PolicyCA1(1).CRL for the first CA
  • http://pki.pdconsec.net/PDConSec-PolicyCA2(1).CRL for the second CA

To avoid having to reissue the certificates that already point at the old paths, I continue to publish the old CRL to the old path name as well (it's just a file copy).
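As an added example (not from the original post), here are the certutil commands that apply this change on the root CA, assuming the URLs above and that they are typed at an interactive cmd.exe prompt on the CA itself; the same pattern, with the CA1/CA2 file names, applies to the two issuing CAs.

```batch
REM Added example, not part of the original post. Typed interactively at cmd.exe on
REM the root CA; inside a .bat file the %4/%8/%9 tokens must be doubled (%%4 etc.).
REM Flags: 1 = publish to this path, 2 = include the URL in issued certs' AIA/CDP.
REM %4 = CertificateName and %8 = CRLNameSuffix expand to the key index suffix,
REM "(1)", "(2)", ... after each renewal with a new key (empty for the original key);
REM %9 = DeltaCRLAllowed appends "+" to delta CRL file names.

REM AIA: publish the CA certificate locally, reference it by HTTP in issued certs.
certutil -setreg CA\CACertPublicationURLs "1:%WINDIR%\system32\CertSrv\CertEnroll\PDConSec-RootCA%4.crt\n2:http://pki.pdconsec.net/PDConSec-RootCA%4.CRT"

REM CDP: same idea for the CRL; without %8 every renewal overwrites the same file.
certutil -setreg CA\CRLPublicationURLs "1:%WINDIR%\system32\CertSrv\CertEnroll\PDConSec-RootCA%8%9.crl\n2:http://pki.pdconsec.net/PDConSec-RootCA%8%9.CRL"

REM Read back what was stored, then restart the service so new extensions take effect.
certutil -getreg CA\CACertPublicationURLs
certutil -getreg CA\CRLPublicationURLs
net stop certsvc && net start certsvc

REM Publish a fresh CRL under the new name; copy the .crt/.crl files to the web server.
certutil -CRL

REM Check that a certificate issued by this CA can fetch both URLs end to end
REM (issued-cert.cer is a placeholder for any certificate the CA has issued).
certutil -verify -urlfetch issued-cert.cer
```

The last command is the check to run after renewal too: if either the AIA or the CDP URL fails to fetch, the published file names and the configured variables do not match.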