This is part Oops of the Building a CA Hierarchy series. If you're just starting, you might want to read the other parts:
In the first four parts of my series on configuring Windows 2003 Certificate Authorities I configured the AIA and the CDP as shown here:
Turns out there's one major problem with this. When you renew the CA certificate, the AIA and CDP break.
The fix is to change the configuration so that for the AIA, we include the CertificateName variable in each path (in the same place in each file name); for the CDP, we include the CRLNameSuffix variable. Each of these adds the certificate number to the path.
My new AIA paths for Certificate #1 will therefore be:
- http://pki.pdconsec.net/PDConSec-RootCA(1).CRT for the root CA
- http://pki.pdconsec.net/PDConSec-CA1(1).CRT for the first CA
- http://pki.pdconsec.net/PDConSec-CA2(1).CRT for the second CA
The CRL paths will have the same formats:
- http://pki.pdconsec.net/PDConSec-RootCA(1).CRL for the root CA
- http://pki.pdconsec.net/PDConSec-PolicyCA1(1).CRL for the first CA
- http://pki.pdconsec.net/PDConSec-PolicyCA2(1).CRL for the second CA
To get around the need to update old certificates, I continue to publish the old CRL to the old path name (it's just a file copy).