Certificate Authority disaster recovery steps when smartcard logon is required but no valid CRL can be published

  • Article

[Editor’s note: this is a reprinted post from the AD Troubleshooting Blog . If you’re not already a subscriber to that blog, you absolutely need to add it to your feed. Ingolfur is a Sr. Support Escalation Engineer in Sweden and a very smart dude - with rather odd hair - who deserves your attention. Make sure you keep this post in your back pocket; if you ever need it, you are going to need it in a hurry – Ned]

Consider the following disaster recovery scenario:

  • The CA has become temporarily unavailable, the current CRL and Delta CRL have expired and revocation checking is failing which is preventing smartcard logons.
  • You have the private/public key pair of the CA certificate available and want to quickly get a new valid CRL out for revocation checking to start succeeding again.

For this scenario, as long as the private/public key pairs exist you can manually sign a CRL and publish it to get breathing room while you recover the original CA server installation. Even if it only exists in a PFX file and the original CA server is gone you should still be able to import the PFX file to another server and do the re-signing parts there - the key point is getting an updated valid CRL out that you can publish so that clients and domain controllers can locate CRL's so that CRL-checking will succeed again.

Example: to sign a new CRL that is valid from the current time and 14 days into the future, you can run the following if the private key of the CA that signed the CRL exists locally:

certutil -sign <old expired CRL file.crl> <new valid CRL file.crl> now+14:00 -2.5.29.46

This will produce a new valid CRL file that you can then publish to the CDP locations that are defined on the issued certificates. The -2.5.29.46 option removes any existing Delta CRL from the new CRL so you don't have to worry about having to publish a new Delta CRL if any was present on the old CRL.

How you publish the CRL depends on the CDP, for an HTTP CDP you would most likely need to manually copy the CRL file to the web server. For an LDAP CDP you should be able to use Certutil to publish the CRL.

Example: to publish the CRL to the issuing SubCA object:

certutil -dspublish <new valid CRL file.crl> SubCA

This should publish the updated valid CRL to the issuing CA's object in Active Directory.

Further details:
https://blogs.technet.com/b/instan/archive/2008/12/08/requiring-smart-cards-for-logon-avoiding-the-outage-caused-by-expired-crl-s.aspx

- Ingolfur Arnar Stangeland