ADCS CA Server disaster recovery steps when smartcard logon is required but no valid CRL can be published

  • Article

Consider the following disaster recovery scenario:

  • The CA has become temporarily unavailable, the current CRL and Delta CRL have expired and revocation checking is failing which is preventing smartcard logons.
  • You have the private/public key pair of the CA certificate available and want to quickly get a new valid CRL out for revocation checking to start succeeding again.

For this scenario, as long as the private/public key pairs exist you can manually sign a CRL and publish it to get breathing room while you recover the original CA server installation.

Even if it only exists in a PFX file and the original CA server is gone you should still be able to import the PFX file to another server and do the re-signing parts there - the key point is getting an updated valid CRL out that you can publish so that clients and domain controllers can locate CRL's so that CRL-checking will succeed again.

Example: to sign a new CRL that is valid from the current time and 14 days into the future, you can run the following if the private key of the CA that signed the CRL exists locally:

certutil -sign <old expired CRL file.crl> <new valid CRL file.crl> now+14:00 -2.5.29.46

This will produce a new valid CRL file that you can then publish to the CDP locations that are defined on the issued certificates.
The -2.5.29.46 option is optional and removes any references to existing Delta CRL´s from the new CRL so you don't have to worry about having to publish a new Delta CRL if any was present on the old CRL.
You might however opt instead to sign both a new Delta CRL and a new Base CRL and publish both to your CPD's instead of removing the Delta CRL OID (the point being that a new Base CRL that refers to an expired Delta CRL won't help address the problem).

How you publish the CRL depends on the CDP, for an HTTP CDP you would most likely need to manually copy the CRL file to the web server and overwrite the old expired CRL on it.
For an LDAP CDP you should be able to use Certutil to publish the CRL.

Example: to publish the CRL to the issuing SubCA object:

certutil -dspublish <new valid CRL file.crl> <SubCA Name>

This should publish the updated valid CRL to the issuing CA's object in Active Directory.

Further details:
http://blogs.technet.com/b/instan/archive/2008/12/08/requiring-smart-cards-for-logon-avoiding-the-outage-caused-by-expired-crl-s.aspx