Disclaimer: All postings are provided "AS IS" with no warranties, and confer no rights. This weblog does not represent the thoughts, intentions, plans or strategies of Microsoft. Because a weblog is intended to provide a semi-permanent point-in-time snapshot, you should not consider out of date posts to reflect current thoughts and opinions.
Consider the following disaster recovery scenario:
For this scenario, as long as the private/public key pairs exist you can manually sign a CRL and publish it to get breathing room while you recover the original CA server installation.
Even if it only exists in a PFX file and the original CA server is gone you should still be able to import the PFX file to another server and do the re-signing parts there - the key point is getting an updated valid CRL out that you can publish so that clients and domain controllers can locate CRL's so that CRL-checking will succeed again.
Example: to sign a new CRL that is valid from the current time and 14 days into the future, you can run the following if the private key of the CA that signed the CRL exists locally:
certutil -sign <old expired CRL file.crl> <new valid CRL file.crl> now+14:00 -18.104.22.168
This will produce a new valid CRL file that you can then publish to the CDP locations that are defined on the issued certificates.The -22.214.171.124 option is optional and removes any references to existing Delta CRL´s from the new CRL so you don't have to worry about having to publish a new Delta CRL if any was present on the old CRL.You might however opt instead to sign both a new Delta CRL and a new Base CRL and publish both to your CPD's instead of removing the Delta CRL OID (the point being that a new Base CRL that refers to an expired Delta CRL won't help address the problem).
How you publish the CRL depends on the CDP, for an HTTP CDP you would most likely need to manually copy the CRL file to the web server and overwrite the old expired CRL on it.For an LDAP CDP you should be able to use Certutil to publish the CRL.
Example: to publish the CRL to the issuing SubCA object:
certutil -dspublish <new valid CRL file.crl> <SubCA Name>
This should publish the updated valid CRL to the issuing CA's object in Active Directory.