We are using self-signed certificates for internal development machines and other internal connection encryption.
The certificates were created using Microsoft Certificate Server.
I need to move the certificate server from an old DC to a new DC. I am wondering how long the certificate server can be unavailable before the certificates cannot be verified and connections begin to fail.
I don't believe it is immediate, but I don't recall for sure.
Certificates will begin to fail validation once the published Certificate Revocation List (or Delta CRL, if they're in use) expires or is inaccessible (make sure that not all of your distribution points are on the CA itself). This will depend completely on your configuration, and may be anywhere from under an hour to several months.
The Enterprise PKI snap-in (pkiview.msc) is a good resource for checking the status and expiration times of your CRLs, and you can check their configured lifetimes on the CA. For the standard CRL:
And the delta:
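As an added example (not part of the answer above, and not a Microsoft tool), the following PowerShell script pulls the same information from the command line on the CA: the configured base and delta CRL periods from the CA registry via `certutil -getreg`, and the `NextUpdate` time of each CRL the CA has published, so you can see how much time the migration window has before validation fails. The script name, the `-CertEnrollDir` and `-TestCertPath` parameters, and the assumption that it runs on the CA itself with the default CertEnroll publication folder are all my own; adjust them to your environment.

```powershell
<#
  Get-CrlRuntime.ps1 (hypothetical name; added example, not from the original answer)
  Shows the CA's configured CRL/delta CRL periods and how long the currently
  published CRLs remain valid. Assumes it runs on the CA (certutil -getreg reads
  the local CA configuration) and that CRLs are published to the default
  CertEnroll folder; both are assumptions, not facts from the page.
#>
param(
    # Folder the CA writes its CRL files to; default is the standard CertEnroll location.
    [string]$CertEnrollDir = "$env:SystemRoot\System32\CertSrv\CertEnroll",
    # Optional: path to an issued certificate (.cer) to validate end-to-end,
    # which forces a live fetch of the CDP/AIA URLs from this machine's point of view.
    [string]$TestCertPath
)

function Get-CaRegValue {
    param([string]$Name)
    # certutil -getreg prints lines such as "  CRLPeriodUnits REG_DWORD = 1"
    # or "  CRLPeriod REG_SZ = Weeks"; extract the value after "=".
    $out = certutil -getreg "CA\$Name" 2>&1 | Out-String
    if ($out -match "$Name\s+REG_\w+\s*=\s*(\S+)") { return $Matches[1] }
    return $null
}

function Get-CrlNextUpdate {
    param([string]$CrlFile)
    # certutil -dump on a CRL prints " ThisUpdate: <date>" and " NextUpdate: <date>".
    # The date is in the local format, so [datetime]::Parse uses the current culture.
    $dump = certutil -dump $CrlFile 2>&1 | Out-String
    if ($dump -match 'NextUpdate:\s*([^\r\n]+)') {
        return [datetime]::Parse($Matches[1].Trim())
    }
    return $null
}

# 1. Configured publication periods (what pkiview.msc shows under CRL properties).
$baseUnits  = [int](Get-CaRegValue 'CRLPeriodUnits')
$basePeriod = Get-CaRegValue 'CRLPeriod'
$deltaUnits = [int](Get-CaRegValue 'CRLDeltaPeriodUnits')
$deltaPeriod = Get-CaRegValue 'CRLDeltaPeriod'
Write-Output "Configured base CRL period : $baseUnits $basePeriod"
if ($deltaUnits -gt 0) {
    Write-Output "Configured delta CRL period: $deltaUnits $deltaPeriod"
} else {
    Write-Output "Delta CRLs are not enabled (CRLDeltaPeriodUnits = 0)"
}

# 2. Remaining validity of each published CRL. A delta CRL file is named "<CA name>+.crl";
#    whichever CRL expires first is the deadline for the CA (or a mirror CDP) to be back.
$now = Get-Date
Get-ChildItem -Path $CertEnrollDir -Filter '*.crl' -ErrorAction Stop | ForEach-Object {
    $kind = if ($_.Name -like '*+.crl') { 'delta' } else { 'base ' }
    $next = Get-CrlNextUpdate -CrlFile $_.FullName
    if ($null -eq $next) {
        Write-Output ("{0} CRL {1}: could not read NextUpdate" -f $kind, $_.Name)
        return
    }
    $remaining = $next - $now
    if ($remaining.TotalSeconds -le 0) {
        Write-Output ("{0} CRL {1}: EXPIRED at {2}" -f $kind, $_.Name, $next)
    } else {
        Write-Output ("{0} CRL {1}: valid until {2} ({3:N1} hours left)" -f
            $kind, $_.Name, $next, $remaining.TotalHours)
    }
}

# 3. Optional end-to-end check: -urlfetch makes certutil retrieve the CRL/AIA from the
#    URLs embedded in the certificate, which is what a relying party will do.
if ($TestCertPath) {
    certutil -verify -urlfetch $TestCertPath | Out-Null
    if ($LASTEXITCODE -eq 0) {
        Write-Output "Chain and revocation check for $TestCertPath succeeded"
    } else {
        Write-Output "Chain or revocation check for $TestCertPath FAILED (exit code $LASTEXITCODE)"
    }
}
```

Run it on the CA before the move to get the deadline; the smaller of the base and delta "hours left" values is how long clients keep validating if nothing is republished. If that window is shorter than the migration, publish a fresh CRL (`certutil -CRL`) just before taking the old CA down, or serve the existing CRL file from an HTTP distribution point that is not the CA itself, as the answer suggests.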