I recently had to recreate a CA in an eDir 9.1.3 tree as it had been 10 years and it expired.

I am using certs issued from this CA for some internal web sites that are proxied by Access Manager.

I noticed now with the new certs that NAM is trying to check the revocation status of the cert, which is a good thing.

However, it is using the ldap: URI to do the check, not the http: URI (both are configured as default distribution points in the CRL object).

I have ldap configured to require TLS, so 389 is not allowed, hence, NAM cannot connect and verify the validity of the cert.

My question is, can I just delete the ldap: URI from the CRL Distribution Points and just leave the http: ones in there? Will I break anything? Or do I have to allow LDAP 389 for this? And if I do, is there a way to lock down LDAP so the cleartext URI is only valid for CRL checking?

And if I modify the CRL distribution points, do I have to reissue certs? Or re-distribute the trusted root?
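An added check, not part of the original post: the CRL Distribution Point URIs a verifier such as NAM follows are the ones embedded in the certificate at issuance, so the place to look is the issued cert itself. The script below builds a throwaway self-signed cert with both an ldap: and an http: CDP (all host names and URLs are constructed placeholders) and then lists the URIs the certificate actually carries; point `cdp_uris` at a real cert to see what it embeds.

```shell
#!/bin/sh
# Added example, not from the original post. Requires openssl 1.1.1 or later.
set -e
WORK=$(mktemp -d)

# OpenSSL config for the demo cert. The section form (fullname = @section)
# lets the LDAP URL keep the commas in its DN, which the inline form would split on.
cat > "$WORK/cdp.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_demo
[dn]
CN = intranet.example.test
[v3_demo]
crlDistributionPoints = cdp_sect
[cdp_sect]
fullname = @cdp_names
[cdp_names]
URI.0 = ldap://ldap.example.test/cn=Organizational%20CA%20CRL,cn=CRL%20Container,cn=Security?certificateRevocationList?base
URI.1 = http://pki.example.test/crl/organizational-ca.crl
EOF

# Issue the demo cert (RSA 2048, self-signed, valid 1 day). The CDP extension is
# written into the certificate here; later edits to a CA's CRL object do not change it.
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/key.pem" \
  -out "$WORK/cert.pem" -days 1 -config "$WORK/cdp.cnf" >/dev/null 2>&1

# Print every CRL DP URI embedded in a certificate, one per line.
cdp_uris() {
  openssl x509 -in "$1" -noout -ext crlDistributionPoints |
    sed -n 's/^[[:space:]]*URI://p'
}

# Count the embedded CDP URIs that use a given scheme (ldap, http, ...).
count_scheme() {
  cdp_uris "$1" | grep -c "^$2:" || true
}

# Show what a revocation checker would see inside this cert.
cdp_uris "$WORK/cert.pem"
```

Run `cdp_uris` against the certs currently served behind NAM: a cert issued before a CDP change still carries the old URI list until it is reissued.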