I have been asked to implement a PKI infrastructure for my company to allow IAS (802.11x) authentication, EFS, SSL (internal only) and code signing. My thought is to create a two-tier solution. But my big question is about the offline root. I want to have an offline root so I can revoke the issuing CA in case of a compromise, but how do I handle the CRL.
The way I started configuring the root (based on Microsoft's best practice document) was to have the CRL produced every 26 weeks. The CRL will be referenced in the certs as being available via LDAP. So I am thinking that I will need to, every 26 weeks, power on the offline root, force a CRL production, copy the file to a domain computer and upload it into AD. IS that right?
Is there a way to have an indefinite life time? Business-wise what I am looking for is a way to publish the base CRL and then only issue new ones when I actually revoke a sub. ca cert. I do not perceive that I will need to revoke a sub. ca cert, but I want that capability.
Any thoughts? Am I stuck with remembering to power on the offline CA every 6 months and getting the new CRL?
Publication intervals depend on:
- Client Operating Systems
- CRL retrieval network load
- Delta CRL size
- Frequency at which certificates are revoked
- Replication Latency
- Registry settings:
Is there a way to have an indefinite life time?
No, you have to publish CRL at regular intervals that correspond to the CRL publication interval value. The actual offline CRL publication should be performed at a minimum of several days before the actual expiration of the previously issued CRL. This should be performed to provide a safety factor in case the offline root CA has a hardware or publication failure.
Please ensure that publishing the offline CRL at least several days before the previously issued CRL is set to expire. When the publication interval of the CRL has expired, the CA will be unable to validate the revocation list. Adequate time should be allotted to ensure that any errors or failures can be corrected and to enable actual publication and replication of the CRL to all CDP locations.
Parameters Set During CA configuration--->CRL Settings
Hope it helps.