Publishing CRLs to multiple forests


  • Heyo!

    :D So now I have a proper two-tier PKI configured, with an Offline Root CA and a Sub CA.

    I configured my new Sub CA in the new Forest/Datacenter I was building for a complete overhaul of the AD here.

    I decided to quickly google this question and came across this Technet Post.

    The difference here is that I have an existing Enterprise Root in the old domain forest. I don't have too much interest in re-deploying it as a Sub CA; instead I'd much rather have any new servers/services hosted in my new domain, and use IDGLA cross-forest group nesting to accomplish my access permissions.

    The thing is, most of my end users' systems are still joined to the old domain. It's all part of my side-by-side migration plan to eventually move all user accounts and computer-joined systems to the new domain; I just have a couple more servers and services to migrate and configure accordingly (all this stuff takes a good amount of time to do properly).

    So, here's what I figured: I could take my new Offline-Root-CA and my new Sub-Root-CA and publish them in the old forest using the certutil -dspublish command. That's easy enough to make sure that chain validation will be fine and trusted, but what about the CRL? Sure enough, this is where the linked Technet post comes in. In short, the answer is:

    "When you have two or more forests, you should really only be using HTTP URLs for the CRLs.

    The HTTP location should be both internally and externally accessible (from both forests).

    You see what happens from your errors when you get into LDAP with the AD integration.

    You could place two LDAP URLs, but then you are choosing which forest will suffer through a non-access error (the second place URL).

    So, go with HTTP only"

    Now, the HTTP location I have specified is available to all systems in both forests, with that record being marked as available to all issued certificates. Am I safe to assume that revocation checks would fail for LDAP but succeed for HTTP?

    Would this still be the case even with a full two-way trust between forests? Both forest domains are reachable from each other...

    • Edited by Zewwy Monday, April 16, 2018 4:13 PM
    Friday, April 13, 2018 7:22 PM
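
The publish-into-the-other-forest step the post describes, as an added example that is not code from the original post: it pushes the new Offline Root CA and Sub CA certificates and CRLs into the old forest's Configuration NC with certutil -dspublish, then checks the chain and every AIA/CDP URL from a client. The DC name, file paths and CA host names are assumed placeholders, and the shell is assumed to hold Enterprise Admin rights in the old forest.

```powershell
# Added example, not code from the original post. Publishes the new forest's two-tier
# PKI (Offline Root CA + Sub CA certs and CRLs) into the OLD forest's Configuration NC
# with certutil -dspublish, then checks the chain and revocation fetch end to end.
# Assumptions (placeholders, not from the thread): the DC name, file paths and CA host
# names below; the shell holds Enterprise Admin rights in the old forest, e.g. started
# with:  runas /netonly /user:OLDFOREST\ent-admin powershell.exe
$ErrorActionPreference = 'Stop'

$OldForestDC = 'dc01.old.example.local'        # assumed: a DC in the old forest
$RootCert    = 'C:\PKI\Offline-Root-CA.crt'    # assumed: exported Root CA certificate
$RootCrl     = 'C:\PKI\Offline-Root-CA.crl'    # assumed: exported Root CA CRL
$RootHost    = 'OFFLINEROOT'                   # assumed: Root CA machine name (CDP container CN)
$SubCert     = 'C:\PKI\Sub-CA.crt'             # assumed: exported Sub CA certificate
$SubCrl      = 'C:\PKI\Sub-CA.crl'             # assumed: exported Sub CA CRL
$SubHost     = 'SUBCA01'                       # assumed: Sub CA machine name (CDP container CN)

# Small wrapper so a failed certutil call stops the script instead of being silently skipped.
function Invoke-CertUtil {
    param([Parameter(Mandatory)][string[]]$Arguments)
    & certutil.exe @Arguments
    if ($LASTEXITCODE -ne 0) { throw "certutil $($Arguments -join ' ') failed with exit code $LASTEXITCODE" }
}

# 1. Root CA certificate -> CN=Certification Authorities and CN=AIA in the old forest.
#    -dc targets a DC of the old forest; -f creates the DS objects if they do not exist.
Invoke-CertUtil @('-dc', $OldForestDC, '-dspublish', '-f', $RootCert, 'RootCA')

# 2. Sub CA certificate -> CN=AIA. Add the NTAuthCA line only if the Sub CA must be trusted
#    for logon certificates (smart card / domain controller auth) in the old forest.
Invoke-CertUtil @('-dc', $OldForestDC, '-dspublish', '-f', $SubCert, 'SubCA')
# Invoke-CertUtil @('-dc', $OldForestDC, '-dspublish', '-f', $SubCert, 'NTAuthCA')

# 3. CRLs -> CN=<CA host>,CN=CDP,CN=Public Key Services. This is what makes an ldap:/// CDP
#    resolvable for clients of the old forest; it must be repeated every time a CRL is reissued.
Invoke-CertUtil @('-dc', $OldForestDC, '-dspublish', '-f', $RootCrl, $RootHost)
Invoke-CertUtil @('-dc', $OldForestDC, '-dspublish', '-f', $SubCrl,  $SubHost)

# 4. From a machine joined to the old forest: pull the new trust objects via Group Policy /
#    autoenrollment, then walk the Sub CA chain and fetch every AIA/CDP URL it advertises.
#    A "Failed" line for an ldap:/// URL next to a "Verified" line for http:// is exactly
#    the symptom discussed in this thread.
gpupdate /force /target:computer
Invoke-CertUtil @('-pulse')
& certutil.exe -verify -urlfetch $SubCert
```

The CRL copies placed in the old forest by step 3 expire on the CRL's own schedule, so if LDAP URLs stay in the issued certificates that step has to be repeated after every CRL publication (for example from a scheduled task on the Sub CA); otherwise the LDAP path starts failing again as soon as the published CRL lapses.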

All replies

  • Hello,

    Based on your description, yes, LDAP should fail and HTTP should work. That's why I think that in the configuration order of your CDP you should have HTTP first and then LDAP (clients have a timeout regarding CRL checking).

    One must-have can be to set up an Online Responder.

    If you have a two-way trust, LDAP should work, but you have to check the rights on the cRLDistributionPoint object for your CA, located in the Configuration Naming Context.

    Best Regards,

    Friday, April 27, 2018 8:04 AM
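
One way to act on the reply above, as an added example that is not the answerer's own code: reorder the Sub CA's CDP and AIA extensions with the ADCSAdministration cmdlets so HTTP is written first (LDAP only as an optional fallback), republish the CRL, and then inspect the ACL on the CA's cRLDistributionPoint object in the trusting forest's Configuration NC. The pki.example.local URL, host names, DC and DNs are assumed placeholders.

```powershell
# Added example, not the answerer's code. Run on the Sub CA as a CA administrator.
# Assumptions (placeholders): pki.example.local, SUBCA01, the old-forest DC and DNs below.
$ErrorActionPreference = 'Stop'
Import-Module ADCSAdministration      # installed with the AD CS role (Server 2012 and later)

# Keep LDAP as a SECOND location only if the CRL also keeps getting published into the
# other forest; otherwise that forest's clients pay a timeout on LDAP before trying HTTP.
$KeepLdapAsFallback = $false

$HttpCdp = 'http://pki.example.local/pki/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl'
$LdapCdp = 'ldap:///CN=<CATruncatedName><CRLNameSuffix>,CN=<ServerShortName>,CN=CDP,CN=Public Key Services,CN=Services,<ConfigurationContainer><CDPObjectClass>'
$HttpAia = 'http://pki.example.local/pki/<ServerDNSName>_<CaName><CertificateName>.crt'

# Record the current state so the change can be reviewed and rolled back.
Get-CACrlDistributionPoint | Format-Table Uri, AddToCertificateCdp, PublishToServer -AutoSize
Get-CAAuthorityInformationAccess | Format-Table Uri, AddToCertificateAia -AutoSize

# Remove every URL except the CA's local publish path. The order in which URLs are
# re-added is the order written into issued certificates, so HTTP goes in first.
Get-CACrlDistributionPoint |
    Where-Object { $_.Uri -notmatch '^(file:|[A-Za-z]:\\|%WINDIR%|%SystemRoot%)' } |
    ForEach-Object { Remove-CACrlDistributionPoint -Uri $_.Uri -Force }

Add-CACrlDistributionPoint -Uri $HttpCdp -AddToCertificateCdp -AddToFreshestCrl -Force
if ($KeepLdapAsFallback) {
    # -PublishToServer makes the CA write the CRL into its OWN forest's AD; the other
    # forest still needs certutil -dspublish (plus read access over the trust) to resolve it.
    Add-CACrlDistributionPoint -Uri $LdapCdp -AddToCertificateCdp -AddToFreshestCrl -PublishToServer -Force
}

# AIA: HTTP only, so chain building from either forest never depends on LDAP.
Get-CAAuthorityInformationAccess |
    Where-Object { $_.Uri -like 'ldap:*' } |
    ForEach-Object { Remove-CAAuthorityInformationAccess -Uri $_.Uri -Force }
Add-CAAuthorityInformationAccess -Uri $HttpAia -AddToCertificateAia -Force

Restart-Service certsvc
certutil -crl      # issue a new CRL; the CA only writes to file and -PublishToServer LDAP
                   # locations, so the .crl still has to be copied to the HTTP server

# Per the reply: check who may read the CA's cRLDistributionPoint object in the OTHER
# forest's Configuration NC. Cross-forest clients authenticate over the trust, so
# "Authenticated Users" (or a group from that forest) needs read access on it.
Import-Module ActiveDirectory
New-PSDrive -Name OLDAD -PSProvider ActiveDirectory -Root '' -Server 'dc01.old.example.local' | Out-Null
$CdpDn = 'CN=Sub-CA,CN=SUBCA01,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=old,DC=example,DC=local'
(Get-Acl -Path "OLDAD:\$CdpDn").Access |
    Where-Object { $_.ActiveDirectoryRights -match 'GenericRead|ReadProperty|GenericAll' } |
    Format-Table IdentityReference, ActiveDirectoryRights, AccessControlType -AutoSize
```

Certificates issued before the change keep their old CDP order, so clients checking those certificates still try whatever was first in them; only re-issued certificates pick up the HTTP-first order.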
  • Feel free to tell us if the information was useful

    Best Regards,

    Thursday, May 17, 2018 4:33 PM