Question on losing Issuing CA

  • Question

  • Hi

    Example scenario - we have an Enterprise PKI, Windows 2008 R2, with a Root CA (offline) and multiple Subordinate CAs that issue the certs. The certificates in this example are authentication certs and we choose not to publish to AD.

    We then lose one of the Subordinate CAs. What effect does this have on clients trying to connect in? New certs can be issued from another Subordinate CA, however does the CRL/OCSP responder HAVE to be on the CA itself?

    And even if they aren't, does the fact that the CA's database is unavailable mean anything?

    Wednesday, January 8, 2014 12:53 AM


  • The CRL for the "failed" CA must be time valid. So you either need to get the CA back or need to do continual emergency CRL signings. This is only possible if you have all time valid versions of the failed CA's certificate and private key. If you do have them, you can run certutil -sign CRLFILE.CRL DD:00. For example, to sign the base CRL for a week validity period, you can use certutil -sign CRLFILE.CRL 7:00.

    If you do not have the database, you lose the ability to revoke certificates easily.

    If you do not get those CRLs signed, all clients and servers that have certificates that were issued by the failed CA will fail as soon as the CRLs expire.

    On the brighter side, the OCSP responder can be a separate server that has its certificate issued by any CA that chains to a root trusted by the clients.


    Wednesday, January 8, 2014 1:56 AM
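The emergency re-signing the reply describes, as an added PowerShell example that is not part of the original thread and not Microsoft's code. It reads the NextUpdate of the failed CA's CRL file, warns when the CRL has already lapsed (the point at which relying parties start failing), and re-signs it with certutil -sign when less than a configurable number of days remain. Assumptions: certutil.exe is on PATH; the failed CA's certificate and private key are imported on the machine running the script (certutil -sign prompts for the signing certificate); the "NextUpdate:" line of certutil -dump is printed in the current culture's date format; and the argument order "-sign InFile OutFile +dd:hh" follows the certutil documentation, which you should confirm against certutil -sign -? on your build before relying on it.

```powershell
# Added example for the thread above (not from the original post or from Microsoft).
# Keeps a CRL issued by a failed CA time valid by re-signing it before NextUpdate.
# Assumptions (see lead-in): certutil on PATH, failed CA cert + key in the local
# store, locale-parsable "NextUpdate:" line, "+dd:hh" validity argument.

param(
    [Parameter(Mandatory = $true)] [string]$CrlPath,   # e.g. C:\CRL\SubCA01.crl (hypothetical path)
    [int]$RenewWithinDays = 2,   # re-sign when less than this many days remain
    [int]$NewValidityDays = 7,   # validity of the re-signed CRL, like the reply's 7:00
    [switch]$WhatIf
)

function Get-CrlNextUpdate {
    param([string]$Path)
    # certutil -dump prints "ThisUpdate:" / "NextUpdate:" lines for a CRL file.
    $dump = & certutil.exe -dump $Path 2>&1 | Out-String
    if ($LASTEXITCODE -ne 0) { throw "certutil -dump failed for ${Path}:`n$dump" }
    $m = [regex]::Match($dump, '(?m)^\s*NextUpdate:\s*(.+?)\s*$')
    if (-not $m.Success) { throw "No NextUpdate line in certutil output for $Path (not a CRL?)" }
    # Assumption: the date is printed in the current culture, so parse it the same way.
    return [datetime]::Parse($m.Groups[1].Value)
}

function Invoke-EmergencyCrlResign {
    param([string]$Path, [int]$Days)
    # Keep the old CRL; the re-signed one replaces the working copy only on success.
    $backup = "$Path.$(Get-Date -Format 'yyyyMMddHHmmss').bak"
    Copy-Item -Path $Path -Destination $backup -Force
    # Assumption: "+dd:hh" sets the new validity period (days:hours). certutil will
    # prompt for the signing certificate; pick the failed CA's certificate.
    & certutil.exe -sign $backup $Path "+$($Days):00"
    if ($LASTEXITCODE -ne 0) { throw "certutil -sign failed with exit code $LASTEXITCODE (old CRL kept at $backup)" }
    return Get-CrlNextUpdate -Path $Path
}

$nextUpdate = Get-CrlNextUpdate -Path $CrlPath
$remaining  = $nextUpdate - (Get-Date)
Write-Host ("CRL {0}: NextUpdate {1:u}, {2:N1} days remaining" -f $CrlPath, $nextUpdate, $remaining.TotalDays)

if ($remaining.TotalDays -lt 0) {
    Write-Warning "CRL has already expired: relying parties checking certs from this CA are failing revocation checks now."
}

if ($remaining.TotalDays -lt $RenewWithinDays) {
    if ($WhatIf) {
        Write-Host "Would re-sign $CrlPath for $NewValidityDays days."
    } else {
        $newNext = Invoke-EmergencyCrlResign -Path $CrlPath -Days $NewValidityDays
        Write-Host ("Re-signed. New NextUpdate {0:u}. Copy the file to every CDP location named in the issued certificates." -f $newNext)
    }
} else {
    Write-Host "No action needed yet."
}
```

Run it from a scheduled task on the box that holds the failed CA's key, with -WhatIf first. The re-signed file only helps once it is copied to the CDP URLs embedded in the certificates that CA issued (in this thread's scenario an HTTP path, since nothing is published to AD), so treat the copy step as part of the procedure, not an afterthought. Because the CA database is gone, the re-signed CRL carries the same revocation entries as the last one; nothing new can be revoked through it, which is the limitation the reply points out.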