CRL Validity Period and an offline Root CA

  • Question

  • Hi, I was hoping someone could help me understand this a little better! I am designing our PKI solution and have been trying to determine what to set the CRL validity periods to on our offline root CA and on the online enterprise CA. I have seen a lot of different posts about how this should be configured, but is there a best practice? Also, if having a root CA be offline is recommended, how does one publish the CRL from it to the issuing CAs? Do we have to keep turning it on to issue the CRL and then turn it off again? If the issuing CAs are checking for CRLs, won't it cause an issue when they cannot contact the root CA since it is offline?

    Thanks for your help!

    Monday, July 25, 2011 5:33 PM

Answers


    In most of my PKI deployments, I use 6 months or 1 year CRL lifetimes for the offline CAs. It is amazing how many customers can't even cope with a manual process that happens once a year, let alone twice a year! :)

    As part of the process, you move the new CRL from the offline servers to the online CRL publication location, which could be your issuing CAs, or another web server (assuming you have HTTP CDPs). Once there, it will be valid for its entire lifetime, e.g. for up to six months or a year. Close to expiry you will need to repeat the process.

    For online CRL lifetimes, I tend to use 7 days for the base CRL and 1 day for delta CRLs.

    This is worth a read: http://blogs.technet.com/b/askds/archive/2009/10/13/designing-and-implementing-a-pki-part-ii.aspx and there is also a great MS press book called Windows Server 2008 PKI and Certificate Security.

    Cheers

    JJ



    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk

    Tuesday, July 26, 2011 11:20 PM
    Moderator
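The lifetimes above, applied with certutil on each CA tier and followed by the manual walk of the root CRL to its online publication point. This is an added example, not code from the thread or from Microsoft; CA names, the CertEnroll wildcard, the UNC path \\web01\pki and the certificate path under C:\PKI are placeholders to adjust for your environment.

```powershell
# Constructed example (not from the thread): apply the lifetimes quoted above with certutil and
# walk the offline root's CRL to its online publication point. CA names and paths such as
# \\web01\pki and the CertEnroll folder wildcard are placeholders for your environment.

# ---- OFFLINE ROOT CA: run while it is powered on for the periodic CRL refresh ----
certutil -setreg "CA\CRLPeriodUnits" 6            # base CRL valid for 6 months
certutil -setreg "CA\CRLPeriod" "Months"
certutil -setreg "CA\CRLDeltaPeriodUnits" 0       # 0 disables delta CRLs on the root
# Overlap: the new CRL is signed before the old one lapses, leaving slack for the manual copy.
certutil -setreg "CA\CRLOverlapUnits" 2
certutil -setreg "CA\CRLOverlapPeriod" "Weeks"
Restart-Service certsvc                           # registry changes take effect on restart
certutil -CRL                                     # sign a fresh base CRL into CertEnroll

# Copy the root CRL to the HTTP CDP the issued certificates point at (placeholder UNC path).
$rootCrl = Get-ChildItem "$env:SystemRoot\System32\CertSrv\CertEnroll\*.crl" |
           Sort-Object LastWriteTime -Descending | Select-Object -First 1
Copy-Item -Path $rootCrl.FullName -Destination "\\web01\pki\" -Force
# If the CDP also lists an LDAP location, publish the same file into AD from a domain member:
#   certutil -dspublish -f "<path to root CRL>"

# ---- ONLINE ISSUING CA (separate machine): 7-day base CRL, 1-day delta CRL ----
certutil -setreg "CA\CRLPeriodUnits" 7
certutil -setreg "CA\CRLPeriod" "Days"
certutil -setreg "CA\CRLDeltaPeriodUnits" 1
certutil -setreg "CA\CRLDeltaPeriod" "Days"
Restart-Service certsvc
certutil -CRL

# Sanity check from any domain member: confirm every CDP/AIA URL in an issued certificate resolves
# and the chain builds; a missing base or delta CRL surfaces here as a revocation-check error.
certutil -verify -urlfetch "C:\PKI\issued-example.cer"    # placeholder certificate path
```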

All replies

  • There is no best practice that fits all scenarios. Therefore, it is your responsibility to determine what the maximum period for revocation should be. Generally speaking, you would decide on short-lived CRL lifetimes if the CA issues authentication certificates. From a security point of view, CAs that are issuing encryption certificates might have longer CRL lifetimes. That said, it would require that you have at least two different issuing CAs for encryption and signing certificates. Also, one could argue that for authentication certificates it would be easier to disable the user account than to revoke the auth cert. It is a complex decision matrix.

    For the issuing CA, you could start with a validity time of 7 days. If that's too short or too long, you could change the validity time at your convenience. Also, delta CRLs should be considered. But be careful: if either the base CRL or the delta CRL is not available, your clients will fail with certificates.

    In regard to the root CA: yes, you must turn on the root, and the subordinate CAs require a valid CRL from the root.

    Tuesday, July 26, 2011 7:25 AM
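A monitoring check for the failure mode described in this reply: a base or delta CRL that is unreachable or has passed its NextUpdate. This is an added example, not code from the thread; the CDP URLs, the "+.crl" delta file name and the warning thresholds are placeholders, and the NextUpdate parse assumes certutil's default dump output with an en-US date string.

```powershell
# Constructed monitoring check (not from the thread): download each published CRL and flag it
# when it is unreachable, expired, or inside a warning window. URLs, file names and thresholds
# are placeholders; the "NextUpdate:" parse assumes certutil's default output and en-US dates.
$crls = @(
    @{ Url = "http://pki.example.com/pki/RootCA.crl";     WarnHours = 24 * 30 }  # 6-12 month root CRL
    @{ Url = "http://pki.example.com/pki/IssuingCA.crl";  WarnHours = 24 * 2  }  # 7-day base CRL
    @{ Url = "http://pki.example.com/pki/IssuingCA+.crl"; WarnHours = 6       }  # 1-day delta CRL
)

function Test-PublishedCrl {
    param([string]$Url, [int]$WarnHours)
    $tmp = Join-Path $env:TEMP ([IO.Path]::GetRandomFileName() + ".crl")
    try {
        Invoke-WebRequest -Uri $Url -OutFile $tmp -UseBasicParsing -ErrorAction Stop
    } catch {
        return [pscustomobject]@{ Url = $Url; Status = "UNREACHABLE"; NextUpdate = $null }
    }
    # certutil -dump prints a " NextUpdate: <date>" line for a CRL (assumed format, see lead-in).
    $match = certutil -dump $tmp | Select-String -Pattern '^\s*NextUpdate:\s*(.+)$' | Select-Object -First 1
    Remove-Item $tmp -Force -ErrorAction SilentlyContinue
    if (-not $match) {
        return [pscustomobject]@{ Url = $Url; Status = "UNPARSEABLE"; NextUpdate = $null }
    }
    $next = [datetime]::Parse($match.Matches[0].Groups[1].Value.Trim())
    $now  = Get-Date
    $status = if ($next -lt $now)                          { "EXPIRED"  }
              elseif ($next -lt $now.AddHours($WarnHours)) { "EXPIRING" }
              else                                         { "OK"       }
    [pscustomobject]@{ Url = $Url; Status = $status; NextUpdate = $next }
}

$results = foreach ($c in $crls) { Test-PublishedCrl -Url $c.Url -WarnHours $c.WarnHours }
$results | Format-Table -AutoSize
# A non-zero exit code lets a scheduled task or monitoring agent raise an alert before clients
# start failing revocation checks.
if ($results.Status -contains "EXPIRED" -or $results.Status -contains "UNREACHABLE") { exit 1 }
```

An EXPIRING status on the root CRL is the cue to repeat the manual publish cycle from the offline root before the NextUpdate date passes.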
  • Thank you for your responses! This makes it more clear - I did read the entire MS press book this week and it's a great resource - was still a little confused though so thanks!

    Cheers,

    Reena

    Wednesday, July 27, 2011 2:15 PM