Subordinate Certificate CRL Auto renewal not happening

    Question

  • Scenario:

    Root CA: Offline Standalone running on windows 2012R2

    Sub CA: Enterprise Subordinate CA running on windows 2012R2

    In 'Enterprise PKI' the 'CDP Location #1' is getting expired every week. The 'DeltaCRL Location #1' also follows the same after every day. Hence we had to renew the CDP CRL every time by running the below commands before it is getting expired.

    certutil -CRL

    certutil -dspublish -f -dc "dcname.domain.com" "c:\path\to\crl\crlname.crl"

    How can we automate this so that it gets renewed automatically? Any help would be great.

    Regards,

    SoumenG

    Tuesday, March 07, 2017 6:17 PM

Answers

  • Hi Cartman,

    Thank you so much for your reply.

    Yes, we have managed to solve the issue by scheduling the renewal of SUBCA.

    Currently we have stopped the certificate service in the RootCA server, and the SubCA server is able to renew the CRL using the below scheduled batch job.

    Batch File Format:

    CD C:\Windows\System32\Certsrv\CertEnroll

    REM Issue a new base CRL from the CA service
    certutil -crl

    REM Publish the new CRL to Active Directory
    certutil -dspublish -f -dc "DC-FQDN" "C:\Windows\System32\certsrv\CertEnroll\SUBCA.crl"

    REM certsrv.exe lives in C:\Windows\System32; "net stop"/"net start" do not depend on the current directory
    CD C:\Windows\System32

    net stop certsvc

    net start certsvc

    exit

    Regards,

    Soumen

    Monday, March 20, 2017 11:45 AM

All replies

  • Hi,

    How long did you set the CRL and Delta CRL publication interval?

    Renewing the CRL and publishing a new one is manually done since the Root CA is offline and that is why its better to make the CRL publish interval more than the default value so you won't do it frequently. You may also want to set an automated reminder before the next renewal date.

    Or you could set a task via Task Scheduler, to run this command weekly before it expires.


    Best Regards
    Cartman
    Please remember to mark the replies as answers if they help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Wednesday, March 08, 2017 6:33 AM
    Moderator
  • Hi Soumen,

    I assume for the moment that it's the Root CA CRL that keeps expiring. It would be expected behavior since it's an offline CA. You can check that by checking the name of the CA directly above the CDP Location #1 and Delta CDP Location #1 entry.

    For the Root CA, I would suggest the following steps to first limit and then eliminate the burden.

    1. Turn off the Delta CRLs. The Delta CRL is used when there are large numbers of revocations, to avoid having to publish and use the increasingly lengthy CRL every day. However, the Root CA probably has only one active issued certificate (the Sub CA) in the first place.

    You will find the settings for the CRLs in the Extensions tab of the Root CA Properties. Ensure that for each CRL Distribution Point the option Delta CRL Allowed is not checked. Then alter the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CertSvc\Configuration\<Root CA Common Name>\CRLDeltaPeriodUnits and ...\CRLDeltaOverlapUnits and set both to 0 (disabled).

    2. Increase the Root CA CRL Period. 7 Days validity and 3 days overlap is default, but for an offline Root CA not generally considered necessary. The registry values ...\CRLPeriod(Overlap) and ...\CRLPeriod(Overlap)Units together control the validity and overlap of the CRL. You have to design for yourself a period you feel comfortable with, longer means if you have to revoke the Issuing CA it does not take effect until the Root CA CRL expired, shorter means more publishing work. Periods ranging from 30 days to 6 months for the validity period with a 10-35% overlap (the longer the validity period, the shorter the overlap) are not uncommon.

    3. Next, you can in fact make your stand-alone Root CA publish the CRL to Active Directory if the machine is a domain member. This automates the certutil -dspublish command. This can also be controlled from the extensions tab (checkbox Publish CRLs to this location).

    4. Then you can opt to schedule CRL publication by scheduling the Certutil -CRL command in a script as Cartman suggested if you want to clear out the remaining workload. Assuming you have the Root CA machine offline, you'll need to leverage some form of Wake method that works for your situation. If you do that, you may also want to add event ID 26 of the CertificationAuthority to monitoring if you have it, as that will alert you if the CA Service is started.

    Kind Regards,

    Thursday, March 09, 2017 8:08 AM
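As an added example that is not part of the thread, the PowerShell script below combines steps 3 and 4 above with Cartman's Task Scheduler suggestion: it renews and AD-publishes the CA's CRL only when fewer than a few days of validity remain, verifies that the file on disk really carries a later NextUpdate, and can register itself as a daily task. The CRL path, DC FQDN and script location are placeholder assumptions for your environment.

```powershell
# Added example, not from the thread: conditional CRL renewal + AD publish for a CA.
# -Register creates the daily scheduled task once; the default run performs the check.
param([switch]$Register)

$CrlPath         = 'C:\Windows\System32\CertSrv\CertEnroll\SUBCA.crl'  # assumed CRL file
$DcFqdn          = 'dc01.corp.example'                                  # assumed DC FQDN
$ScriptPath      = 'C:\Scripts\Renew-CaCrl.ps1'                         # assumed location of this file
$RenewWithinDays = 3        # renew when fewer than this many days of validity remain

function Get-CrlNextUpdate([string]$Path) {
    # certutil -dump prints a "NextUpdate:" line for a CRL; parse it into a datetime.
    $m = certutil -dump $Path | Select-String -Pattern '^\s*NextUpdate:\s*(.+)$' | Select-Object -First 1
    if (-not $m) { throw "Could not read NextUpdate from $Path" }
    return [datetime]::Parse($m.Matches[0].Groups[1].Value.Trim())
}

if ($Register) {
    $action  = New-ScheduledTaskAction -Execute 'powershell.exe' `
               -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$ScriptPath`""
    $trigger = New-ScheduledTaskTrigger -Daily -At 2am
    Register-ScheduledTask -TaskName 'Renew-CaCrl' -Action $action -Trigger $trigger `
        -User 'SYSTEM' -RunLevel Highest | Out-Null
    Write-Host 'Daily CRL renewal task registered.'
    return
}

$before    = Get-CrlNextUpdate $CrlPath
$remaining = $before - (Get-Date)
Write-Host ("CRL expires {0:u}; {1:N1} days remaining" -f $before, $remaining.TotalDays)
if ($remaining.TotalDays -gt $RenewWithinDays) { Write-Host 'Still valid; nothing to do.'; return }

# certutil -crl needs the CA service running (true for the Sub CA; an offline Root must be woken first).
if ((Get-Service certsvc).Status -ne 'Running') { Start-Service certsvc }

certutil -crl
if ($LASTEXITCODE -ne 0) { throw "certutil -crl failed (exit $LASTEXITCODE)" }
certutil -dspublish -f -dc $DcFqdn $CrlPath
if ($LASTEXITCODE -ne 0) { throw "certutil -dspublish failed (exit $LASTEXITCODE)" }

# Verify the CRL on disk now carries a later NextUpdate than before the run.
$after = Get-CrlNextUpdate $CrlPath
if ($after -le $before) { throw 'CRL file was not renewed; check the CertificationAuthority event log' }
Write-Host ("Renewed; new NextUpdate {0:u}" -f $after)
```

Run it once with -Register from an elevated prompt on the CA; afterwards the task runs the check daily and only issues a new CRL inside the chosen renewal window.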
  • Hi,

    I am checking to see if the problem has been resolved. If there's anything you'd like to know, please feel free to ask.


    Best Regards
    Cartman
    Please remember to mark the replies as answers if they help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Friday, March 17, 2017 5:52 AM
    Moderator
  • Hi,

    Thank you for sharing with us.


    Best Regards
    Cartman
    Please remember to mark the replies as answers if they help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Tuesday, March 21, 2017 1:29 AM
    Moderator