HA PKI with multiple SubCAs and CRLs

  • Question

  • There are 2 main ways to make Windows PKI highly available. Typically someone will cluster the service using Windows cluster services, and this way you have an active/standby issuing authority.

    However, I'd rather not deal with the complexity of shared storage, heartbeat networks, etc. What I'd like to do is just have my Root CA and (2) subordinate CAs that have the same templates on them, such that it doesn't matter which SubCA my clients get their cert from.

    The big issue is the CRL. I'd like to put the CRL on IIS behind a hardware load balancer (most likely on (2) separate IIS servers from the SubCAs).

    My big question is, in all my searching I can't find any guidance on how to 'merge' different CRLs from completely separate SubCAs into a master CRL list that my IIS servers can provide to my clients. In fact, let's just say there is only 1 IIS server with only 1 CRL.

    Problem is, there are 2 CRLs that I need to reconcile: 1 from SubCA1, and 1 from SubCA2. How do I reconcile these different CRLs into something my single IIS server can serve?

    EDIT: This person is basically asking the same question I am, and the last post in the thread sort of explains how they might accomplish this, but I don't really understand the answer.

    https://social.technet.microsoft.com/Forums/windowsserver/en-US/e568a95c-6999-4d62-9401-9727a8dd5c35/crl-in-two-issuing-ca-environment?forum=winserversecurity

    • Edited by cyr0nk0r Saturday, October 5, 2019 6:00 AM
    Saturday, October 5, 2019 5:44 AM

All replies

  • Having done more research, I understand that I can have subca1.crl and subca2.crl both on a web server (or multiple web servers). I would then publish this web server as a CDP that contains my CRLs. However, the thing I don't understand and can't find in my searching is: how does a Windows client know to grab ALL the CRL files in the directory?

    If this particular member server had its certificate issued from subca1, it would obviously know about the subca1.crl file since that's what it was told to check, but how would the server know to also check subca2.crl when connecting to http://pki.domain.com?

    That's the part I don't understand: how do I tell servers about multiple CRL files so that they check all of them, not just the first one in a list?



    • Edited by cyr0nk0r Saturday, October 5, 2019 1:29 PM
    Saturday, October 5, 2019 1:28 PM
  • There are two things you should consider:

    1) A CA may delegate CRL signing to another authority. This is called an "indirect CRL". However, Microsoft does not support indirect CRLs.

    2) You can't have a master CRL with revocation information from multiple issuers, because it breaks the logic of RFC 5280. Per the RFC, certificate serial numbers (which are included in the CRL) are unique per CA. So your CRL may contain non-unique serial numbers (an RFC violation) and can generate false-positive results, where a valid certificate is considered revoked because the same serial number from another CA is listed in the CRL.

    Summary: the answer to your question is "no way". Either clustering, or dealing with separate CRLs from each CA.


    Vadims Podāns, aka Crypt32
    My weblog: www.sysadmins.lv
    PowerShell PKI Module: PSPKI
    Check out new: SSL Certificate Verifier
    Check out new: ASN.1 Editor tool.

    Saturday, October 5, 2019 2:04 PM
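The per-CA serial number point above, and the original question of which CRL a client actually fetches, as an added example that is not from the thread or from PSPKI. It uses the Python `cryptography` package to build two stand-in issuing CAs ("subca1", "subca2"), a certificate from each with the same serial number, and a CRL from each; the CDP host pki.domain.com is taken from the thread, everything else (names, keys, serials) is constructed here.

```python
# Added example (not from the thread/PSPKI); needs 'cryptography'. All names, keys, serials constructed.
import datetime as dt
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec

NOW = dt.datetime(2019, 10, 5)
CDP_BASE = "http://pki.domain.com/"  # hypothetical CDP host named in the thread

def name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
def build_cert(signer_key, issuer, cn, serial, ext, key):
    return (x509.CertificateBuilder().subject_name(name(cn)).issuer_name(issuer)
            .public_key(key.public_key()).serial_number(serial).not_valid_before(NOW)
            .not_valid_after(NOW + dt.timedelta(days=365)).add_extension(ext, critical=False)
            .sign(signer_key, hashes.SHA256()))
def make_ca(cn):  # self-signed stand-in for an issuing SubCA (a real one chains to the Root CA)
    key = ec.generate_private_key(ec.SECP256R1())
    return key, build_cert(key, name(cn), cn, 1, x509.BasicConstraints(True, None), key)
def issue(ca_key, ca_cert, cn, serial):  # the CDP names only this issuer's own CRL file
    ca_cn = ca_cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value
    cdp = x509.CRLDistributionPoints([x509.DistributionPoint(
        [x509.UniformResourceIdentifier(f"{CDP_BASE}{ca_cn}.crl")], None, None, None)])
    return build_cert(ca_key, ca_cert.subject, cn, serial, cdp, ec.generate_private_key(ec.SECP256R1()))
def build_crl(ca_key, ca_cert, revoked_serials):
    b = (x509.CertificateRevocationListBuilder().issuer_name(ca_cert.subject)
         .last_update(NOW).next_update(NOW + dt.timedelta(days=7)))
    for s in revoked_serials:
        b = b.add_revoked_certificate(
            x509.RevokedCertificateBuilder().serial_number(s).revocation_date(NOW).build())
    return b.sign(ca_key, hashes.SHA256())
def cdp_url(cert):  # what a client actually fetches: the URL carried in its own certificate
    return cert.extensions.get_extension_for_class(x509.CRLDistributionPoints).value[0].full_name[0].value
def is_revoked(cert, crls, cas):
    """RFC 5280 check: only a CRL from the cert's own issuer, signed by that issuer, counts."""
    for crl in crls:
        if crl.issuer == cert.issuer and crl.is_signature_valid(cas[crl.issuer].public_key()):
            return crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None
    raise LookupError("no CRL from this certificate's issuer")
def naive_merged_revoked(cert, crls):  # the 'master CRL' idea: union of serials, issuer ignored
    return any(c.get_revoked_certificate_by_serial_number(cert.serial_number) for c in crls)

def demo():
    k1, ca1 = make_ca("subca1"); k2, ca2 = make_ca("subca2")
    cert1 = issue(k1, ca1, "host-a", 0x1000)  # revoked below
    cert2 = issue(k2, ca2, "host-b", 0x1000)  # same serial from the other CA, still valid
    crls = [build_crl(k1, ca1, [0x1000]), build_crl(k2, ca2, [])]
    cas = {c.subject: c for c in (ca1, ca2)}
    return (cdp_url(cert1), is_revoked(cert1, crls, cas),
            is_revoked(cert2, crls, cas), naive_merged_revoked(cert2, crls))
```

`demo()` returns the CDP URL in host-a's certificate (only subca1.crl, which is why a client never learns about subca2.crl), True for host-a against its own CA's CRL, False for host-b under the issuer-scoped check, and True for host-b under the serial-only union: the false positive the reply describes.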
  • Having done more research, I understand that I can have subca1.crl and subca2.crl both on a web server (or multiple web servers). I would then publish this web server as a CDP that contains my CRLs. However, the thing I don't understand and can't find in my searching is: how does a Windows client know to grab ALL the CRL files in the directory?

    If this particular member server had its certificate issued from subca1, it would obviously know about the subca1.crl file since that's what it was told to check, but how would the server know to also check subca2.crl when connecting to http://pki.domain.com?

    That's the part I don't understand: how do I tell servers about multiple CRL files so that they check all of them, not just the first one in a list?



    What you are asking for certainly violates many standards.

    Vadims Podāns, aka Crypt32
    My weblog: www.sysadmins.lv
    PowerShell PKI Module: PSPKI
    Check out new: SSL Certificate Verifier
    Check out new: ASN.1 Editor tool.

    Saturday, October 5, 2019 2:05 PM
  • Hello,
    Thank you for posting in our TechNet forum.

    Does this question have any update, or is this issue solved? Also, for the question, is there any other assistance we could provide?



    Best Regards,
    Daisy Zhou


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, October 7, 2019 3:54 AM
    Moderator
  • Hi,
    I am just writing to see if this question has any update. If anything is unclear, please feel free to let us know.
    Thanks for your time and have a nice day!



    Best Regards,
    Daisy Zhou

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, October 9, 2019 2:35 AM
    Moderator