Offline Root CA CDP

    Question

  • Hi, I am planning a two tier PKI with Windows 2008 R2. The root CA (RootCA1) will be offline and standalone. Two subordinate issuing CAs (SubCA1 and SubCA2) will be enterprise and online. Everything seems to be working fine in a test environment. My questions are:

    1. I would prefer not to publish the CDP URL from the root CA, so the issuing CAs' certificates will not have the published CDP extension (I will configure the AIA URL). That way I don't have to copy CRLs regularly from the offline root CA to the CDP. The root CA will likely only issue two certificates, to the sub CAs. If for whatever reason the sub CAs' certificates need to be revoked, I can add a CDP URL to the root CA later and renew/reissue the certificates for the sub CAs. Is this a bad idea?

    2. For the online issuing sub CAs, do I have to manually publish CRLs, or will the CA automatically publish the CRLs before the expiry date?

    Thank you.

    Frank Z

    Wednesday, August 22, 2012 3:15 PM

All replies

  • > Is this a bad idea?

    Definitely. You MUST configure both CDP and AIA extensions on the root CA. Otherwise, many applications will fail, because they will be unable to determine the issuing CA's revocation status.

    > For the online issuing sub CAs, do I have to manually publish CRLs, or the CA will automatically publish the CRLs before the expiring date?

    If you configure UNC or LDAP paths to publish CRLs, the CAs will automatically update the CRL files in these locations. Note that UNC paths are allowed only for file publication. For CRT/CRL file retrieval only the HTTP and LDAP protocols are supported.


    My weblog: http://en-us.sysadmins.lv
    PowerShell PKI Module: http://pspki.codeplex.com
    Windows PKI reference: on TechNet wiki


    Wednesday, August 22, 2012 3:44 PM
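    The root CA setup Vadims describes (CDP and AIA extensions on the root, CRL signed locally and served over HTTP), as an added example that is not code from this thread or from any of its authors. The certutil registry values and flag numbers are Windows' own; the publishing URL, the local path and the SubCA1.crt file name are placeholders.

    ```powershell
    # Added example (not from the thread). Run in an elevated PowerShell on the
    # offline root CA. Assumed: a web server hosting http://pki.example.com/pki/
    # (placeholder) that clients can reach; the root never talks to it, you carry
    # the .crl/.crt files over by hand after each publication.
    $HttpBase = "http://pki.example.com/pki"                 # placeholder URL
    $Local    = "$env:windir\System32\CertSrv\CertEnroll"    # default local folder

    # CRL locations. Flag 1 = the CA writes the CRL here (local path only, the
    # root has no network), flag 2 = put this URL into the CDP extension of the
    # certificates the root issues, i.e. SubCA1/SubCA2. Tokens: %3 = CA name,
    # %8 = CRL name suffix, %9 = "+" for delta CRLs. certutil splits the list on
    # the literal "\n".
    certutil -setreg CA\CRLPublicationURLs "1:$Local\%3%8%9.crl\n2:$HttpBase/%3%8%9.crl"

    # CA certificate locations. Flag 1 = write the .crt here, flag 2 = put this
    # URL into the AIA extension. Tokens: %1 = server DNS name, %4 = cert name.
    certutil -setreg CA\CACertPublicationURLs "1:$Local\%1_%3%4.crt\n2:$HttpBase/%1_%3%4.crt"

    # Long base CRL lifetime and no delta CRLs, so the offline machine only
    # needs powering on a couple of times a year to re-sign the CRL.
    certutil -setreg CA\CRLPeriodUnits 26
    certutil -setreg CA\CRLPeriod "Weeks"
    certutil -setreg CA\CRLDeltaPeriodUnits 0

    Restart-Service certsvc      # registry changes take effect on restart
    certutil -crl                # sign a fresh CRL into $Local

    # Check, from a domain member after the files are on the web server, that
    # the issuing CA's certificate (placeholder file name) chains to the root
    # and that its revocation status resolves through the published CDP/AIA URLs.
    certutil -verify -urlfetch .\SubCA1.crt
    ```

    For the online issuing CAs the same two registry keys apply; there an extra flag-1 entry with a UNC path (for example `1:\\webserver\pki\%3%8%9.crl`, placeholder) lets the CA push its CRL to the web server itself, which is the automatic publication Vadims refers to.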
  • Thanks for the quick answers, Vadim. 

    For the first question, just to clarify, my issuing CAs will have CDP configured, just the root CA will not. Does that make any difference? I guess I am not understanding the CRL checking process.

    Thanks again.

    Frank Z.

    Thursday, August 23, 2012 7:14 PM
  • Frank,

    Your language is not clear <G>.

    The root CA certificate will not have a CDP/AIA per best practices

    The certificates issued by the root CA (including the issuing CA) must have an AIA and CDP extension.

    The certificates issued by the issuing CA must have an AIA and CDP extension

    Brian

    • Proposed as answer by Brian Komar [MVP] Thursday, August 23, 2012 9:40 PM
    • Marked as answer by FrankZebra Friday, August 24, 2012 4:06 PM
    Thursday, August 23, 2012 9:40 PM
  • > Thanks for the quick answers, Vadim.
    >
    > For the first question, just to clarify, my issuing CAs will have CDP configured, just the root CA will not. Does that make any difference? I guess I am not understanding the CRL checking process.
    >
    > Thanks again.
    >
    > Frank Z.

    I think, this article will explain something: http://en-us.sysadmins.lv/Lists/Posts/Post.aspx?ID=36

    My weblog: http://en-us.sysadmins.lv
    PowerShell PKI Module: http://pspki.codeplex.com
    Windows PKI reference: on TechNet wiki

    Friday, August 24, 2012 3:12 AM
  • Vadims,

    Thanks for pointing me to the great article. I understand it now.

    Friday, August 24, 2012 4:13 PM
  • Thanks, Brian.

    I got it now.

    Frank Z.

    Friday, August 24, 2012 4:13 PM