CA and HSM - CDP expiring RRS feed

  • Question

  • hello,

    my microsoft CA has two tiers 

    the cdp for the CA root is going to expire on the 7th of december

    our pki env identify a CA integrated with the HSM 

    I am wondering if to renew the cdp a key ceremony(hsm side) is necessary ?



    • Edited by chupito678 Tuesday, October 23, 2018 4:07 PM
    Tuesday, October 23, 2018 2:54 PM

All replies

  • Do you mean the CRL for the Root CA?

    If your environment has an HSM that manages the keys for your CAs then yes, you'll need to perform your key ceremony to then publish a new CRL on the Root CA. 

    Once you have the new CRL you'll need to publish to AD (assuming an MS network) after placing the new CRL on your CDP server, typically a domain-joined web server.

    Having said that, waiting until six weeks before a CRL expires to publish is not best practice. Documentation is everything and this should be available to walk through the procedures for CRL renewal, key ceremony and all other PKI related tasks, events, maintenance and procedures as well as DR.

    Hope that helps,


    Tuesday, October 23, 2018 4:17 PM
  • Yes , I mean the crl for the root ca, correct;

    what is the reason that a key ceremony is necessary,

    just to bring the ca online in order to publish the new crl, or for some other specific reason?

    do you have a specific weblink on how to perform these steps in an env where there is the hsm?



    Tuesday, October 23, 2018 6:59 PM
  • There is nothing online. This is part of your standard documentation that should have been created prior to building the PKI in a standard engagement.

    1) No, it is not a key ceremony

    2) You will still need to assemble the people required by the policies of your organization. These may or may not include:

    - Local Administrators on root CA

    - HSM administrators

    - HSM security control holders (PED keys, smart cards)

    - HSM PIN holders (for PED keys, smart cards)

    - Internal Audit or security policy team or notary public



    Tuesday, October 23, 2018 11:59 PM