CRL in two issuing CA environment

  • Question

  • We have a two-tier CA infra with one issuing CA. The operating system is Windows 2008 Ent. Currently the CRL is published on the issuing CA web server. Now we plan to add another CA.

    Q1. Can I migrate my existing issuing CA to a Windows clustered CA without loss of existing certificates?

    If option 1 is not possible, then I assume I should add another enterprise subordinate CA. There are a few questions on this:

    Q2. When I have two issuing CAs, which one will publish the CRL?

    Q3. Currently the HTTP CDP path points to the existing issuing CA (using a DNS CNAME entry). When there are two issuing CAs, I think we need to publish the CRL on a third server and change the CNAME entry in DNS to point to that server. Please suggest if it is correct.

    Q4. If we publish the CRL on an external web server, do we need to manually copy the CRL to the external web server on a regular basis? In that case which CRL do we need to copy, from IssuingServer1 or from IssuingServer2?


    Manoj

    Tuesday, May 22, 2012 10:59 AM


All replies

  • 1) you can cluster your existing CA server. However it requires some non-trivial research and modifications to make your solution working.

    2) if both CAs are nodes of the same cluster, then only the active node publishes CRLs.

    3) I think it depends on your environment settings. I can't tell which option is better.

    4) you may need to copy it manually if CAs have no direct connection to the target server or if CAs cannot authenticate themselves on the target server.


    My weblog: http://en-us.sysadmins.lv
    PowerShell PKI Module: http://pspki.codeplex.com
    Windows PKI reference: on TechNet wiki

    Tuesday, May 22, 2012 1:11 PM
  • 1) Can you please suggest some document? What I found is that server must already be in cluster before you can install any clustered service.

    2) Which node will publish the CRL if the issuing servers are not in the cluster?


    Manoj

    Tuesday, May 22, 2012 4:26 PM
  • 1) it doesn't matter, because you can temporarily backup/demote CA role. I can suggest only official whitepaper: http://www.microsoft.com/en-us/download/details.aspx?id=331

    2) then each server will publish its own CRLs.


    My weblog: http://en-us.sysadmins.lv
    PowerShell PKI Module: http://pspki.codeplex.com
    Windows PKI reference: on TechNet wiki

    Tuesday, May 22, 2012 4:53 PM
  • My CDP has single URL, pointing to existing CA. When two different CAs will publish the CRL, what shall I put in the CDP (server1 or server2 or an external web server) ?


    Manoj

    Tuesday, May 29, 2012 11:16 AM
  • Best practice is that you use a DNS name that points to a virtual IP that is load balanced by NLB or some other load-balancing infra.

    So if one goes down, the other can still respond to the requests. This is the same general concept for a lot of high-availability setups (cf. ISA, IIS, CAS, ...). If you implement OCSP you can use these web servers to host the CRL (for the clients who don't speak OCSP). You can use the same load-balancing setup.

    Tuesday, May 29, 2012 11:54 AM
  • Will both the servers (Issuing1 and Issuing2) issue the same CRL? If yes, then it's okay. If not, then we will have two CRL names in the CDP, both containing different entries. In that case, which CRL will the client refer to?

    Like - 

    6:http://crl.test.com/crl/CA1.crl
    6:http://crl.test.com/crl/CA2.crl

    I know that in ADCS, both issuing CAs use the same template database configured on the Configuration partition in AD. But I think Server1 can only see the certificates issued by itself (not those issued by Server2). Similarly they publish different CRLs based on their own certificate database. Please correct me if I am wrong.


    Manoj

    Tuesday, May 29, 2012 1:17 PM
  • > Will both the serves (Issuing1 and Issuing2) issue same CRL?

    did you read my previous posts? If CAs are not members of the same cluster, URLs (at least file names) MUST be different.


    My weblog: http://en-us.sysadmins.lv
    PowerShell PKI Module: http://pspki.codeplex.com
    Windows PKI reference: on TechNet wiki

    Wednesday, May 30, 2012 5:28 AM
  • If we take the scenario-

    • CRL1 (Issued by CA1) contains serial nos. 1-10.
    • CRL2 (issued by CA2) contains serial nos. 11-20.
    • The CDP path contains two URL:
    • 6:http://crl.test.com/crl/CA1.crl
    • 6:http://crl.test.com/crl/CA2.crl

    Now there is a client which wants to check the validity of a certificate with serial number 15. As in the CDP the client finds the URL of CRL1 first (containing serials 1-10 for revoked certificates), the client downloads CRL1, finds that serial number 15 is not listed there and will assume that the certificate with serial number 15 is still valid. While in fact the certificate with serial number 15 has already been revoked by CA2.

    Will the client check both the CRLs or only first?


    Manoj

    Wednesday, May 30, 2012 11:08 AM
  • I think you need to get some clue about the subject: http://social.technet.microsoft.com/wiki/contents/articles/4954.certificate-status-and-revocation-checking.aspx

    > CRL1 (Issued by CA1) contains serial nos. 1-10.
    > CRL2 (issued by CA2) contains serial nos. 11-20.

    this scenario is not possible with Microsoft CA.


    My weblog: http://en-us.sysadmins.lv
    PowerShell PKI Module: http://pspki.codeplex.com
    Windows PKI reference: on TechNet wiki

    • Proposed as answer by Vadims PodansMVP Wednesday, May 30, 2012 3:26 PM
    • Unproposed as answer by ManojVer Thursday, May 31, 2012 2:47 PM
    Wednesday, May 30, 2012 3:25 PM
  • Maybe I am not explaining the question in the right way but I did not find the answer in the article. Anyways, thank you for the support.

    Manoj

    Thursday, May 31, 2012 2:46 PM
  • The answer is simple: all you want (different S/Ns in different CRLs) is not possible.

    Remember a few things:

    1) if 2 CAs use unique signing keys (unique CA certificate), there are no relationships between them.

    2) if 2 CAs share the same signing keys, they MUST be configured as nodes of the CA cluster. Also they MUST share the same database and configuration.

    3) only one node can be active in a CA cluster. The other node is always passive.

    4) each CA (in a clustered configuration: the active node) issues only one Base CRL for each signing key pair and, optionally, can issue one Delta CRL for each Base CRL.

    5) Delta CRLs contain serial numbers which were revoked only since the latest Base CRL was issued.

    All these rules are inherited/derived from RFC5280, which is the internet standard for PKI.


    My weblog: http://en-us.sysadmins.lv
    PowerShell PKI Module: http://pspki.codeplex.com
    Windows PKI reference: on TechNet wiki

    • Marked as answer by ManojVer Thursday, May 31, 2012 3:02 PM
    Thursday, May 31, 2012 3:00 PM
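As an added illustration of rules 1 and 4 above (example code, not from the thread or from either poster): what a relying party actually does with the CDP URLs. It reads the CDP extension of the certificate being checked, downloads that CRL, and only accepts it if the CRL's Issuer matches the certificate's Issuer, so a serial number issued by CA2 is never looked up in CA1's CRL, whatever order the URLs appear in. The certificate path, the HTTP-only CDP and the reliance on the text layout of `certutil -dump` are assumptions; CRL signature and ThisUpdate/NextUpdate checks, which `certutil -verify -urlfetch` performs, are deliberately left out.

```powershell
# Added example, not from the original post: which CRL a relying party consults
# for a given certificate. The client downloads the CRL named in the
# certificate's OWN CDP extension and must ignore any CRL whose Issuer differs
# from the certificate's Issuer (RFC 5280, section 6.3.3).
# Assumptions: certificate file path, HTTP CDP URLs, and the text layout of
# "certutil -dump" for a CRL. Signature/validity checks are left to
# "certutil -verify -urlfetch <cert>".

function Get-CdpUrl {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # 2.5.29.31 = id-ce-cRLDistributionPoints. .NET Framework has no typed class
    # for it, so take the formatted text and pull out the URL= values.
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    if (-not $ext) { return @() }
    [regex]::Matches($ext.Format($true), 'URL=(\S+)') | ForEach-Object { $_.Groups[1].Value }
}

function Get-CrlSummary {
    param([string]$CrlPath)
    # certutil -dump prints an "Issuer:" header followed by one indented RDN per
    # line, and later one "Serial Number:" line per revoked certificate.
    $issuer = @(); $serials = @(); $inIssuer = $false
    foreach ($line in (certutil -dump $CrlPath)) {
        if ($line -match '^\s*Issuer:\s*$') { $inIssuer = $true; continue }
        if ($inIssuer -and $line -match '^\s+([A-Za-z]+=.+?)\s*$') { $issuer += $Matches[1]; continue }
        $inIssuer = $false
        if ($line -match 'Serial Number:\s*([0-9A-Fa-f]+)') { $serials += $Matches[1].ToLower().TrimStart('0') }
    }
    [pscustomobject]@{ Issuer = $issuer; Serials = $serials }
}

function Test-CertificateRevocation {
    param([string]$CertPath, [string]$WorkDir = $env:TEMP)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
    $serial = $cert.SerialNumber.ToLower().TrimStart('0')
    # Compare issuer names as sets of RDNs so RDN ordering differences between
    # .NET and certutil output do not matter.
    $certIssuer = ($cert.Issuer -split ',\s*(?=[A-Za-z]+=)') | Sort-Object
    $web = New-Object System.Net.WebClient   # works on PowerShell 2.0 / Windows 2008
    foreach ($url in Get-CdpUrl $cert) {
        if ($url -notmatch '^https?://') { continue }        # ldap:// CDPs skipped in this example
        $local = Join-Path $WorkDir ([IO.Path]::GetFileName(([uri]$url).AbsolutePath))
        $web.DownloadFile($url, $local)
        $crl = Get-CrlSummary $local
        if (-not $crl.Issuer -or (Compare-Object $certIssuer ($crl.Issuer | Sort-Object))) {
            Write-Warning "$url is issued by '$($crl.Issuer -join ', ')', not by this certificate's issuer; ignored"
            continue
        }
        return [pscustomobject]@{
            Certificate    = $cert.Subject
            Serial         = $serial
            CrlUrl         = $url
            RevokedEntries = $crl.Serials.Count
            Revoked        = ($crl.Serials -contains $serial)
        }
    }
    Write-Warning "no applicable CRL found for $($cert.Subject); a real client treats this as 'revocation status unknown'"
}

# Usage (assumed path): Test-CertificateRevocation -CertPath C:\temp\user.cer
```

Run against a certificate issued by CA2, the function returns the result from CA2.crl and warns about (and skips) CA1.crl if that URL were ever present, which is the mechanical reason the "serial 15 in CRL1" scenario cannot occur: a certificate only ever points at its own issuer's CRL, and any other CRL is not applicable to it.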
  • Hey ManojVer,

    In a non-cluster CA setup:

    Each Issuing CA maintains its own CRL that contains the listing of all revoked certificates that it (and only it) issued. If the certificate has not been revoked it will not show up in the CRL of the CA that issued it. This CRL can be published to any location you specify and can be included as a value on the issued certificate so the client knows where to download it from if that client doesn't already have a cached CRL locally. This location is the CDP (CRL distribution point).

    The second Issuing CA's CRL does not contain listings for any revoked certificates that the 1st Issuing CA revoked.

    Therefore your setup should be:

    CRL1 (Published by CA1) contains serial nos. 1-10 (that means you have 10 certs revoked, btw)
    • The CDP path contains URL: http://crl.test.com/crl/CA1.crl

    AND

    CRL2 (Published by CA2) contains serial nos. 11-20 (that means you also have 10 certs revoked)
    • The CDP path URL: http://crl.test.com/crl/CA2.crl

    To provide high availability for CRL checking, create crl.test.com with an IP that's really a VIP and load balance two or more web servers behind it so each web server has both CA1.crl and CA2.crl files in the "crl.test.com/crl" folder. You could use the two issuing CAs as they have IIS already for the web enrollment piece if you like. To make sure the files get published, you can on both CAs:

    Scenario 1

    1) Create 1 CDP path for Webserver 1 (Publish but don't include in Certificate checkbox)

    2) Create 1 CDP path for Webserver 2 (Publish but don't include in Certificate checkbox)

    3) Create 1 CDP path for the "VIP'd" name (crl.test.com) - (Don't Publish but include in Certificate checkbox)

    4) The client will only see the 3rd path, but since it's load balanced between the two web servers and the CRL is getting published there, it'll be able to get to them.

    Scenario 2

    1) Create 1 CDP path for the "VIP'd" name (crl.test.com) - (Publish AND include in Certificate checkbox)

    2) Use DFS or some other replication protocol to ensure consistency between all the folders hosting the CRL files on each CA/web server

    Hope this helped!!

    Thursday, December 13, 2012 6:47 PM
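Scenario 1 above, expressed as the CRLPublicationURLs value each issuing CA is given with certutil, as an added example that is not part of the thread or of the poster's setup. It is meant to be run in an elevated PowerShell on each issuing CA (Windows 2008 has no ADCS cmdlets; certutil is the tool that is actually typed there). The host names webserver1/webserver2.test.com, the share name crl$, the folder C:\inetpub\crl, the VIP name crl.test.com and the domain TEST are assumptions; the flag bits and %-tokens are certutil's documented ones.

```powershell
# Added example, not from the original post: Scenario 1 as the
# CRLPublicationURLs value each issuing CA gets. Run it in an elevated
# PowerShell on EACH issuing CA; the %3 (CA name) token makes the file name
# unique per CA (CA1.crl vs CA2.crl), so both CAs can publish into one folder.
# Assumed names: webserver1/webserver2.test.com behind the VIP name
# crl.test.com, each sharing C:\inetpub\crl as crl$; domain TEST.
#
# Flag bits (CSURL_* values, the same bits the MMC checkboxes set):
#   1  = publish the base CRL to this location
#   2  = include this URL in the CDP extension of issued certificates
#   4  = include this URL in the Freshest CRL (delta CRL) extension
#   64 = publish the delta CRL to this location
# Tokens: %3 = CA name, %8 = CRL name suffix, %9 = delta suffix ("+" for delta).
$crlUrls = @(
    '1:C:\Windows\system32\CertSrv\CertEnroll\%3%8%9.crl',  # local copy, keep the default
    '65:\\webserver1.test.com\crl$\%3%8%9.crl',             # publish base+delta, not in certs
    '65:\\webserver2.test.com\crl$\%3%8%9.crl',             # publish base+delta, not in certs
    '6:http://crl.test.com/crl/%3%8%9.crl'                   # in certs (CDP + Freshest CRL), not published
)

# certutil takes a REG_MULTI_SZ as a single argument with literal "\n" separators.
certutil -setreg CA\CRLPublicationURLs ($crlUrls -join '\n')

# The new value is read at service start; then publish a base and delta CRL now
# so every web server has files before the DNS CNAME is repointed to the VIP.
Restart-Service certsvc
Start-Sleep -Seconds 5
certutil -crl

# Verify what was stored and what a client will fetch through the VIP name.
certutil -getreg CA\CRLPublicationURLs
$caName = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration').Active
$web = New-Object System.Net.WebClient
foreach ($file in "$caName.crl", "$caName+.crl") {
    $url = "http://crl.test.com/crl/$file"
    try   { '{0,-55} {1,7} bytes' -f $url, $web.DownloadData($url).Length }
    catch { Write-Warning "$url not reachable: $($_.Exception.Message)" }
}

# One-time setup on each web server, otherwise publishing or the delta fetch
# fails: the CA computer accounts (members of Cert Publishers by default) need
# Modify on the folder and Change on the share, and IIS 7 request filtering
# must allow the "+" in the delta CRL file name.
#   icacls C:\inetpub\crl /grant "TEST\Cert Publishers:(OI)(CI)M"
#   appcmd set config "Default Web Site" /section:requestFiltering /allowDoubleEscaping:true
```

The two UNC entries answer Q4 from the original question: the CA pushes its CRL over SMB under its computer account at every publication interval, so nothing has to be copied by hand as long as the CA can reach and authenticate to the web servers; the "65" entries publish, the "6" entry is what ends up in issued certificates.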