Posted by janus.toendering on April 26, 2006, 2:46 am
Hi,
I have a two-tier setup at my company with the Root CA stored away in a
safe - and an issuing CA online. I have read and followed most of the
Microsoft documentation on this subject - and I realize it is quite
complex to setup.
Everything is working though - except that every week "CDP Location #1"
of the RootCA is expiring. Is there any way to delegate this job to the
online CA - or configure any other way so that I won't have to manually
fetch the CDP from the offline CA once a week?
Hope you can help.
Best regards,
Janus N. Tøndering
Posted by bagins on April 26, 2006, 5:49 am
Hi,
I believe that you will have to change CRL publication interval on your
offline root CA. You can do it from GUI or CMD using certutil command.
Technet article:
http://technet2.microsoft.com/WindowsServer/en/Library/6c9228ed-6a21-45e8-bb67-d66f56276c0c1033.mspx
--
************************
Best regards
Dejan
************************
Posted by janus.toendering@gmail.com on April 26, 2006, 8:54 am
Is this the way around it? I mean, do I really have to publish the CRL
from the RootCA manually every time interval? And how does this impact
security say I make it a year or more?
Posted by bagins on April 26, 2006, 11:39 am
Well, yes. You will have to do it manually every time because your root CA
is offline, which is considered a very good security practice.
You can also re-sign the old CRL without the need to publish and copy from the
offline root, but you will need the root CA private key. Use the "certutil -sign"
option. Having a root CA private key around is not considered a good
security practice. It should be stored somewhere safe.
http://technet2.microsoft.com/WindowsServer/en/Library/a29de265-85b8-48d8-b7b9-046eabb6ce741033.mspx
IMHO it is not a security problem if you extend crl publication interval,
because your root CA can revoke only one cert - the issuing CA cert. If
issuing CA cert becomes compromised, you will have to revoke it manually
anyway and publish a new CRL. The point is - you don't need to publish root
crl often, because it rarely changes.
http://technet2.microsoft.com/WindowsServer/en/Library/eeeed187-7b72-4c85-aa8e-60156e4ed4851033.mspx
************************
Best regards
Dejan
************************
> Is this the way around it? I mean, do I really have to publish the CRL
> from the RootCA manually every time interval? And how does this impact
> security say I make it a year or more?
>
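Added worked example (not part of any post in this thread, and not taken from the linked TechNet articles) of what the two replies describe: lengthening the root CA's CRL publication interval with certutil -setreg, publishing and checking the new CRL, carrying it to the online side, and the certutil -sign alternative that needs the root's private key. The CRL file name RootCA.crl, the share \\issuingca\CertEnroll and the 52-week period are assumptions chosen for the example; the registry value names and certutil verbs are the standard ones for Windows Certificate Services.

```powershell
# Added example, not from the thread. Run on the offline root CA as a local
# administrator. Assumed: the CA writes RootCA.crl under CertEnroll, and the
# CDP extension already points clients at the issuing CA's web share and AD.

# 1. See what the root currently does (the thread's one-week period).
certutil -getreg CA\CRLPeriodUnits
certutil -getreg CA\CRLPeriod

# 2. Base CRL valid for 52 weeks, with a 2-week overlap so a CRL that is
#    published a little late still verifies. Delta CRLs make no sense on an
#    offline CA, so they are switched off.
certutil -setreg CA\CRLPeriodUnits 52
certutil -setreg CA\CRLPeriod "Weeks"
certutil -setreg CA\CRLOverlapUnits 2
certutil -setreg CA\CRLOverlapPeriod "Weeks"
certutil -setreg CA\CRLDeltaPeriodUnits 0

# The CA service reads these values when it starts.
Restart-Service -Name CertSvc

# 3. Publish a fresh base CRL under the new settings.
certutil -crl

# 4. Check ThisUpdate/NextUpdate on the file that was written (assumed name).
$crl = Join-Path $env:SystemRoot 'System32\CertSrv\CertEnroll\RootCA.crl'
certutil -dump $crl | Select-String -Pattern 'ThisUpdate|NextUpdate'

# 5. Carry the CRL to the online side (removable media in practice) and
#    publish it everywhere the CDP extension says clients will look:
#    the HTTP/file CDP (assumed share name) and Active Directory.
Copy-Item -Path $crl -Destination '\\issuingca\CertEnroll\RootCA.crl'
certutil -dspublish -f $crl

# Alternative from the second reply: re-sign the existing CRL with a new
# validity window instead of running -crl. This uses the root CA's private
# key, so it can only be done where that key lives (the offline root).
# "+365:0" is days:hours of validity from now.
$resigned = Join-Path $env:TEMP 'RootCA-resigned.crl'
certutil -sign $crl $resigned +365:0
certutil -dump $resigned | Select-String -Pattern 'NextUpdate'

# 6. On the online side, prove revocation checking works end to end by
#    verifying the issuing CA certificate with URL fetching enabled
#    (assumed file name IssuingCA.cer).
certutil -verify -urlfetch C:\temp\IssuingCA.cer
```

One caveat the thread does not spell out: clients cache a CRL until its NextUpdate, so with a year-long root CRL an emergency revocation of the issuing CA certificate is not only a matter of publishing a new CRL from the safe; already-cached copies keep validating the old chain until they expire or are flushed (for example with certutil -urlcache crl delete on the affected machines). Pick the period with that window in mind rather than only for convenience.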
Posted by janus.toendering@gmail.com on April 30, 2006, 5:26 pm
Thank you for your answer, bagins. That clarified a few things.