
Offline Root CA and CDP/AIA paths

Posted by Harkin on August 29, 2005, 8:26 am
So I have my offline root CA finally set up and used the CAPolicy.inf file to
make sure that the extensions were not included in the cert. My
understanding is that I should remove the http and ldap lines from the
extensions in the manager and just leave the local path only. A few of the
resources that I have checked (white papers, books, etc.) say that I should go
in and modify these paths to point to something that is reachable for the
clients when they get a cert from my ent sub CA. Which one is it?




Posted by Brian Komar on August 31, 2005, 9:21 am
nospam@dont.send.any.spam.here.gmail.com says...
> So I have my offline root CA finally set up and used the CAPolicy.inf file to
> make sure that the extensions were not included in the cert. My
> understanding is that I should remove the http and ldap lines from the
> extensions in the manager and just leave the local path only. A few of the
> resources that I have checked (white papers, books, etc.) say that I should go
> in and modify these paths to point to something that is reachable for the
> clients when they get a cert from my ent sub CA. Which one is it?
>
You are talking about two different settings. Let me try and explain.
1) It is recommended to not have any CDP or AIA extensions in the actual
root CA certificate. This is accomplished, as you mention, by
configuring the CAPolicy.inf file. This file handles the extensions
included in *the* root CA certificate.

2) It is required to have CDP and AIA extensions in any certificates
issued *by* the root CA. This is accomplished on the Extensions tab.
When you modify these paths (using certutil -setreg), you are modifying
the CDP and AIA extensions in *subordinate CA certificates*.

HTH,
Brian
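
As an added example (not from the thread, and not Brian's own commands), here are the two settings he distinguishes as they would be typed on the root CA, followed by the publish step Harkin mentions later (certutil -dspublish) and a check that the URLs in the issued sub CA certificate actually resolve. The host name ROOTCA, the CA name "Corp Root CA", the forest corp.example.com, the HTTP host and the C:\transfer paths are all assumptions.

```powershell
# Added example, not from the thread. Assumed names: root CA host ROOTCA, CA name
# "Corp Root CA", forest corp.example.com, HTTP host pki.corp.example.com.

# 1) The root CA's OWN certificate: %windir%\CAPolicy.inf, written BEFORE Certificate
#    Services is installed. Empty CDP/AIA sections keep both extensions out of the
#    self-signed root certificate (a root has no issuer for a client to chase anyway).
@'
[Version]
Signature="$Windows NT$"
[CRLDistributionPoint]
Empty=True
[AuthorityInformationAccess]
Empty=True
'@ | Set-Content -Path "$env:windir\CAPolicy.inf" -Encoding Ascii

# 2) Certificates ISSUED by the root (the enterprise sub CA cert): the Extensions tab
#    is a front end for these two registry values. Each entry is "flags:url", entries
#    separated by a literal \n. Flags: 1 = the CA writes the file here, 2 = put the
#    URL in the CDP/AIA extension of issued certs, 8 = put the URL in every CRL
#    (certutil -dspublish reads it to find the AD location), 10 = 2 + 8.
#    The local path (flag 1) is the only place an offline root can actually write;
#    the LDAP and HTTP URLs are what clients will follow, so they must be reachable.
certutil -setreg CA\CRLPublicationURLs "1:$env:windir\system32\CertSrv\CertEnroll\%3%8%9.crl\n10:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10\n2:http://pki.corp.example.com/certenroll/%3%8%9.crl"
certutil -setreg CA\CACertPublicationURLs "1:$env:windir\system32\CertSrv\CertEnroll\%1_%3%4.crt\n2:ldap:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,%6%11\n2:http://pki.corp.example.com/certenroll/%1_%3%4.crt"
Restart-Service certsvc
certutil -crl                              # re-issue the CRL so it carries the new CDP entries
certutil -getreg CA\CRLPublicationURLs     # inspect what the Extensions tab will now show

# 3) Getting the files to where the URLs point. The root is not a domain member, so
#    copy %windir%\system32\CertSrv\CertEnroll\*.crt and *.crl to a domain-joined
#    machine and run these as an Enterprise Admin. "RootCA" publishes the certificate
#    to the Certification Authorities and AIA containers; the CRL is placed in the
#    CN=ROOTCA,CN=CDP,... object named inside it (created if it does not exist yet).
certutil -dspublish -f "C:\transfer\rootca_Corp Root CA.crt" RootCA
certutil -dspublish -f "C:\transfer\Corp Root CA.crl"
Copy-Item "C:\transfer\*" "\\pki.corp.example.com\certenroll\"   # assumed web share

# 4) Check from a domain client with the issued sub CA certificate: -urlfetch really
#    retrieves every CDP and AIA URL in the chain and reports the ones that fail.
certutil -verify -urlfetch "C:\transfer\subca.crt"
```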


Posted by Harkin on September 7, 2005, 1:51 pm
> nospam@dont.send.any.spam.here.gmail.com says...
>> So I have my offline root CA finally set up and used the CAPolicy.inf file to
>> make sure that the extensions were not included in the cert. My
>> understanding is that I should remove the http and ldap lines from the
>> extensions in the manager and just leave the local path only. A few of the
>> resources that I have checked (white papers, books, etc.) say that I should go
>> in and modify these paths to point to something that is reachable for the
>> clients when they get a cert from my ent sub CA. Which one is it?
>>
> You are talking about two different settings. Let me try and explain.
> 1) It is recommended to not have any CDP or AIA extensions in the actual
> root CA certificate. This is accomplished, as you mention, by
> configuring the CAPolicy.inf file. This file handles the extensions
> included in *the* root CA certificate.
>
> 2) It is required to have CDP and AIA extensions in any certificates
> issued *by* the root CA. This is accomplished on the Extensions tab.
> When you modify these paths (using certutil -setreg), you are modifying
> the CDP and AIA extensions in *subordinate CA certificates*.
>
> HTH,
> Brian

I have everything mostly set up with the exception of one item. For the CDP
extensions on the issued certs (for the Ent sub) from the Root CA, do I want
to keep the server name ( <ServerShortName> ) in there or should it be taken
out?




Posted by Brian Komar [MVP] on September 8, 2005, 12:52 am
nospam@dont.send.any.spam.here.gmail.com says...
> > nospam@dont.send.any.spam.here.gmail.com says...
> >> So I have my offline root CA finally set up and used the CAPolicy.inf file to
> >> make sure that the extensions were not included in the cert. My
> >> understanding is that I should remove the http and ldap lines from the
> >> extensions in the manager and just leave the local path only. A few of the
> >> resources that I have checked (white papers, books, etc.) say that I should go
> >> in and modify these paths to point to something that is reachable for the
> >> clients when they get a cert from my ent sub CA. Which one is it?
> >>
> > You are talking about two different settings. Let me try and explain.
> > 1) It is recommended to not have any CDP or AIA extensions in the actual
> > root CA certificate. This is accomplished, as you mention, by
> > configuring the CAPolicy.inf file. This file handles the extensions
> > included in *the* root CA certificate.
> >
> > 2) It is required to have CDP and AIA extensions in any certificates
> > issued *by* the root CA. This is accomplished on the Extensions tab.
> > When you modify these paths (using certutil -setreg), you are modifying
> > the CDP and AIA extensions in *subordinate CA certificates*.
> >
> > HTH,
> > Brian
>
> I have everything mostly set up with the exception of one item. For the CDP
> extensions on the issued certs (for the Ent sub) from the Root CA, do I want
> to keep the server name ( <ServerShortName> ) in there or should it be taken
> out?
>
I always recommend keeping the default names for all certificate (AIA)
and CRL (CDP) paths. The default paths include unique naming, and also
include versioning for down the road when the certificates expire and
are renewed either with the same key pair or with a different key pair.

The defaults for certificates are %1_%3%4.crt
The defaults for CRLs are %3%8%9.crl

Brian


Posted by Harkin on September 8, 2005, 8:40 am
> nospam@dont.send.any.spam.here.gmail.com says...
>> > nospam@dont.send.any.spam.here.gmail.com says...
>> >> So I have my offline root CA finally set up and used the CAPolicy.inf file to
>> >> make sure that the extensions were not included in the cert. My
>> >> understanding is that I should remove the http and ldap lines from the
>> >> extensions in the manager and just leave the local path only. A few of the
>> >> resources that I have checked (white papers, books, etc.) say that I should go
>> >> in and modify these paths to point to something that is reachable for the
>> >> clients when they get a cert from my ent sub CA. Which one is it?
>> >>
>> > You are talking about two different settings. Let me try and explain.
>> > 1) It is recommended to not have any CDP or AIA extensions in the actual
>> > root CA certificate. This is accomplished, as you mention, by
>> > configuring the CAPolicy.inf file. This file handles the extensions
>> > included in *the* root CA certificate.
>> >
>> > 2) It is required to have CDP and AIA extensions in any certificates
>> > issued *by* the root CA. This is accomplished on the Extensions tab.
>> > When you modify these paths (using certutil -setreg), you are modifying
>> > the CDP and AIA extensions in *subordinate CA certificates*.
>> >
>> > HTH,
>> > Brian
>>
>> I have everything mostly set up with the exception of one item. For the CDP
>> extensions on the issued certs (for the Ent sub) from the Root CA, do I want
>> to keep the server name ( <ServerShortName> ) in there or should it be taken
>> out?
>>
> I always recommend keeping the default names for all certificate (AIA)
> and CRL (CDP) paths. The default paths include unique naming, and also
> include versioning for down the road when the certificates expire and
> are renewed either with the same key pair or with a different key pair.
>
> The defaults for certificates are %1_%3%4.crt
> The defaults for CRLs are %3%8%9.crl
>
> Brian

What I meant was in the actual LDAP string for the CDP config on the RootCA.
The string looks like this:

Ldap:///CN=<CATruncatedName><CRLNameSuffix>,CN=<ServerShortName>,CN=CDP,CN=Public Key Services,CN=Services,<ConfigurationContainer><CDPObjectClass>

Since this machine is not part of the directory, do I leave the machine name
out or do I leave it in and then publish it using the certutil -dspublish
command? I'm a little unclear on this one. Thanks.
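
As an added illustration (not from the thread) of the placeholders in the default names Brian quotes (%1_%3%4.crt and %3%8%9.crl) and in the LDAP string above, this PowerShell function expands the %-number tokens that certutil -setreg uses and the <Name> tokens the CA console shows, for the original key, a key renewed with a new key pair, and a delta CRL. The host, CA and forest names are constructed values, not anything from the thread.

```powershell
# Added example, not from the thread. Expands CDP/AIA URL templates the way the CA
# does, using constructed values for an assumed offline root: host ROOTCA,
# CA "Corp Root CA", forest corp.example.com.
function Expand-CAUrlTemplate {
    param(
        [Parameter(Mandatory)][string]$Template,
        [string]$RenewalSuffix = '',   # '' for the original CA key, '(1)' after renewal with a new key
        [switch]$Delta                 # delta CRL: the DeltaCRLAllowed token becomes '+'
    )
    # N = the %n form certutil -setreg uses; Name = the <Name> form in the Extensions tab.
    $tokens = @(
        @{ N = 1;  Name = 'ServerDNSName';          Text = 'rootca' },
        @{ N = 2;  Name = 'ServerShortName';        Text = 'ROOTCA' },
        @{ N = 3;  Name = 'CaName';                 Text = 'Corp Root CA' },
        @{ N = 4;  Name = 'CertificateName';        Text = $RenewalSuffix },
        @{ N = 6;  Name = 'ConfigurationContainer'; Text = 'CN=Configuration,DC=corp,DC=example,DC=com' },
        @{ N = 7;  Name = 'CATruncatedName';        Text = 'Corp Root CA' },
        @{ N = 8;  Name = 'CRLNameSuffix';          Text = $RenewalSuffix },
        @{ N = 9;  Name = 'DeltaCRLAllowed';        Text = $(if ($Delta) { '+' } else { '' }) },
        @{ N = 10; Name = 'CDPObjectClass';         Text = '?certificateRevocationList?base?objectClass=cRLDistributionPoint' },
        @{ N = 11; Name = 'CAObjectClass';          Text = '?cACertificate?base?objectClass=certificationAuthority' }
    )
    $out = $Template
    # Substitute the two-digit tokens first so %10 and %11 are not read as %1 followed by a digit.
    foreach ($t in ($tokens | Sort-Object { $_.N } -Descending)) {
        $out = $out.Replace("%$($t.N)", $t.Text).Replace("<$($t.Name)>", $t.Text)
    }
    return $out
}

# The default file names: original key, the same CA after renewal with a new key
# (a different suffix, so the old files are not overwritten), base and delta CRL.
Expand-CAUrlTemplate '%1_%3%4.crt'
Expand-CAUrlTemplate '%1_%3%4.crt' -RenewalSuffix '(1)'
Expand-CAUrlTemplate '%3%8%9.crl'
Expand-CAUrlTemplate '%3%8%9.crl' -RenewalSuffix '(1)'
Expand-CAUrlTemplate '%3%8%9.crl' -Delta

# The LDAP CDP string as the CA console shows it, in the <Name> form: the CN after
# CN=CDP is the root CA's own short host name, which is why it appears even when
# that host is not a domain member.
Expand-CAUrlTemplate 'ldap:///CN=<CATruncatedName><CRLNameSuffix>,CN=<ServerShortName>,CN=CDP,CN=Public Key Services,CN=Services,<ConfigurationContainer><CDPObjectClass>'
```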



