CraigShag

asked on

Subordinate Certificate authority, CRL Downloading how is it done?

For the company I work for I have set up an offline root CA and a subordinate CA.

I know I need to put the offline CA back online when the CRL is due to be downloaded. My questions are:
when will the CRL be downloaded?
if it fails at first, how frequently will the subordinate CA attempt to download the CRL?
can I force the subordinate CA to download the CRL?
if someone was daft enough to forget to put the offline root CA online, what would be the best approach to get the subordinate CA to download the CRL, and will the subordinate CA fail to function if this happens?

All the CA settings (offline root and subordinate CA) are currently set to default, I haven't played with them YET!

thanks in advance ;)
ASKER CERTIFIED SOLUTION
Paranormastic
CraigShag

ASKER

That's great, I didn't know you could keep the root CA offline all the time, I thought you had to put it online every time a sub needs a new CRL.

I will use USB drives like you said. I am going to set this up on VMware, with a bit of luck I'll get time to try your recommendations today.

Thanks for the advice, it's really appreciated, it's helped a lot!!!
hi,
1. The root CA (the offline one) shouldn't even have a network card (Microsoft recommendation). Make it a VM, burn it on DVD, hide it well.

2. When configuring your root CA you can make the CRL (certificate revocation list) valid for e.g. 180 days:
certutil -setreg ca\CRLPeriodUnits 180
certutil -setreg ca\CRLPeriod "Days"
That way you only need your offline root CA switched on 2x/year,
unless you plan on your sub CA being compromised more often than that (you can always publish a BetaCRL if that happens).

3. Publish your offline root CA's CRL and AIA in a well accessible place (intranet web server + Active Directory). You will need to do that every 6 months.

4. Your online issuing sub CA (AD integrated) will have no problems being authorised that way.
5. Good luck
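The procedure in the answer above, written out as a PowerShell script. This is an added example, not code from the thread: it sets the 180-day CRL schedule on the offline root (with defaults, the root publishes a base CRL valid for only one week, so the sub CA stalls within days of the root going dark), exports the CRL and root certificate to removable media, publishes both to the HTTP and LDAP CDP/AIA locations from a domain-joined box, and gives the sub CA a check that answers the asker's last question: whether the chain currently verifies, and when the published root CRL runs out. Assumed names: the root is "CorpRootCA" on host CORPROOTCA, the stick is E:\pki, the web CDP/AIA directory is the share \\intranet\pki, and the sub CA's certificate is SubCA.crt in its CertEnroll folder.

```powershell
# Added example (not from the thread). Assumed: root CA "CorpRootCA" on host CORPROOTCA,
# stick at E:\pki, HTTP CDP/AIA directory at \\intranet\pki, sub CA cert SubCA.crt.

#--- Run on the OFFLINE ROOT CA, as a CA administrator ------------------------------

function Set-RootCrlSchedule {
    param(
        [int]$ValidityDays = 180,   # base CRL period, as in the answer above
        [int]$OverlapDays  = 14     # grace period: NextUpdate = ThisUpdate + period + overlap
    )
    certutil -setreg CA\CRLPeriodUnits $ValidityDays
    certutil -setreg CA\CRLPeriod 'Days'
    # The overlap keeps the published CRL valid for a while after the root was due to
    # re-issue it, which is what covers a late trip to the offline box.
    certutil -setreg CA\CRLOverlapUnits $OverlapDays
    certutil -setreg CA\CRLOverlapPeriod 'Days'
    # A root that is off most of the year cannot keep a delta CRL fresh: disable delta CRLs.
    certutil -setreg CA\CRLDeltaPeriodUnits 0
    Restart-Service certsvc        # registry changes take effect when the CA service restarts
}

function Export-RootCrl {
    param([string]$Stick = 'E:\pki')   # assumed removable-media path
    certutil -CRL | Out-Null           # issue a fresh base CRL now, on the schedule above
    $enroll = Join-Path $env:SystemRoot 'System32\CertSrv\CertEnroll'
    New-Item -ItemType Directory -Force -Path $Stick | Out-Null
    Copy-Item (Join-Path $enroll '*.crl') $Stick -Force   # the CRL for the CDP location
    Copy-Item (Join-Path $enroll '*.crt') $Stick -Force   # the root cert for the AIA location
    Get-ChildItem $Stick
}

#--- Run on a DOMAIN-JOINED box (e.g. the issuing sub CA), as an Enterprise Admin ---

function Publish-RootCrl {
    param(
        [string]$Stick    = 'E:\pki',
        [string]$WebRoot  = '\\intranet\pki',   # assumed IIS directory behind the HTTP CDP/AIA URL
        [string]$RootHost = 'CORPROOTCA'        # assumed host name of the root; names its CDP container
    )
    $crt = Get-ChildItem (Join-Path $Stick '*.crt') | Select-Object -First 1
    $crl = Get-ChildItem (Join-Path $Stick '*.crl') | Select-Object -First 1
    # HTTP CDP/AIA: a plain file copy into the web directory is all the web server needs.
    Copy-Item $crt.FullName, $crl.FullName -Destination $WebRoot -Force
    # LDAP CDP/AIA in the Configuration partition: the root cert goes to the Certification
    # Authorities container (RootCA keyword), the CRL to the CDP container named after the host.
    certutil -dspublish -f $crt.FullName RootCA
    certutil -dspublish -f $crl.FullName $RootHost
}

#--- Run on the SUB CA to answer "will it keep working?" ----------------------------

function Get-CrlNextUpdate {
    param([string]$CrlPath)
    # certutil -dump prints a "NextUpdate: <date>" line for a CRL, in the local date format.
    $line = certutil -dump $CrlPath | Select-String '^\s*NextUpdate:' | Select-Object -First 1
    [datetime]($line.Line -replace '^\s*NextUpdate:\s*', '')
}

function Test-ParentChain {
    param([string]$SubCaCert = (Join-Path $env:SystemRoot 'System32\CertSrv\CertEnroll\SubCA.crt'))
    # The URL cache is per user and certsvc runs as SYSTEM, so run this as SYSTEM (e.g. psexec -s)
    # to flush the copy the service actually consults, then re-fetch every AIA/CDP URL live.
    certutil -urlcache crl delete | Out-Null
    $out = certutil -verify -urlfetch $SubCaCert 2>&1 | Out-String
    # 0x80092013 = CRYPT_E_REVOCATION_OFFLINE: the root CRL could not be fetched or has expired.
    # In that state certsvc on the sub CA refuses to start until a fresh root CRL is published.
    if ($out -match '80092013') { 'offline' } else { 'ok' }
}
```

Run Set-RootCrlSchedule once, then Export-RootCrl and Publish-RootCrl every six months; Test-ParentChain is the forced re-fetch the asker wanted (flush the cache, verify with -urlfetch), and a scheduled task that alerts when Get-CrlNextUpdate on the published CRL is less than the overlap away is what stops anyone from forgetting the root.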