Solved

web server certificate contacting root CA

Posted on 2011-03-03
2
532 Views
Last Modified: 2012-05-11
We are doing some internal testing using a web application hosted in IIS and using SSL security (On Windows 2003 Server).  We currently have a test web site that is using an internally created certificate (created from our internal CA structure) to SSL (https) the web page.  

First a look at our internal CA structure.  The Root CA is in our Root Domain (ourname.net) of our domain structure.  2 Subordinate CA’s are in the Sub-Domain (office.ourname.net) of our domain structure.

The web server and clients exists in office.ourname.net domain – shown below.

We did some network traffic monitoring while testing client access to the secured website.  When the client’s browser setting for “check for server certificate revocation” is turned on. – we were surprised to see traffic from our clients not only to the Subordinate CA (we expected this), but also to the Root CA.  We are assuming this was to check for a recent CRL (certificate revocation list) to make sure the given certificate has not since been revoked from its original creation.

domain
Given that we plan to take our Root CA offline in the near future – this is concerning.  

websrv
1.      Why would this be happening if the subordinate was the CA that issued the cert to the web server?  
2.      Was there an error in the way we created this certificate for the website?  
3.      Is there an error in the way we are handling CRL’s in relation to our Root CA?
4.      How can we offline our Root CA if it is actively publishing CRL’s - and apparently from this test - our clients will be looking from them.

(I know its 4 questions here - will split points if need be)
0
Comment
Question by:FLPeople
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 62

Assisted Solution

by:gheist
gheist earned 100 total points
ID: 35034721
If you take your CRL offline make sure web server is taken off and refuses http connections, so that users feel less timeout.
0
 
LVL 15

Accepted Solution

by:
pcsmitpra earned 400 total points
ID: 35035890
1.      Why would this be happening if the subordinate was the CA that issued the cert to the web server?  
>>>> Have you placed the ROOT certificate in the place on webserver using certificate wizard ,becoz browser was trying to get root certificate.
2.      Was there an error in the way we created this certificate for the website?  
>>>> Does not seems though Not sure.
3.      Is there an error in the way we are handling CRL’s in relation to our Root CA?
>>>> Please check if CRL on your webserver is updated and not bad. You can find it in certificate wizard.
4.      How can we offline our Root CA if it is actively publishing CRL’s - and apparently from this test - our clients will be looking from them.
>>>> If Client gets the GOOD CRL , Root Cert and intermediate cert from Webserver itself it wont try to reach Root server, considering the FQDN is fine and SSL is placed to right domain with correct hostname. Probably you would like to import a latest CRL file from root server to web server.
0

Featured Post

Visualize your virtual and backup environments

Create well-organized and polished visualizations of your virtual and backup environments when planning VMware vSphere, Microsoft Hyper-V or Veeam deployments. It helps you to gain better visibility and valuable business insights.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Setting up a Microsoft WSUS update system is free relatively speaking if you have hard disk space and processor capacity.   However, WSUS can be a blessing and a curse. For example, there is nothing worse than approving updates and they just have…
Since pre-biblical times, humans have sought ways to keep secrets, and share the secrets selectively.  This article explores the ways PHP can be used to hide and encrypt information.
Exchange organizations may use the Journaling Agent of the Transport Service to archive messages going through Exchange. However, if the Transport Service is integrated with some email content management application (such as an antispam), the admini…
Finding and deleting duplicate (picture) files can be a time consuming task. My wife and I, our three kids and their families all share one dilemma: Managing our pictures. Between desktops, laptops, phones, tablets, and cameras; over the last decade…

740 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question