We are doing some internal testing using a web application hosted in IIS and using SSL security (On Windows 2003 Server). We currently have a test web site that is using an internally created certificate (created from our internal CA structure) to SSL (https) the web page.
First, a look at our internal CA structure. The Root CA is in our Root Domain (ourname.net) of our domain structure. Two subordinate CAs are in the sub-domain (office.ourname.net) of our domain structure.
The web server and clients exist in the office.ourname.net domain – shown below.
We did some network traffic monitoring while testing client access to the secured website. When the client’s browser setting for “check for server certificate revocation” is turned on, we were surprised to see traffic from our clients not only to the Subordinate CA (we expected this), but also to the Root CA. We are assuming this was to check for a recent CRL (certificate revocation list) to make sure the given certificate has not since been revoked from its original creation.
Given that we plan to take our Root CA offline in the near future – this is concerning.
1. Why would this be happening if the subordinate was the CA that issued the cert to the web server?
2. Was there an error in the way we created this certificate for the website?
3. Is there an error in the way we are handling CRLs in relation to our Root CA?
4. How can we take our Root CA offline if it is actively publishing CRLs – and, apparently from this test, our clients will be looking for them?
(I know it's 4 questions here – will split points if need be)
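Added example, not part of the original post: a PowerShell script that walks the certificate chain of a server certificate and prints the CRL Distribution Point (CDP) extension of each certificate in it. A revocation-checking client does not only check the leaf certificate; it checks every certificate below the root, and the subordinate CA's own certificate was issued by the Root CA, so its CDP points at the Root CA's CRL. Listing the CDPs per chain element shows exactly which CRL URLs a client will contact (the path `.\site.cer` is a hypothetical exported copy of the web server certificate).

```powershell
# Added example (not from the original post): list the CRL Distribution Points
# of every certificate in a server certificate's chain. The file path is a
# hypothetical exported copy of the IIS site certificate (DER or Base64 .cer).
param([string]$CertPath = ".\site.cer")

$leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertPath)

# Build the chain from the local store without fetching CRLs, so the output
# shows the CDP URLs rather than triggering the downloads we are explaining.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$null = $chain.Build($leaf)

$index = 0
foreach ($element in $chain.ChainElements) {
    $cert = $element.Certificate
    Write-Host ("[{0}] Subject : {1}" -f $index, $cert.Subject)
    Write-Host ("    Issuer  : {0}" -f $cert.Issuer)

    # OID 2.5.29.31 is the CRL Distribution Points extension
    $cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.31" }
    if ($cdp) {
        # Format($true) renders the extension as multi-line text including the URLs
        Write-Host ("    CDP     :`n{0}" -f $cdp.Format($true))
    } else {
        Write-Host "    CDP     : (none - a self-signed root carries no CDP for itself)"
    }
    $index++
}
```

Reading the output top-down: element 0 is the web server certificate (its CDP names the subordinate CA's CRL), element 1 is the subordinate CA certificate (its CDP names the Root CA's CRL, which is the traffic to the Root CA seen in the capture), and the last element is the self-signed root, which has no CRL to check for itself. The same chain-and-fetch behaviour can be observed with the built-in tool `certutil -verify -urlfetch .\site.cer`, which actually downloads each CRL and reports whether the locations are reachable; that is the check to run before the Root CA goes offline, since the Root CA's CRL must remain published at the CDP URL in the subordinate CA certificates (for example on a web server or in Active Directory) even when the Root CA machine itself is not on the network.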