II am looking to setup my own Certificate Authority within our organization. We sell a software solution that will require an onsite VM at our customer’s network. I am planning on providing the onsite VM a client certificate as well as import the Root CA’s certificate as a trusted root certificate authority under windows. The VM will connect back to a webserver that will host a server certificate. The Server should check to make sure that the client certificate is valid.
My question is this. I need to make sure that if I revoke the client or server certificate, that both parties check with the certificate revocation list within our CA. I will need to make the CRL exposed to the internet. Is there anything in our external DNS server that I need to put in to allow external hosts to be able to determine where pieces of my internal CA authority are? I’m not sure how DNS works within the revocation list. From what I can tell is that when you issue the certificate, the locations of where the revocation list are posted are contained within the certificate info? Is this true?