
DNS entries for CA authorities with revocation lists?

Last Modified: 2012-06-27
I am looking to set up my own Certificate Authority within our organization. We sell a software solution that will require an onsite VM at our customer's network. I am planning on providing the onsite VM a client certificate as well as importing the Root CA's certificate as a trusted root certificate authority under Windows. The VM will connect back to a webserver that will host a server certificate. The server should check to make sure that the client certificate is valid.

My question is this. I need to make sure that if I revoke the client or server certificate, both parties check with the certificate revocation list within our CA. I will need to make the CRL exposed to the internet. Is there anything in our external DNS server that I need to put in to allow external hosts to be able to determine where pieces of my internal CA authority are? I'm not sure how DNS works with the revocation list. From what I can tell, when you issue the certificate, the locations where the revocation list is posted are contained within the certificate info? Is this true?

Shmoid, Senior Engineer

Yes, you configure your CA with the locations that the CRL can be obtained from, and those locations will be present in every certificate your CA issues. Typically, at a minimum, you will have an LDAP location (stored in Active Directory) for internal clients and an HTTP location for external clients. In your case that HTTP location should be on a webserver that is accessible from outside your network. It doesn't have to be a special server just for the CRL. It could be on any public-facing website you have now.

Your CA will automatically publish the CRL to Active Directory on the schedule you specify on the CA. But you will need to make sure it gets copied to the HTTP location either manually or via script or other automation.  Also, if you are planning to setup a tiered PKI you will need to publish both the offline Root CA's CRL as well as the issuing CA's CRL. Obviously the offline CRL can have a longer validity period and must be published manually.
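As an added example (not code from this thread, and not Windows AD CS code), the mechanism the answer describes, shown end to end with Go's standard library: a CA issues a client certificate that carries a CRL Distribution Points extension, signs a CRL with a validity period, and the relying party reads the CDP URL out of the certificate, verifies that the CRL was signed by the certificate's issuer and is still within its validity period, and only then looks for the serial number. The CDP URL, CA and subject names, serial numbers and the seven-day CRL lifetime are assumed values chosen for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Hypothetical CDP URL. In a real deployment this is the public HTTP
// location configured on the CA; its hostname just has to resolve and be reachable.
const cdpURL = "http://pki.example.invalid/crl/issuing-ca.crl"

// Status is the outcome of a revocation check.
type Status int

const (
	StatusGood       Status = iota // serial not listed in a valid CRL
	StatusRevoked                  // serial listed in the CRL
	StatusCRLInvalid               // CRL unusable: wrong signer, expired, etc.
)

func (s Status) String() string { return [...]string{"good", "revoked", "crl-invalid"}[s] }

// PKI is the in-memory test material: CA cert, one client cert, the CRL.
type PKI struct {
	CACert *x509.Certificate
	Client *x509.Certificate
	CRLDER []byte
}

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// BuildPKI creates a self-signed CA, issues a client certificate whose CRL
// Distribution Points extension names cdpURL, then signs a CRL valid for one
// week that lists the client certificate as revoked when revokeClient is set.
func BuildPKI(revokeClient bool) *PKI {
	now := time.Now()
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Issuing CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign, // CRLSign is required to sign CRLs
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	check(err)
	caCert, err := x509.ParseCertificate(caDER)
	check(err)

	clientKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	clientTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1002),
		Subject:               pkix.Name{CommonName: "customer-vm-01"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(30 * 24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		CRLDistributionPoints: []string{cdpURL}, // the CDP extension itself
	}
	clientDER, err := x509.CreateCertificate(rand.Reader, clientTmpl, caCert, &clientKey.PublicKey, caKey)
	check(err)
	clientCert, err := x509.ParseCertificate(clientDER)
	check(err)

	var revoked []pkix.RevokedCertificate
	if revokeClient {
		revoked = append(revoked, pkix.RevokedCertificate{SerialNumber: clientCert.SerialNumber, RevocationTime: now})
	}
	crlDER, err := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number:              big.NewInt(7),
		ThisUpdate:          now.Add(-time.Minute),
		NextUpdate:          now.Add(7 * 24 * time.Hour), // the CRL validity period
		RevokedCertificates: revoked,
	}, caCert, caKey)
	check(err)
	return &PKI{CACert: caCert, Client: clientCert, CRLDER: crlDER}
}

// CDPURLs returns the CRL locations carried inside the certificate.
func CDPURLs(cert *x509.Certificate) []string { return cert.CRLDistributionPoints }

// CheckRevocation is the relying party's side: after downloading the CRL from
// a CDP URL, verify it before trusting it, then look for the serial number.
func CheckRevocation(cert, issuer *x509.Certificate, crlDER []byte, now time.Time) (Status, error) {
	if err := cert.CheckSignatureFrom(issuer); err != nil {
		return StatusCRLInvalid, fmt.Errorf("certificate not issued by this CA: %w", err)
	}
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return StatusCRLInvalid, err
	}
	// Only a CRL signed by the certificate's issuer counts.
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return StatusCRLInvalid, fmt.Errorf("CRL signature: %w", err)
	}
	// A CRL past NextUpdate is stale and must not be used; this is why the
	// CRL has to be republished to the HTTP location before it expires.
	if now.Before(crl.ThisUpdate) || now.After(crl.NextUpdate) {
		return StatusCRLInvalid, errors.New("CRL outside its validity period")
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return StatusRevoked, nil
		}
	}
	return StatusGood, nil
}

func main() {
	p := BuildPKI(true)
	st, err := CheckRevocation(p.Client, p.CACert, p.CRLDER, time.Now())
	fmt.Println(CDPURLs(p.Client), st, err)
}
```

In the deployment described in the answer, the step between CDPURLs and CheckRevocation is an HTTP GET of each listed URL; nothing about the URL is looked up in DNS beyond its hostname. The stale-CRL branch is the failure mode to watch: if the scripted copy to the web server stops running and NextUpdate passes, a strict relying party rejects every certificate from that CA, not just revoked ones.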


Ok, I see that the certificates have the CRL lists in them. I just wasn't sure if there were specific types of DNS records (other than an A record) that would be required to be published in DNS for the CA's and the web server's basic functionality.
Shmoid, Senior Engineer
No, you should not need to add any DNS records. Definitely not for your CA. And as long as the website domain where you decide to place the CRL is accessible from outside, no DNS changes need to be made.


Thank you very much for the help.
