jbla9028 asked:

DNS entries for CA authorities with revocation lists?

I am looking to set up my own Certificate Authority within our organization. We sell a software solution that will require an onsite VM at our customer's network. I am planning on providing the onsite VM a client certificate as well as importing the Root CA's certificate as a trusted root certificate authority under Windows. The VM will connect back to a webserver that will host a server certificate. The server should check to make sure that the client certificate is valid.

My question is this: I need to make sure that if I revoke the client or server certificate, both parties check the certificate revocation list within our CA. I will need to make the CRL exposed to the internet. Is there anything in our external DNS server that I need to put in to allow external hosts to determine where pieces of my internal CA are? I'm not sure how DNS works with the revocation list. From what I can tell, when you issue the certificate, the locations where the revocation list is posted are contained within the certificate info? Is this true?
Shmoid answered:

Yes, you configure your CA with the locations from which the CRL can be obtained, and those locations will be present in every certificate your CA issues. Typically, at a minimum, you will have an LDAP location (stored in Active Directory) for internal clients and an HTTP location for external clients. In your case that HTTP location should be on a webserver that is accessible from outside your network. It doesn't have to be a special server just for the CRL. It could be on any public-facing website you have now.

Your CA will automatically publish the CRL to Active Directory on the schedule you specify on the CA, but you will need to make sure it gets copied to the HTTP location, either manually or via a script or other automation. Also, if you are planning to set up a tiered PKI, you will need to publish both the offline Root CA's CRL and the issuing CA's CRL. Obviously the offline CRL can have a longer validity period and must be published manually.
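The steps Shmoid describes, as an added PowerShell example run on an AD CS issuing CA (not code from the thread): it embeds a public HTTP CRL location in every newly issued certificate, publishes and copies the CRL, and checks an issued client certificate against the URLs it carries. The host name pki.example.com, the UNC web-root path and C:\temp\client.cer are placeholders; the ADCSAdministration module is assumed to be available on the CA.

```powershell
# Added example: make the public HTTP CRL location part of every issued certificate,
# publish the CRL, and confirm a client certificate carries (and resolves) that URL.
# Assumptions: run on the AD CS issuing CA with the ADCSAdministration module;
# pki.example.com, the web-root path and client.cer are placeholders.
Import-Module ADCSAdministration

# <CaName>, <CRLNameSuffix> and <DeltaCRLAllowed> are AD CS substitution tokens;
# the CA expands them to e.g. "Contoso Issuing CA.crl" and "Contoso Issuing CA+.crl".
$httpCdp = 'http://pki.example.com/CertEnroll/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl'

# Only the public host name goes into the certificate. The CA does not need to be
# reachable from the internet; the CRL file is copied to the web server separately.
if (-not (Get-CACrlDistributionPoint | Where-Object Uri -eq $httpCdp)) {
    Add-CACrlDistributionPoint -Uri $httpCdp -AddToCertificateCdp -AddToFreshestCrl -Force
    Restart-Service CertSvc      # CDP changes only apply to certificates issued from now on
}

# Publish a fresh base (and delta) CRL into the CA's local CertEnroll folder ...
certutil -CRL
# ... and copy it to the web root that pki.example.com serves. Run this from a
# scheduled task more often than the CRL validity period so the public copy never expires.
$webRoot = '\\pki-web\CertEnroll'                                   # placeholder UNC path
Copy-Item 'C:\Windows\System32\CertSrv\CertEnroll\*.crl' $webRoot -Force
# In a two-tier PKI the offline root CA's CRL is copied into the same folder by hand.

# Check an issued certificate: the CDP extension is where relying parties look,
# so no DNS record beyond the A record for pki.example.com is involved.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 'C:\temp\client.cer'
$cdp  = $cert.Extensions | Where-Object { $_.Oid.FriendlyName -eq 'CRL Distribution Points' }
$cdp.Format($true)            # prints the embedded ldap:/// and http:// URLs
# Chain build plus revocation check that fetches the CRL from those URLs, as an external host would
certutil -verify -urlfetch 'C:\temp\client.cer'
```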
jbla9028 (asker) replied:
OK, I see that the certificates have the CRL lists in them. I just wasn't sure if there were specific types of DNS records (other than an A record) that would be required to be published in DNS for the CA's and the web server's basic functionality.
Accepted solution (Shmoid):

jbla9028 (asker): Thank you very much for the help.