2008 R2 Certificate Services

I have a two-tiered CA structure on my domain.  I have an offline Enterprise CA and a Subordinate CA ... Everything works fine, however, I have numerous revocation failures on my subca because my Enterprise CA is offline.  I'd like to get rid of these failures.  Can I just add the CRL from the enterprise CA to my subordinate and make it a distribution point so these failures will start to disappear?  The only CRL Distribution Points I see are pointing to my Enterprise CA, which will remain offline unless needed.
Asked by: jrobison
1 Solution
 
Rich Weissler (Professional Troublemaker^h^h^h^h^hshooter) commented:
You can move the Enterprise CA CRL anywhere.  (I.e. you can move it to a web server, or publish it to AD and pick it up via LDAP.)  What you'll need to do is extend the published CRL's lifetime to longer than the period between the times you turn on your root CA to refresh the CRL.

One of the challenges I saw with an offline Enterprise CA was that I wanted the server to be offline for longer than the machine certificate would remain viable.  I'm now considering an offline stand alone root, with an Enterprise Subordinate.
 
jrobison (Author) commented:
A couple of questions:

1.) How do you extend the CRL on an offline Enterprise CA?
2.) Will I need to copy the *.crl files from my offline Enterprise CA to my Subordinate CA?
 
Rich Weissler (Professional Troublemaker^h^h^h^h^hshooter) commented:
1. Within the Certificate Authority MMC (certsrv), while pointed at the CA, right click "Revoked Certificates", and select properties.  It'll give you the CRL Publishing Parameters.

2. Within the same MMC, while pointed at the CA, right click the CA itself and select properties.  Go to the 'Extensions' tab.  From there, you can tell the CA where CRLs will be available, and you can tell the CA which of those locations you want it to publish the CRL to.  (And for those locations you don't have it take care of for you... yes, you'll want to copy the .crl files over.)
(What I don't know off hand is whether you need to publish a new CA cert for changes to CRL locations to be reflected/used... if so, you'd likely need subordinate certs reissued off the new CA cert as well.  :-(  )
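The two steps above as commands, added here as an example and not part of the original thread: the certutil registry settings behind the "Revoked Certificates" and "Extensions" dialogs on the offline root, then the manual copy and AD publish of the resulting CRL from a domain-joined machine. The CA name "Contoso Root CA", the host pki.example.com, the transfer paths and the 52-week/2-week periods are assumptions.

```powershell
# Added example, not from the thread. Assumed values: CA name "Contoso Root CA",
# CDP host pki.example.com, a 52-week CRL with 2 weeks of overlap. Run elevated.

# --- On the OFFLINE root CA (answer 1): make the CRL outlive the time between power-ons.
certutil -setreg CA\CRLPeriodUnits 52
certutil -setreg CA\CRLPeriod 'Weeks'
certutil -setreg CA\CRLOverlapPeriodUnits 2      # grace added on top of NextUpdate
certutil -setreg CA\CRLOverlapPeriod 'Weeks'
certutil -setreg CA\CRLDeltaPeriodUnits 0        # no delta CRLs from an offline CA

# --- Answer 2, the Extensions tab: where issued certs say the CRL lives.
# Flags: 1 = publish to this path when the CA runs, 2 = put the URL in the CDP
# extension of issued certs, 8 = AD location used by a manual -dspublish.
# A literal "\n" separates entries; %3/%8/%9 = CA name, key index, delta marker.
certutil -setreg CA\CRLPublicationURLs '1:%WINDIR%\system32\CertSrv\CertEnroll\%3%8%9.crl\n2:http://pki.example.com/pki/%3%8%9.crl\n10:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10'

Restart-Service certsvc
certutil -crl                                    # issue a fresh CRL with the new lifetime
certutil -dump "$env:WINDIR\system32\CertSrv\CertEnroll\Contoso Root CA.crl" |
    Select-String 'ThisUpdate|NextUpdate'        # confirm the validity window

# --- Carry the .crl to a domain-joined machine (removable media), then publish it
# to the HTTP folder and into the AD CDP container so both URLs resolve.
Copy-Item 'D:\transfer\Contoso Root CA.crl' '\\pki.example.com\pki$\'
certutil -dspublish -f 'D:\transfer\Contoso Root CA.crl'

# --- From the subordinate: fetch every AIA/CDP URL embedded in its own CA cert
# and confirm revocation checking now succeeds.
certutil -verify -urlfetch 'C:\transfer\SubCA.cer'
```

The CDP URLs already embedded in the subordinate's CA certificate are fixed at issuance, so a newly added URL only appears in that certificate after the root reissues it; until then, keep the existing locations populated with the refreshed CRL.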
 
jrobison (Author) commented:
Please delete this question as I have received no response which provided any assistance to my situation.  Thank you
 
jrobison (Author) commented:
No feedback was received that helped resolve my issue. I have since abandoned the problem.