Microsoft AD Certificate Services CRL quirk?


We have a newly deployed Active Directory Certificate Services infrastructure setup, and are trying to work out some kinks. Our setup consists of two severs (Windows 2008 R2 Datacenter) running in a 2003 forest / domain. The Root CA is standalone / offline, and the Issuing CA is online (domain member / integrated) to issue certificates and serve revocation lists.

We had an issue last week where we noticed certificate requests failing due to the Root CA revocation list not being valid (aka - expired). We resolved this by flipping over to the Root CA, and executing "CERTUTIL -CSR 455:00", publishing a CRL file, and then copying that CRL onto the Issuing CA server's CDP (an http URL on the Issuing CA server).

Well, I just looked at the Root CA's CRL file on the Issuing CA server, and the CRL's "Next Update" property was for this morning. I thought to myself... 'did we actually not copy that CRL over?'... So I copied the CRL over from the Root CA once more (verifying beforehand that its "Next Update" property was for some time in August of 2015).

Once I placed this file in the CDP (again - on our Issuing CA server), and looked at its properties, the "Next Update" property immediately changed to this Sunday - July 13, 2014.

It seems as though the CRL validity period imposed by the Issuing CA server trumps what the Root CA put in the CRL file; so while we *want* the Issuing CA to have a more rapid CRL update cycle, that cycle is what is imposed on the Root CA CRL - which we *don't* want.

Now... not sure exactly how to resolve this - without tearing everything down and re-creating Root certificates / Issuing CA certificates, and using a separate CDP for the Root CA's CRL / CDP (maybe on a small *nix box or something)...? Do-able, but hopefully there is an easier path?

Thanks in advance!
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Ideally you should publish CRL and AIA for offline root ca prior to install subordinate CA, on some web server which will be online for all the time (It can be sub ca server) OR in active directory with long enough validity and then you could issue new sub CA cert.
This will ensure that all issued certs including subordinate CA by root ca will have above CRL points
You have to bring the root CA online to:
Publish an updated root CA crl.
To issue or renew a subordinate CA certificate
To revoke a subordinate CA certificate.

Check below articles

Jakob DigranesSenior ConsultantCommented:
is the servers licensed and activated?
Just went through an installation with 2012 sever where the CRL for the issuing CA was only one week even though we set it in CMD and verified that it had been set to 104 weeks.
after license was added and server activated - we republished CRL for issuing ca (from root CA) and all was good.
rememeber that the ROOT Cert should NOT have any CRL or AIA information, but the issuing CA should have. The CRL and AIA from the ROOT CA is for verifiying that the issuing CA is still valid - thus only needing update rarely. To publish new CRL from offline root .- this needs to be put online and publish CRL - copy it to the issuing CA and publish via CMD

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Active Directory

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.