Configuring Offline Root CA on Windows 2008 R2 server

  • Configuring Offline Root CA on Windows 2008 R2 server

    Hi,

    I have a question regarding publishing the CRL of an Offline Root CA.

    A friend of mine told me that automatic publishing of CRLs (for example every 180 days) should be disabled (how do I do that?).

    He showed me a few Verisign certificates that do not have a CDP defined.
    I think that the CRL from the Offline Root CA SHOULD (MUST) be published to confirm the validity of all certificates that were issued (signed) by the Offline Root CA.

    My Offline Root CA is configured with a CRL publication interval of 180 days. The Offline Root CA is not connected to the network and is turned off all the time.

    When I'm publishing the CRL from the Offline Root CA, I'm manually copying it to the CDP, which is an online location on the network (IIS). In the event of revocation of some subordinate CA, I would manually force publishing of the CRL.

    Should I or should I not configure the autopublish interval of the CRL on the Offline Root CA? Is there a way to disable it?
    Last edited by kojo1984; 18th June 2011, 07:37.

  • #2
    Re: Configuring Offline Root CA on Windows 2008 R2 server

    The root CA is the most secure and protected CA in the chain. This is why it is highly recommended to keep it offline.
    The root CA provides certificates to higher level CAs, which are usually online.
    Usually you revoke a CA from your higher level CAs only when it is compromised. Hopefully this isn't happening too frequently on your site.


    So, from my point of view the 180-day interval is OK. As far as I know, you can disable the delta CRL publication interval, but you can't do it for the CRL.

    Br,
    Csaba
    Regards,
    Csaba Papp
    MCSA+messaging, MCSE, CCNA
    ...............................
    Remember to give credit where credit is due and leave reputation points where appropriate
    .................................


    • #3
      Re: Configuring Offline Root CA on Windows 2008 R2 server

      Thanks for the reply...

      So, my configuration is OK... I will turn on the Offline Root CA 180 days after the last CRL issue happened and copy it to the online CDP location.

      Is that an OK procedure for publishing the Offline Root CA's CRL?


      • #4
        Re: Configuring Offline Root CA on Windows 2008 R2 server

        Yes, that sounds good. I apply the same procedure in my environment.
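        The procedure the thread settles on (base CRL every 180 days, no delta CRLs, manual copy of the CRL to an IIS-hosted CDP, forced republish after revoking a subordinate CA), written out as an added example. This is not configuration from either poster; the CA name "Contoso Root CA", the CDP host pki.example.com, the IIS path and the removable-media drive letter are assumptions. It uses only standard certutil registry keys and switches of the Windows Server 2008 R2 CA.

```powershell
# Added example: offline root CA CRL settings and manual publication to an online CDP.
# Assumed names: CA "Contoso Root CA", CDP http://pki.example.com/CertEnroll/, IIS
# web root C:\inetpub\wwwroot\CertEnroll\, removable media on E:\.

# --- Run on the offline root CA (elevated) ------------------------------------
# 1. Base CRL every 180 days. A delta period of 0 units disables delta CRLs;
#    the base CRL period itself cannot be set to "never".
certutil -setreg CA\CRLPeriodUnits 180
certutil -setreg CA\CRLPeriod "Days"
certutil -setreg CA\CRLDeltaPeriodUnits 0
certutil -setreg CA\CRLDeltaPeriod "Days"

# 2. Overlap: keep the CRL valid 14 days beyond the next scheduled publish, so a
#    late visit to the offline box does not expire every chained certificate.
certutil -setreg CA\CRLOverlapUnits 14
certutil -setreg CA\CRLOverlapPeriod "Days"

# 3. CDP/AIA: write the files locally (flag 1) and embed only the HTTP URL in
#    issued certificates (flag 2). %3 = CA name, %8/%9 = CRL suffix/delta flag,
#    %1 = server DNS name, %4 = certificate name. "\n" separates entries.
certutil -setreg CA\CRLPublicationURLs "1:%WINDIR%\system32\CertSrv\CertEnroll\%3%8%9.crl\n2:http://pki.example.com/CertEnroll/%3%8%9.crl"
certutil -setreg CA\CACertPublicationURLs "1:%WINDIR%\system32\CertSrv\CertEnroll\%1_%3%4.crt\n2:http://pki.example.com/CertEnroll/%1_%3%4.crt"

Restart-Service certsvc

# 4. Publish a fresh base CRL. Repeat on the 180-day visit, or immediately after
#    revoking a subordinate CA:  certutil -revoke <SerialNumber> <ReasonCode>
certutil -CRL

# 5. Stage the new CRL (and root certificate) on removable media.
Copy-Item "$env:WINDIR\system32\CertSrv\CertEnroll\*.crl" -Destination "E:\" -Force
Copy-Item "$env:WINDIR\system32\CertSrv\CertEnroll\*.crt" -Destination "E:\" -Force

# --- Run on the IIS host that serves the CDP --------------------------------
Copy-Item "E:\*.crl" -Destination "C:\inetpub\wwwroot\CertEnroll\" -Force
Copy-Item "E:\*.crt" -Destination "C:\inetpub\wwwroot\CertEnroll\" -Force

# --- Check from any client ---------------------------------------------------
# Confirm the published CRL's validity window before trusting the next 180 days.
certutil -dump "C:\inetpub\wwwroot\CertEnroll\Contoso Root CA.crl" | Select-String "Update"

# Chain a subordinate CA certificate and fetch CDP/AIA over HTTP as a client would;
# a stale or unreachable CRL shows up here rather than in production.
certutil -verify -urlfetch "C:\temp\SubCA.cer"
```

        The overlap setting is the practical caveat on a 180-day schedule: without it, the base CRL expires at exactly the scheduled publish time, and if the operator is a day late every certificate below the root fails revocation checking. Increasing `CRLPeriodUnits` instead of adding overlap simply pushes the same cliff further out.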


        • #5
          Re: Configuring Offline Root CA on Windows 2008 R2 server

          Thanks... you solved my dilemma.
