Re: Root CA CRLs

In article <rfN%g.10948$0L1.7551@xxxxxxxxxxxxxxxxxxxx>,
newsgroups@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx says...
> I'm setting up a two-tier PKI hierarchy. The root will be offline and
> will sign the issuing CA certificate. What is the best-practice for the
> root Certificate Revocation List and revoking the root certificate?

You would modify the locations where the root CA publishes its CRL.
Typically, you will modify the locations to include both an LDAP path
pointing to Active Directory and another to a Web HTTP resource.

> Should I immediately revoke the root certificate after creating the
> issuing CA and store it in a secure location in case the passphrase is lost?

This would be a really really bad idea. In fact, you cannot revoke the
root CA certificate from the CA console. If you revoked the root
certificate, all certificates in the chain are considered revoked. When
you revoke a CA certificate, any certificates issued by that CA are also
considered revoked.

> Should I create a certificate revocation list from the root or only on
> the issuing CA? I certainly don't want to have to retrieve the root
> authority to update the list, but will the clients handle this OK if the
> root public key is in the browser but the issuing CA revokes
> certificates and publishes the list? I would think so, since the chain
> should be intact.

The chaining engine does not, by default, check for revocation of the
root CA certificate. Instead, it checks whether the root CA cert is in
the trusted root store. But, the issuing CA certificate that you issued
must be checked for revocation. Therefore, you do need to publish CRLs
from *all* CAs in the CA hierarchy.

Please see the following whitepapers for more information:
Certificate Revocation and Status Checking

Best Practices

> Thanks in advance.
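As an added example (not from the original thread), the Python script below uses the `cryptography` library to build a constructed two-tier hierarchy and apply the rule given in the reply: the root is accepted by trust-store membership alone, while every certificate below it is looked up in its issuer's CRL, so a missing root CRL leaves the issuing CA's status unknown and a root CRL that lists the issuing CA takes the whole chain down. The CA names and the `chain_status` function are my own simplified model of a chaining engine, not Windows code.

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID
NOW = datetime.datetime(2024, 1, 1, tzinfo=datetime.timezone.utc)  # fixed clock for the constructed PKI

def make_cert(cn, is_ca, issuer=None, issuer_key=None):
    """Constructed test certificate: self-signed when no issuer is given, else signed by issuer_key."""
    key = ec.generate_private_key(ec.SECP256R1())
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    cert = (x509.CertificateBuilder().subject_name(subject)
            .issuer_name(issuer.subject if issuer else subject)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(NOW).not_valid_after(NOW + datetime.timedelta(days=3650))
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
            .sign(issuer_key or key, hashes.SHA256()))
    return cert, key

def make_crl(ca_cert, ca_key, revoked_serials):
    """CRL signed by the CA listing the given serials; an empty list is still a valid CRL."""
    b = x509.CertificateRevocationListBuilder().issuer_name(ca_cert.subject).last_update(NOW).next_update(NOW + datetime.timedelta(days=7))
    for serial in revoked_serials:
        b = b.add_revoked_certificate(x509.RevokedCertificateBuilder().serial_number(serial).revocation_date(NOW).build())
    return b.sign(ca_key, hashes.SHA256())

def chain_status(chain, trusted_roots, crls):
    """chain = [leaf, issuing CA, root]; crls = the CRLs the client could fetch. The root is accepted by
    trust-store membership alone; every cert below it is signature-checked and looked up in its issuer's CRL."""
    if chain[-1] not in trusted_roots:
        return "untrusted: root not in trusted root store"
    for cert, issuer in zip(chain, chain[1:]):
        issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes, ec.ECDSA(cert.signature_hash_algorithm))
        crl = next((c for c in crls if c.issuer == issuer.subject), None)
        if crl is None or not crl.is_signature_valid(issuer.public_key()):
            return "unknown: no valid CRL from " + issuer.subject.rfc4514_string()
        if crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None:
            return "revoked: " + cert.subject.rfc4514_string()
    return "valid"

def demo():
    """Offline root -> issuing CA -> server cert, evaluated under three CRL situations."""
    root, root_key = make_cert("Test Root CA", True)
    issuing, issuing_key = make_cert("Test Issuing CA", True, root, root_key)
    leaf, _ = make_cert("server.example.test", False, issuing, issuing_key)
    chain, store = [leaf, issuing, root], [root]
    root_crl, issuing_crl = make_crl(root, root_key, []), make_crl(issuing, issuing_key, [])
    return {"both CAs publish CRLs": chain_status(chain, store, [root_crl, issuing_crl]),
            "root CRL not published": chain_status(chain, store, [issuing_crl]),
            "root revokes issuing CA": chain_status(chain, store, [make_crl(root, root_key, [issuing.serial_number]), issuing_crl])}
```

Calling `demo()` returns "valid" only in the first situation; the second shows why the offline root still has to publish a (usually empty) CRL, and the third shows why revoking a CA certificate takes everything issued under it with it.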
