Re: Root CA CRLs



In article <rfN%g.10948$0L1.7551@xxxxxxxxxxxxxxxxxxxx>,
newsgroups@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx says...
I'm setting up a two-tier PKI hierarchy. The root will be offline and
will sign the issuing CA certificate. What is the best-practice for the
root Certificate Revocation List and revoking the root certificate?

You would modify the locations where the root CA publishes its CRL.
Typically, you will modify the locations to include both an LDAP path
pointing to Active Directory and another to a Web HTTP resource.

Should I immediately revoke the root certificate after creating the
issuing CA and store it in a secure location in case the passphrase is lost?

This would be a really really bad idea. In fact, you cannot revoke the
root CA certificate from the CA console. If you revoked the root
certificate, all certificates in the chain are considered revoked. When
you revoke a CA certificate, any certificates issued by that CA are also
considered revoked.

Should I create a certificate revocation list from the root or only on
the issuing CA? I certainly don't want to have to retrieve the root
authority to update the list, but will the clients handle this OK if the
root public key is in the browser but the issuing CA revokes
certificates and publishes the list? I would think so, since the chain
should be intact.

The chaining engine does not, by default, check for revocation of the
root CA certificate. Instead, it checks whether the root CA cert is in
the trusted root store. But, the issuing CA certificate that you issued
must be checked for revocation. Therefore, you do need to publish CRLs
from *all* CAs in the CA hierarchy.

Please see the following whitepapers for more information:
Certificate Revocation and Status Checking
http://www.microsoft.com/technet/prodtechnol/winxppro/support/tshtcrl.mspx

Best Practices
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws3pkibp.mspx


Thanks in advance.
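An added example, not part of the thread, showing the lookup the reply describes: in a two-tier chain the root is trusted by store membership and is not looked up in any CRL, but the issuing CA certificate is checked against the root's CRL and the leaf against the issuing CA's CRL, so a missing root CRL leaves status undetermined. It assumes the Python `cryptography` library; the CA names, keys and CRLs are constructed in the script.

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec

NOW = datetime.now(timezone.utc)

def name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def make_cert(cn, issuer_name, issuer_key, pub, is_ca):
    return (x509.CertificateBuilder().subject_name(name(cn)).issuer_name(issuer_name)
            .public_key(pub).serial_number(x509.random_serial_number())
            .not_valid_before(NOW - timedelta(minutes=5)).not_valid_after(NOW + timedelta(days=365))
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
            .sign(issuer_key, hashes.SHA256()))

def make_crl(issuer_cert, issuer_key, revoked_serials, days):
    b = (x509.CertificateRevocationListBuilder().issuer_name(issuer_cert.subject)
         .last_update(NOW - timedelta(minutes=5)).next_update(NOW + timedelta(days=days)))
    for s in revoked_serials:  # entries for certificates this CA itself issued
        b = b.add_revoked_certificate(x509.RevokedCertificateBuilder().serial_number(s)
                                      .revocation_date(NOW).build())
    return b.sign(issuer_key, hashes.SHA256())

def chain_status(chain, crls):
    """chain = [leaf, issuing CA, root]; crls maps an issuer DN to that CA's CRL.
    The root is never looked up in a CRL (it is trusted by being in the root store);
    every other certificate is checked against its issuer's CRL, so the issuing CA
    cert needs the root CRL and the leaf needs the issuing CA's CRL."""
    for cert, issuer in zip(chain, chain[1:]):
        dn = issuer.subject.rfc4514_string()
        crl = crls.get(dn)
        if crl is None or not crl.is_signature_valid(issuer.public_key()):
            return "undetermined: no valid CRL from " + dn
        if crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None:
            return "revoked: " + cert.subject.rfc4514_string()
    return "good"

# Constructed two-tier hierarchy (constructed sample names, not a real deployment)
root_key, ca_key, leaf_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(3))
root = make_cert("Root CA", name("Root CA"), root_key, root_key.public_key(), True)
issuing = make_cert("Issuing CA", root.subject, root_key, ca_key.public_key(), True)
leaf = make_cert("server", issuing.subject, ca_key, leaf_key.public_key(), False)
CHAIN = [leaf, issuing, root]
ROOT_CRL = make_crl(root, root_key, [], days=365)   # offline root: long-lived, empty CRL
CA_CRL = make_crl(issuing, ca_key, [], days=7)      # online issuing CA: short-lived CRL
ROOT_CRL_REVOKES_ISSUING = make_crl(root, root_key, [issuing.serial_number], days=365)
```

With both CRLs present the chain is good; drop the root CRL and the issuing CA certificate's status cannot be determined, which is why the offline root still has to publish (a long-lived) CRL.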