Re: Offline Root CA
From: krish shenoy[MS] (kshenoy_at_online.microsoft.com)
Date: 06/11/03
- Next message: krish shenoy[MS]: "Re: Microsoft CA not installing trusted root path in local computer store"
- Previous message: Alaa Abdelhalim [MSFT]: "Re: Account Lockout"
- In reply to: Shane: "Offline Root CA"
- Next in thread: Shane: "Re: Offline Root CA"
- Reply: Shane: "Re: Offline Root CA"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 11 Jun 2003 13:19:30 -0700
Most applications that check revocation set the flag
CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT so that revocation is not
checked on the root cert. You can change the CRL interval to be of a long
duration such as 3 months and change the CDP URL to an online location such
as the subordinate CA machine and manually place the CRL at that location
once every 3 months.
-- This posting is provided "AS IS" with no warranties and confers no rights. Use of any included samples is subject to the terms specified at http://www.microsoft.com/info/copyright.htm

"Shane" <shanetoevs@hotmail.com> wrote in message news:eUH7#EEMDHA.1608@TK2MSFTNGP11.phx.gbl...
> Hello,
>
> We are designing our PKI infrastructure, primarily for use with EFS.
>
> We plan to use 2 Certificate Authorities. Our Root will be a StandAlone CA.
> We plan to install it on a W2K Member server while it is connected to our
> network. We will then install a Subordinate Enterprise CA. After the Root
> CA has issued the CA certificate for the subordinate CA, we plan to take the
> Root CA offline to protect it. Thereafter, the subordinate CA will process
> all certificate requests.
>
> My question has to do with the publication of the CRL for the Root CA.
> Since it will only be used to issue 1 certificate (for the subordinate CA),
> we do not foresee the need to automatically publish the CRL. Additionally,
> because it will be offline, publishing the CRL would be an administrative
> burden because we would have to manually copy it from the server to a shared
> folder on our network. Therefore, we are thinking of disabling the
> publication schedule of the CRL on the Root CA.
>
> Does anyone foresee any problems with this plan?
>
> Also, if we disable the publication schedule of the CRL for the Root CA, can
> we just leave the CRL distribution points at their default setting?
>
> Most articles that I have seen from Microsoft on the subject of offline Root
> Certificate Authorities never discuss the possibility of installing the
> Root CA online, configuring everything and then taking the Root CA offline
> as the last step. We feel this is the best way to approach the deployment
> of PKI.
>
> Can anyone foresee any problems doing things this way?
>
> Thanks very much for any help you can provide. It is very much appreciated.
>
> Shane
>
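The configuration the reply describes (3-month root CRL, CDP pointing at the subordinate CA host, manual copy of the CRL), written out as an added example; this is not code from the thread. It assumes a Windows CA managed with certutil, the host name subca.example.com, a CertEnroll share on that host, and an exported subordinate CA certificate at SubCA.cer.

```powershell
# Added example (not from the thread). Assumed values: the CDP host, the share
# behind it and the exported subordinate CA certificate path.
$ErrorActionPreference = 'Stop'

$cdpHost     = 'subca.example.com'                 # assumed: host serving the CDP over HTTP
$cdpShare    = '\\subca.example.com\CertEnroll'    # assumed: share behind that HTTP path
$localCrlDir = "$env:windir\System32\CertSrv\CertEnroll"

# 1. CRL validity of 3 months; no delta CRLs, since an offline root cannot
#    publish them on a short schedule.
certutil -setreg CA\CRLPeriodUnits 3
certutil -setreg CA\CRLPeriod "Months"
certutil -setreg CA\CRLDeltaPeriodUnits 0
# Overlap window: the old CRL stays valid while the new one is being copied.
certutil -setreg CA\CRLOverlapUnits 2
certutil -setreg CA\CRLOverlapPeriod "Weeks"

# 2. CDP: flag 1 = publish the CRL to the local path, flag 2 = put the HTTP URL
#    into the CDP extension of issued certificates. Set this BEFORE the
#    subordinate CA certificate is issued: the extension is written at issuance.
$cdp = '1:' + $localCrlDir + '\%3%8%9.crl\n2:http://' + $cdpHost + '/CertEnroll/%3%8%9.crl'
certutil -setreg CA\CRLPublicationURLs $cdp
Restart-Service certsvc

# 3. Publish a fresh CRL and stage it where the subordinate CA host serves it.
#    Repeat this step (and the copy) before the 3-month Next Update passes.
certutil -CRL
Get-ChildItem "$localCrlDir\*.crl" | Copy-Item -Destination $cdpShare -Force

# 4. Checks: read Next Update from the published CRL, then confirm the
#    subordinate CA certificate's chain can fetch the CRL from the online CDP.
function Get-CrlNextUpdate([string]$CrlPath) {
    $line = certutil -dump $CrlPath | Select-String 'NextUpdate'
    return $line.ToString().Trim()
}
Get-ChildItem "$localCrlDir\*.crl" | ForEach-Object { Get-CrlNextUpdate $_.FullName }
certutil -verify -urlfetch "$cdpShare\SubCA.cer"   # assumed: exported subordinate CA cert
```

The `-urlfetch` check is the one to run before the root goes offline: if it reports the CRL as unreachable, the subordinate CA's own certificate will fail revocation checking for every application that does not exclude the root.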