Re: Offline Root CA
From: Shane (shanetoevs_at_hotmail.com)
Date: 06/12/03
- Next message: Invisible: "File access auditing"
- Previous message: G: "Re: Security management"
- In reply to: krish shenoy[MS]: "Re: Offline Root CA"
- Next in thread: krish shenoy[MS]: "Re: Offline Root CA"
- Reply: krish shenoy[MS]: "Re: Offline Root CA"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 12 Jun 2003 08:34:17 -0400
Thanks for the reply.
What if we change the CDP URL to the subordinate CA, place the initial CRL
at that location and then disable the publication of the CRL by viewing the
properties of the Revoked Certificates folder on the Root CA and selecting:
Disable Publication Schedule
Would that work?
Thanks again.
Shane
"krish shenoy[MS]" <kshenoy@online.microsoft.com> wrote in message
news:uPK6EbFMDHA.3976@tk2msftngp13.phx.gbl...
> Most applications that check revocation set the flag
> CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT so that the revocation is not
> checked on the root cert. You can change the CRL interval to be of a long
> duration such as 3 months and change the CDP URL to an online location such
> as the subordinate CA machine and manually place the CRL at that location
> once every 3 months
>
> --
> This posting is provided "AS IS" with no warranties and confers no rights.
> Use of any included samples is subject to the terms specified at
> http://www.microsoft.com/info/copyright.htm
> "Shane" <shanetoevs@hotmail.com> wrote in message
> news:eUH7#EEMDHA.1608@TK2MSFTNGP11.phx.gbl...
> > Hello,
> >
> > We are designing our PKI infrastructure, primarily for use with EFS.
> >
> > We plan to use 2 Certificate Authorities. Our Root will be a StandAlone CA.
> > We plan to install it on a W2K Member server while it is connected to our
> > network. We will then install a Subordinate Enterprise CA. After the Root
> > CA has issued the CA certificate for the subordinate CA, we plan to take the
> > Root CA offline to protect it. Thereafter, the subordinate CA will process
> > all certificate requests.
> >
> > My question has to do with the publication of the CRL for the Root CA.
> > Since it will only be used to issue 1 certificate (for the subordinate CA),
> > we do not foresee the need to automatically publish the CRL. Additionally,
> > because it will be offline, publishing the CRL would be an administrative
> > burden because we would have to manually copy it from the server to a shared
> > folder on our network. Therefore, we are thinking of disabling the
> > publication schedule of the CRL on the Root CA.
> >
> > Does anyone foresee any problems with this plan?
> >
> > Also, if we disable the publication schedule of the CRL for the Root CA, can
> > we just leave the CRL distribution points at their default setting?
> >
> > Most articles that I have seen from Microsoft on the subject of offline Root
> > Certificate Authorities never discuss the possibility of installing the
> > Root CA online, configuring everything and then taking the Root CA offline
> > as the last step. We feel this is the best way to approach the deployment
> > of PKI.
> >
> > Can anyone foresee any problems doing things this way?
> >
> > Thanks very much for any help you can provide. It is very much appreciated.
> >
> > Shane
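The configuration discussed in this thread (a three-month root CRL, a CDP pointing at the subordinate CA host, manual copying of the CRL while the root stays offline), followed by the two checks a practitioner would run afterwards, as an added PowerShell example that is not part of the original posts. It uses certutil's -setreg / -crl / -dump switches and .NET's X509Chain class. The CA name, host name, share, file paths and the 14-day warning window are assumptions; substitute the real values.

```powershell
# Added example, not from the newsgroup thread. Names, hosts and paths are
# assumptions. Section 1 runs on the root CA while it is still online,
# section 2 each time the CRL is re-published from the offline root, and
# section 3 on any client that should trust the subordinate CA.

$RootCaName  = 'ContosoRootCA'                    # assumed root CA common name (no spaces keeps the CRL URL simple)
$SubCaHost   = 'subca.contoso.local'              # assumed online host that serves the root CRL
$CrlHttpBase = "http://$SubCaHost/CertEnroll"     # assumed CDP location reachable by clients
$CrlShare    = "\\$SubCaHost\CertEnroll"          # assumed share behind that URL
$RootCrlDir  = "$env:WINDIR\system32\CertSrv\CertEnroll"   # where the root CA writes its CRL

# --- 1. Root CA: three-month CRL, CDP on the subordinate CA host ---------------
# CRLPublicationURLs flag values: 1 = write the CRL to this path,
# 2 = put this URL in the CDP extension of certificates this CA issues.
# %3 = CA name, %8 = CRL name suffix, %9 = delta suffix (certutil tokens; no
# doubling of % is needed in PowerShell, unlike cmd.exe). The literal \n is
# certutil's separator for a multi-valued registry entry.
certutil -setreg CA\CRLPeriodUnits 3
certutil -setreg CA\CRLPeriod "Months"
certutil -setreg CA\CRLOverlapUnits 2            # CRL stays valid 2 weeks past the 3 months,
certutil -setreg CA\CRLOverlapPeriod "Weeks"     # so a slightly late manual copy does not break clients
certutil -setreg CA\CRLPublicationURLs "1:$RootCrlDir\%3%8%9.crl\n2:$CrlHttpBase/%3%8%9.crl"
Restart-Service CertSvc
certutil -crl                                    # write a fresh CRL with the new period

# --- 2. Manual publication, repeated before each NextUpdate ---------------------
# With the root offline this copy normally goes via removable media; the share
# is used here for brevity.
Copy-Item "$RootCrlDir\*.crl" -Destination $CrlShare

# --- 3. Checks -----------------------------------------------------------------
function Get-CrlNextUpdate {
    param([string]$CrlPath)
    # certutil -dump prints a "NextUpdate:" line for a CRL; parse its timestamp
    $line = certutil -dump $CrlPath | Select-String -Pattern '^\s*NextUpdate:\s*(.+)$'
    if (-not $line) { throw "No NextUpdate found in $CrlPath; is it a CRL?" }
    [datetime]::Parse($line.Matches[0].Groups[1].Value)
}

function Test-RootCrlFreshness {
    param([string]$CrlUrl, [int]$WarnDays = 14)
    # Fetch the CRL from the CDP URL exactly as a relying client would
    $tmp = Join-Path $env:TEMP 'rootca.crl'
    Invoke-WebRequest -Uri $CrlUrl -OutFile $tmp
    $next = Get-CrlNextUpdate $tmp
    $left = ($next - (Get-Date)).TotalDays
    if ($left -lt 0) {
        Write-Warning "Root CRL expired $next; revocation checks on the subordinate CA cert will fail"
    } elseif ($left -lt $WarnDays) {
        Write-Warning "Root CRL expires $next; re-publish from the offline root now"
    } else {
        Write-Output "Root CRL valid until $next ($([int]$left) days left)"
    }
}

function Test-SubCaChain {
    param([string]$SubCaCertPath)
    # Build the chain with online revocation checking, the way a relying
    # application does. ExcludeRoot is the .NET counterpart of the
    # CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT flag: the root's own
    # revocation is skipped, the subordinate CA cert is still checked.
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $SubCaCertPath
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::ExcludeRoot
    $ok = $chain.Build($cert)
    foreach ($s in $chain.ChainStatus) { Write-Warning "$($s.Status): $($s.StatusInformation)" }
    return $ok
}

Test-RootCrlFreshness -CrlUrl "$CrlHttpBase/$RootCaName.crl"
Test-SubCaChain -SubCaCertPath 'C:\PKI\SubCA.cer'   # assumed export of the subordinate CA certificate
```

Set CRLPublicationURLs before the subordinate CA certificate is issued: the CDP extension is written into a certificate at issuance, so changing the CA's setting afterwards leaves an already-issued subordinate CA certificate pointing at the old location until that certificate is renewed. Test-SubCaChain reports statuses such as RevocationStatusUnknown or OfflineRevocation when the root CRL cannot be fetched or has passed its NextUpdate, which is exactly the failure a forgotten manual re-publication produces.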