One of the Key issue is the CRL generated from the Root CA, you need to set the CRL interval for a large value so that we don’t need to copy the CRL to an online location frequently and do not implement delta CRLs, because the publication of each delta CRL would require access to the offline root CA in order to copy the delta CRL to an online publication location. In order to change the CRL interval you need to:
- Turn on the Offline Root CA and login with Admin account
- Open the Certification Authority Console
- Right Click on the "Revoked Certificates" and click Properties.
- Set “CRL Publish interval” to a large value (Default is 26 Weeks) and uncheck “Publish Delta CRL” check-box.
In order to Publish a new CRL from the offline Root CA to the Enterprise Sub CA you need to do the following:
- Publish a new CRL on the Root CA, this can be done by Right Click the "Revoked Certificates" - All Tasks - Publish
- Copy the CRL file from the Root CA located under %systemroot%\system32\certsrv\certenroll to the Sub CA Server
- Turn off the Root CA
- Copy the above file to the InetPub folder (HTTP Path) in the Sub CA server which is by default located under the C:\inetpub\wwwroot\Certdata
- Open an Admin Command Prompt and run the following command to publish it to the Active Directory (LDAP Path). certutil -f -dspublish " C:\Inetpub\wwwroot\certdata\RootCA.crl
This process of renewing the CRL and publishing a new one is manually done since the Root CA is offline and thats why its better to make the CRL publish interval more than the default value so you won't do it frequently. You may also want to set an automated reminder before the next renewal date.
0 comments:
Post a Comment