General Questions PKI

  • What if the CRL website is down? Are all the certificates that the clients are trying to validate failing?
  • Why is Internet Explorer the best browser for a certificate request?
  • Why is LDAP not recommended for CRL, besides its limitation to domain-joined devices?
  • In a 3-tier PKI, are the policy CA domains connected?
  • Isn't the registration authority just the issuing CA?

1 Reply

@Due_Zeh 


  • What if the CRL website is down? Are all the certificates that the clients are trying to validate failing?
    • Chrome and Firefox do not use CRL lists because of the large file size, which would impose significant latency and bandwidth overhead. Chrome uses CRLSet and Firefox uses OneCRL for revocation checks. Mobile web browsers also treat certificate validation differently.
    • CDP (CRL Distribution Point) is the location of the CRL; it can be HTTP, LDAP or File.
    • When the CDP is unreachable, the revocation check will fail, and web browsers default to treating the certificate as valid. When a revoked certificate is treated as valid, this is bad for security.
    • A CRL contains revoked or suspended certificates and can be very large; full CRLs can be a few megabytes in size. Partitioned CRLs allow you to verify a portion of the list.
    • EV (Extended Validation) certificates are designed to provide greater assurance to clients that certificates were issued properly; browsers have different mechanisms for EV certificates.
    • CRL is slowly being replaced by the newer OCSP protocol to ensure certificate trustworthiness; some CAs do not support CRL on newly issued certificates.
  • Why is Internet Explorer the best browser for a certificate request?
    • A CSR can be created in MMC, IIS, the ADCS Web Enrollment web page, or OpenSSL.
    • Using Create Domain Certificate in IIS can only use the ADCS built-in template; this is a version 1 template and does not support SAN. SAN (Subject Alternative Name) is required by all modern browsers; it is a list of FQDNs that the specific certificate is valid for. The issuing authority decides whether it will actually issue a certificate for that particular name to a requestor.
    • MMC and OpenSSL can create a customized CSR that includes additional fields or extensions the tool is capable of creating. You can submit the request to Windows ADCS via certreq.exe or to a public CA by PKCS#12 (or PFX) export.
    • Internet Explorer can visit the ADCS Web Enrollment website and create the request via a web UI; you can click Install Certificate to install it into the certificate store. The same applies to other browsers: in terms of functionality, all browsers can create a certificate request. Internet Explorer is pre-installed on Windows Server, so it comes in handy without installing additional software.
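The two points above (a CSR that carries a SAN, and what a revocation check does when the CRL lists the certificate or cannot be obtained at all) can be reproduced in a throwaway lab. The script below is an added example, not code from this thread or from Microsoft; it assumes an OpenSSL command-line tool (1.1.1 or newer, for `-addext`) on PATH, and the CA name, the `web.lab.test` host names and the scratch directory are constructed for the demo. Note the contrast with the browser behaviour described above: `openssl verify -crl_check` hard-fails when no CRL is available instead of assuming the certificate is valid.

```shell
#!/bin/sh
# Added example (not from the original thread): a scratch root CA issues one server
# certificate from a CSR with a SAN, publishes a CRL, revokes the certificate and
# publishes the CRL again; revocation_status then shows the three outcomes.
# Assumes: OpenSSL CLI >= 1.1.1 on PATH. All names and paths below are constructed.
set -e

# build_lab: create the scratch CA under a fresh temp dir (exported as LAB).
build_lab() {
  LAB=$(mktemp -d)
  # Minimal config for "openssl ca" (issuing, revoking, CRL generation) and "openssl req".
  cat > "$LAB/ca.cnf" <<EOF
[ ca ]
default_ca       = lab
[ lab ]
dir              = $LAB
database         = \$dir/index.txt
new_certs_dir    = \$dir
certificate      = \$dir/ca.crt
private_key      = \$dir/ca.key
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
default_md       = sha256
default_days     = 30
default_crl_days = 7
policy           = lab_policy
x509_extensions  = lab_cert
copy_extensions  = copy
[ lab_policy ]
commonName       = supplied
[ lab_cert ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
[ req ]
distinguished_name = req_dn
[ req_dn ]
EOF
  touch "$LAB/index.txt"
  echo 1000 > "$LAB/serial"
  echo 1000 > "$LAB/crlnumber"

  # Self-signed root allowed to sign certificates and CRLs.
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 30 -config "$LAB/ca.cnf" \
    -subj "/CN=Lab Root CA" \
    -addext "basicConstraints=critical,CA:TRUE" \
    -addext "keyUsage=critical,keyCertSign,cRLSign" \
    -keyout "$LAB/ca.key" -out "$LAB/ca.crt" 2>/dev/null

  # Server CSR listing the names it will serve in subjectAltName (what browsers check).
  openssl req -new -newkey rsa:2048 -nodes -config "$LAB/ca.cnf" \
    -subj "/CN=web.lab.test" \
    -addext "subjectAltName=DNS:web.lab.test,DNS:www.web.lab.test" \
    -keyout "$LAB/web.key" -out "$LAB/web.csr" 2>/dev/null

  # Issue (copy_extensions keeps the SAN), publish a CRL, revoke, publish the CRL again.
  openssl ca -batch -notext -config "$LAB/ca.cnf" -in "$LAB/web.csr" -out "$LAB/web.crt" 2>/dev/null
  openssl ca -config "$LAB/ca.cnf" -gencrl -out "$LAB/before.crl" 2>/dev/null
  openssl ca -config "$LAB/ca.cnf" -revoke "$LAB/web.crt" 2>/dev/null
  openssl ca -config "$LAB/ca.cnf" -gencrl -out "$LAB/after.crl" 2>/dev/null
}

# csr_has_san: exit 0 only if the CSR carries both DNS names in its SAN extension.
csr_has_san() {
  openssl req -in "$LAB/web.csr" -noout -text \
    | grep -q "DNS:web.lab.test, DNS:www.web.lab.test"
}

# revocation_status CRLFILE: CRL-check web.crt and print exactly one of
#   valid    - chain verifies and the serial is not on the CRL
#   revoked  - the CRL lists the serial
#   no-crl   - no CRL available, so OpenSSL refuses to treat the cert as valid (hard fail)
# An empty CRLFILE stands in for an unreachable CDP: no CRL is supplied at all.
revocation_status() {
  if [ -n "$1" ]; then
    out=$(openssl verify -crl_check -CAfile "$LAB/ca.crt" -CRLfile "$1" "$LAB/web.crt" 2>&1) \
      && { echo valid; return 0; }
  else
    out=$(openssl verify -crl_check -CAfile "$LAB/ca.crt" "$LAB/web.crt" 2>&1) \
      && { echo valid; return 0; }
  fi
  case "$out" in
    *"certificate revoked"*)           echo revoked ;;
    *"unable to get certificate CRL"*) echo no-crl ;;
    *)                                 echo "error: $out" ;;
  esac
}

build_lab
printf 'CSR carries the SAN    : %s\n' "$(csr_has_san && echo yes || echo no)"
printf 'CRL without the serial : %s\n' "$(revocation_status "$LAB/before.crl")"
printf 'CRL listing the serial : %s\n' "$(revocation_status "$LAB/after.crl")"
printf 'No CRL obtainable      : %s\n' "$(revocation_status "")"
```

Submitting `web.csr` produced here to a real CA works the same way as the MMC or OpenSSL requests described above; the `before.crl`/`after.crl` pair is what a CDP would serve before and after the revocation, and the last line is the case the question asks about, answered by a strict verifier rather than a browser.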