Internal root CA and CRL


I am trying to determine what would happen if the internal root CA powers down for a day or is unavailable for a few days. We have a root CA with no subordinate. I thought PCs and servers would check the local cache file and determine whether a certificate was revoked or not. I came across a few articles that say to set the revocation list period longer to avoid the CRL server offline issue; this way, you do not have to worry about the CRL.

I checked my PC's cache file with certutil -urlcache and noticed the last sync time: 1/28/2022. So a PC or server is syncing the revocation list from time to time to ensure it has an up-to-date cache file, whether we set a more extended period for the revocation list or not.


The CRL Distribution Points (CDP) are listed below.

C:\Windows\system32\CertSrv\CertEnroll\<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl
ldap:///CN=<CATruncatedName><CRLNameSuffix>,CN=My-Server,CN=CDP,CN=Public Key Services,CN=Services,<ConfigurationContainer><CDPObjectClass>


What would happen if the CRL/CA server is not available with the default installation above, that is, the CRL is not available on a central server?


0 Replies
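Added example for the question above; this is editor-supplied PowerShell, not code from the post (the thread has no replies). It does three things: reads the CRL validity window the CA is configured to publish, parses ThisUpdate/NextUpdate out of a published CRL so you can see how long a client can keep trusting its cached copy, and builds a certificate chain with online revocation checking so you can observe what Windows actually reports once the CDP is unreachable and the cached CRL has passed NextUpdate. Assumptions that are not in the post: the CA host name My-Server is taken from the CDP the poster listed, the CA name Contoso-Root-CA, the \\My-Server\CertEnroll share and the certificate file .\server.cer are all hypothetical, and step 1 is meant to be run on the CA itself.

```powershell
# Added example, not part of the original post. Hypothetical names:
# Contoso-Root-CA, \\My-Server\CertEnroll, .\server.cer (only My-Server is from the post).

# 1. On the CA: how long each published CRL stays valid. A client accepts its cached
#    CRL until NextUpdate, which the CA sets to ThisUpdate + CRLPeriod + CRLOverlap.
#    That window (not the urlcache sync time) is the longest outage clients ride out.
certutil -getreg CA\CRLPeriodUnits
certutil -getreg CA\CRLPeriod
certutil -getreg CA\CRLOverlapUnits
certutil -getreg CA\CRLOverlapPeriod
certutil -getreg CA\CRLDeltaPeriodUnits
certutil -getreg CA\CRLDeltaPeriod

# 2. On a client: list the CRLs currently in the URL cache.
certutil -urlcache CRL

# Read ThisUpdate/NextUpdate from a CRL file via certutil -dump. certutil formats
# dates in the current locale, so parse with CurrentCulture (assumption: the dump
# contains one "ThisUpdate:" and one "NextUpdate:" line, as it does on en-US systems).
function Get-CrlValidity {
    param([Parameter(Mandatory)][string]$CrlPath)
    $dump = certutil -dump $CrlPath
    $thisLine = $dump | Select-String 'ThisUpdate:\s*(.+)$' | Select-Object -First 1
    $nextLine = $dump | Select-String 'NextUpdate:\s*(.+)$' | Select-Object -First 1
    $culture  = [System.Globalization.CultureInfo]::CurrentCulture
    $thisUpd  = [datetime]::Parse($thisLine.Matches[0].Groups[1].Value.Trim(), $culture)
    $nextUpd  = [datetime]::Parse($nextLine.Matches[0].Groups[1].Value.Trim(), $culture)
    [pscustomobject]@{
        Path       = $CrlPath
        ThisUpdate = $thisUpd
        NextUpdate = $nextUpd
        # Negative means the cached copy is already stale and a fetch is required.
        HoursLeft  = [math]::Round(($nextUpd - (Get-Date)).TotalHours, 1)
    }
}

# 3. Build a chain with online revocation checking and report the status flags.
#    While the cached CRL is still before NextUpdate, Build() succeeds even with the
#    CA switched off. After NextUpdate, with the CDP unreachable, expect
#    RevocationStatusUnknown and OfflineRevocation in ChainStatus. A certificate that
#    is on a current CRL shows Revoked instead.
function Test-RevocationStatus {
    param([Parameter(Mandatory)][string]$CertPath)
    $ns    = 'System.Security.Cryptography.X509Certificates'
    $cert  = New-Object "$ns.X509Certificate2" -ArgumentList $CertPath
    $chain = New-Object "$ns.X509Chain"
    $chain.ChainPolicy.RevocationMode      = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    # ExcludeRoot: Windows never checks a self-signed root against a CRL anyway.
    $chain.ChainPolicy.RevocationFlag      = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::ExcludeRoot
    # Bound the wait for an unreachable CDP so the failure shows up quickly.
    $chain.ChainPolicy.UrlRetrievalTimeout = [timespan]::FromSeconds(15)
    $built = $chain.Build($cert)
    [pscustomobject]@{
        Subject     = $cert.Subject
        ChainBuilt  = $built
        ChainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        Details     = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join ' | '
    }
}

Get-CrlValidity -CrlPath '\\My-Server\CertEnroll\Contoso-Root-CA.crl'
Test-RevocationStatus -CertPath '.\server.cer'
```

Run step 3 once with the CA reachable and once with it powered off, before and after the NextUpdate shown by Get-CrlValidity; the difference in ChainStatus is the answer to "what happens". Whether a stale or missing CRL blocks anything depends on the relying application: chain building only reports RevocationStatusUnknown/OfflineRevocation, and it is the application that decides whether that is fatal (smart card logon and many TLS clients treat it as a failure, while applications that skip revocation checking keep accepting the certificate). The caveat on the "just publish a longer CRL" advice is that the same window that lets clients survive a CA outage is also the window during which a certificate you revoke is still accepted from the cache, so size CRLPeriod and CRLOverlap to the outage you are willing to tolerate, or publish the CRL to an HTTP location that does not depend on the CA host being up.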