Internal roo CA and CRL

New Contributor

I am trying to determine what would happen if the internal root CA power down for a day or unavailable for a few days. We have a root CA with no subordinate. I thought PCs and Servers would check the local cache file and determine whether a certificate was revoked or not. I came across a few articles that say to set the revocation list longer to avoid the CRL server offline issue; this way, you do not have to worry about the CRL.

I checked my PC's cache file with certutil -urlcache and noticed the Last sync time:1/28/2022. so a PC or server is synching the revocation list from time to time to ensure it has an up-to-date cache file whether we set a more extended period for revocation list or not.

 

CRL Distribution Point (CDP) as listed below.

C:\Windows\system32\CertSrv\CertEnroll\<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl
ldap:///CN=<CATruncatedName><CRLNameSuffix>,CN=My-Server,CN=CDP,CN=Public Key Services,CN=Services,<ConfigurationContainer><CDPObjectClass>


What would happen if the CRL/CA server is not available with default installation above, that is, CRL is not in available central server? 

 

 

0 Replies