Two Tier PKI Hierarchy - ADCS

New Contributor

Hello Friends.

In a test lab, I have implemented smart card login to computers (Windows 10). The service was based on a two-layer PKI environment (Offline Standalone RootCA i Enterpise Subordinate RootCA).

On the "Offline Standalone RootCA" server in the CRL and AIA lists I only have the lead for the http server. On the other hand, on the Enterpise Subordinate RootCA server, in the CRL and AIA lists, I only have leads for the http and ocsp server.

The problem is revoking certificates.

With OCSP, revoking certificates issued from a Subordinate server works fine.
As you know, in Two Tier, the point is that you can revoke the certificate for the subordinate server if it was broken.
So I revoke the certificate for sub and copy the new list to the web server.
I wait two three days and check the sub certificate on the client with certutil.
The certificate status is "Verified", and the client can login to the computer using the certificate issued by the sub server.
I tried "certutil -urlcache * delete" on the client, but it didn't help.
Is it possible to somehow make Windows check the status of the certificate issued by the "Offline Standalone RootCA" server when logging in?
Because now this implementation of PKI using Two-Tier for smart cards misses the point. Because even if this sub certificate is broken, revoking it will not give me anything.

Thank you in advance for your help and best regards.

0 Replies