Offline Root CA CRL CDP

Dane Briggs 231 Reputation points
2023-04-19T15:55:31.8533333+00:00

I inherited a CA environment. While reverse engineering I noticed some configurations in Offline Root CA CRL and AIA extensions that I have questions about.
We have 5 different Forests/Domains. Each has its own Intermediate CA and Online Responder. Each Intermediate CA gets its SubCA cert from the Root CA. The CRL CDP was set as follows.

  • C:\Windows\system32\certsrv\certenroll\<CAName><CRLNameSuffix><DeltaCRLAllowed>.crl
  • ldap:///CN=<CATruncatedName><CRLNameSuffix>,CN=<ServerShortName>,CN=CDP,CN=Public Key Services,CN=Services,<ConfigurationContainer><CDPObjectClass>
  • http://pki.DomainC.com/CertEnroll/<CAName><CRLNameSuffix><DeltaCRLAllowed>.crl

And the AIA was set as follows.

  • C:\Windows\system32\CertSrv\CertEnroll\<ServerDNSName>_<CAName><CertificateName>.crt
  • ldap:///CN=<CATruncatedName>,CN=AIA,CN=Public Key Services,CN=Services,<ConfigurationContainer><CAObjectClass>
  • http://pki.DomainC.com/CertEnroll/<ServerDNSName>_<CAName><CertificateName>.crt

DomainC is going to be retired soon and pki.DomainC.com is not accessible to all 5 domains. So, I need to update the CRL CDP and the AIA. My plan was to configure the Root CA Extensions as follows.

CRL CDP

  • C:\Windows\system32\certsrv\certenroll\<CAName><CRLNameSuffix><DeltaCRLAllowed>.crl
  • ldap:///CN=<CATruncatedName><CRLNameSuffix>,CN=<ServerShortName>,CN=CDP,CN=Public Key Services,CN=Services,<ConfigurationContainer><CDPObjectClass>
  • http://pki.DomainA.com/CertEnroll/<CAName><CRLNameSuffix><DeltaCRLAllowed>.crl
  • http://pki.DomainB.com/CertEnroll/<CAName><CRLNameSuffix><DeltaCRLAllowed>.crl
  • http://pki.DomainC.com/CertEnroll/<CAName><CRLNameSuffix><DeltaCRLAllowed>.crl
  • http://pki.DomainD.com/CertEnroll/<CAName><CRLNameSuffix><DeltaCRLAllowed>.crl
  • http://pki.DomainE.com/CertEnroll/<CAName><CRLNameSuffix><DeltaCRLAllowed>.crl

AIA

  • C:\Windows\system32\CertSrv\CertEnroll\<ServerDNSName>_<CAName><CertificateName>.crt
  • ldap:///CN=<CATruncatedName>,CN=AIA,CN=Public Key Services,CN=Services,<ConfigurationContainer><CAObjectClass>
  • http://pki.DomainA.com/CertEnroll/<ServerDNSName>_<CAName><CertificateName>.crt
  • http://pki.DomainB.com/CertEnroll/<ServerDNSName>_<CAName><CertificateName>.crt
  • http://pki.DomainC.com/CertEnroll/<ServerDNSName>_<CAName><CertificateName>.crt
  • http://pki.DomainD.com/CertEnroll/<ServerDNSName>_<CAName><CertificateName>.crt
  • http://pki.DomainE.com/CertEnroll/<ServerDNSName>_<CAName><CertificateName>.crt

I also noticed that the CRL for every SubCA cert is pointing to only DomainC. I expected that with the HTTP but not LDAP. My first assumption, since the SubCA certs are a few years old, was that someone changed the CRL CDP and AIA after those certs were issued. However, DomainE is a new domain with a new Intermediate CA server. The CRL CDP and AIA for the new SubCA cert is still using DomainC for its CRL CDP.

[1]CRL Distribution Point

Distribution Point Name:

Full Name:

URL=ldap:///CN=RootCA,CN=SA-CA,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=DomainC,DC=COM?certificateRevocationList?base?objectClass=cRLDistributionPoint

URL=http://pki.DomainC.com/CertEnroll/RootCA.crl

  • Why is it that each SubCA’s cert CRL is pointing the ldap CRL to DomainC when the Root CA Extension CRL CDP is set generic (ldap:///CN=<CATruncatedName>,CN=AIA,CN=Public Key Services,CN=Services,<ConfigurationContainer><CAObjectClass>)?
  • How do I configure the Root CA CRL CDP so that each domain can publish the CRL in AD?
  • Should I even have an LDAP CRL CDP configured in the Offline Root CA’s Extensions? (I personally like to have at least 2 locations to publish the CRL)
  • If I add CRL CDP and AIA to the Root CA extensions, will it be added to the cert if I renew the SubCA cert?
  • I’m pretty sure I know the answer to this but…. If I renew the cert and DO NOT generate a new Public/Private pair the certificate chain stays intact, and I don’t need to reissue all certs issued by the Intermediate CAs?

1 answer

  1. Limitless Technology 44,321 Reputation points
    2023-04-20T14:38:45.7766667+00:00

    Hello there, If you have configured both LDAP and HTTP, then clear the checkboxes on the LDAP URL which instruct the CA to include the URL in certificates and CRLs. This way the CA will continue to publish CRLs there, so existing certificates (that include the LDAP URL) can download the CRL from LDAP until they get replaced. No new certificate will contain LDAP; they will contain only HTTP. Use the following certutil.exe command line to publish a CA's CRL into Active Directory: certutil -dspublish -f CAName.crl, where CAName is the logical name of the root CA. Hope this resolves your Query!! --If the reply is helpful, please Upvote and Accept it as an answer--

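The plan in the question (one HTTP CDP and AIA URL per forest, LDAP no longer written into new certificates, as the answer above suggests) translates to the root CA's CRLPublicationURLs and CACertPublicationURLs registry values. The script below is an added example, not code from the thread or from Microsoft; it assumes an elevated PowerShell session on the root CA, that pki.DomainA.com through pki.DomainE.com resolve from every forest, and that C:\temp\SubCA-DomainE.crt is a placeholder for a real issued SubCA certificate. The second half is the check a practitioner would run before and after the change: what CDP/AIA a given SubCA cert actually carries, and whether each URL is reachable from where the check is run.

```powershell
# Added example, not from the thread. Assumes an elevated session on the root CA;
# the hostnames follow the question's plan and the .crt path is a placeholder.

$domains = 'DomainA', 'DomainB', 'DomainC', 'DomainD', 'DomainE'

# AD CS expands these tokens when it publishes or issues:
#   %1 ServerDNSName   %2 ServerShortName   %3 CAName   %4 CertificateName
#   %6 ConfigurationContainer   %7 CATruncatedName   %8 CRLNameSuffix
#   %9 DeltaCRLAllowed   %10 CDPObjectClass   %11 CAObjectClass
#
# CRLPublicationURLs flag bits:  1 publish CRL here   2 put URL in issued certs' CDP
#   4 put in the CRL's own CDP   8 put in IDP   64 publish delta CRL here
# CACertPublicationURLs flag bits: 1 publish CA cert here   2 put URL in AIA   32 put in OCSP
$cdp = @('65:C:\Windows\system32\CertSrv\CertEnroll\%3%8%9.crl')
$aia = @('1:C:\Windows\system32\CertSrv\CertEnroll\%1_%3%4.crt')
foreach ($d in $domains) {
    # Flag 2 only: the URL is written into issued certificates, but the offline
    # root never tries to publish there; the .crl/.crt files are copied out by hand.
    $cdp += "2:http://pki.$d.com/CertEnroll/%3%8%9.crl"
    $aia += "2:http://pki.$d.com/CertEnroll/%1_%3%4.crt"
}
# No LDAP entry on the offline root: AD publication is done from a domain member
# with certutil -dspublish, as the answer above describes.

# certutil treats a literal \n as the entry separator for these multi-string values;
# single quotes keep PowerShell from touching the backslash.
certutil -setreg CA\CRLPublicationURLs    ($cdp -join '\n')
certutil -setreg CA\CACertPublicationURLs ($aia -join '\n')
Restart-Service certsvc
certutil -crl                      # publish a fresh CRL to the local CertEnroll folder

# Read back the effective configuration.
certutil -getreg CA\CRLPublicationURLs
certutil -getreg CA\CACertPublicationURLs

# --- Check an issued SubCA certificate ---------------------------------------
# Verifiers use the CDP/AIA baked into the certificate at issuance; the CA's new
# settings only reach certificates issued (or renewed) from now on.
function Get-CertPublicationUrls {
    param([string]$Path)   # .cer/.crt file, DER or Base64
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($Path)
    foreach ($ext in $cert.Extensions) {
        switch ($ext.Oid.Value) {
            '2.5.29.31'         { [pscustomobject]@{ Extension = 'CDP'; Text = $ext.Format($true) } }
            '1.3.6.1.5.5.7.1.1' { [pscustomobject]@{ Extension = 'AIA'; Text = $ext.Format($true) } }
        }
    }
}
Get-CertPublicationUrls -Path 'C:\temp\SubCA-DomainE.crt' | Format-List

# certutil retrieves every CDP/AIA/OCSP URL in the chain and reports which fail;
# run it from a host in each forest to see which URLs that forest can actually reach.
certutil -verify -urlfetch 'C:\temp\SubCA-DomainE.crt'
```

Running Get-CertPublicationUrls against the current DomainE SubCA cert reproduces the dump quoted in the question (only the DomainC LDAP and HTTP URLs), and running it against a cert issued after the change shows the five HTTP URLs and no LDAP entry. The -urlfetch check is the quickest way to confirm, per forest, that retiring pki.DomainC.com will not break revocation checking for certificates that still reference it.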
