
I installed three CAs in a lab environment:

  1. SA Root CA
  2. SA Intermediate CA
  3. Enterprise CA (also DC)

The instructor recommends taking the Root and Intermediate CAs offline once the Enterprise CA has been issued its certificate. I took the Root and Intermediate CAs offline, and now the Enterprise CA's certificate cannot be verified because both the Root and Intermediate CAs are in the chain of trust and are unavailable.

To overcome that I thought of publishing the CRLs to a shared folder on a server that is always available, but the CRLs are valid only for a week. Does that mean I have to bring both the Root and Intermediate CAs up every week to publish CRLs?

What is the commonly proposed solution to such a scenario?

Dean

1 Answer


Are you aware that you can publish the CRL to Active Directory, and then with a longer duration?

http://networkerslog.blogspot.com/2010/12/publish-offline-certificates-and-crls.html

And then I would put the validity higher, obviously. Otherwise it is too much work to republish the CRLs.

TomTom
  • But theoretically, is it possible to publish to a share on another server? – Dean Apr 29 '12 at 12:00
  • Sure. This is fully documented - in the documentation. That even often makes sense, for example when your inner CA is not public but you want the revocation list on the internet. – TomTom Apr 29 '12 at 14:14
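The procedure the answer and comments describe, written out as an added example (this is not code from the answer or from any Microsoft guide, and the lab names are assumptions): extend the CRL lifetime on the offline Root and Intermediate CAs, point their CDP/AIA extensions at locations that stay online (an HTTP server, a file share, and Active Directory), then publish the resulting CRLs and CA certificates from a domain-joined machine. The names `pki.lab.local`, `\\fs01\pki$`, `DC=lab,DC=local`, `SA Root CA` and `SA Intermediate CA` are placeholders for this lab.

```powershell
# Added example, not from the original answer. Run in an elevated PowerShell
# prompt on EACH offline CA (Root and Intermediate) before taking it offline.
# Assumed lab names:
#   http://pki.lab.local/pki/   web server that is always online
#   \\fs01\pki$                 file share on an always-on server (the comment's case)
#   DC=lab,DC=local             forest configuration naming context

# 1. Make the CRL live long enough that the CA can stay offline for months.
#    CRLPeriodUnits/CRLPeriod set the gap to "Next Update"; the overlap adds
#    a grace window so the next CRL can be published before the old one lapses.
certutil -setreg CA\CRLPeriodUnits 26
certutil -setreg CA\CRLPeriod "Weeks"
certutil -setreg CA\CRLOverlapPeriodUnits 2
certutil -setreg CA\CRLOverlapPeriod "Weeks"
# No delta CRLs on an offline CA: nothing would be there to publish them on time.
certutil -setreg CA\CRLDeltaPeriodUnits 0

# 2. A standalone (workgroup) CA does not know the forest, so give it the
#    configuration container the LDAP URLs below should point into.
certutil -setreg CA\DSConfigDN "CN=Configuration,DC=lab,DC=local"

# 3. CRL distribution points. Flag bits used here:
#      1  = write the CRL to this location when it is generated
#      2  = put this URL into the CDP extension of issued certificates
#      8  = location to use in AD when publishing manually (certutil -dspublish)
#    Bit 1 goes only on the local folder and the share; relying parties (and
#    the Enterprise CA) fetch from the HTTP and LDAP URLs. certutil treats the
#    literal "\n" as the separator between entries.
certutil -setreg CA\CRLPublicationURLs ('1:%WINDIR%\system32\CertSrv\CertEnroll\%3%8%9.crl' +
  '\n1:\\fs01\pki$\%3%8%9.crl' +
  '\n2:http://pki.lab.local/pki/%3%8%9.crl' +
  '\n10:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10')

# 4. Authority Information Access: where clients find the issuing CA's cert.
certutil -setreg CA\CACertPublicationURLs ('1:%WINDIR%\system32\CertSrv\CertEnroll\%1_%3%4.crt' +
  '\n2:http://pki.lab.local/pki/%1_%3%4.crt' +
  '\n2:ldap:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,%6%11')

# 5. Apply the registry changes and issue a fresh CRL with the new lifetime.
Restart-Service certsvc
certutil -CRL
# Confirm the "Next Update" field is now ~28 weeks out (period + overlap).
certutil -dump "$env:WINDIR\system32\CertSrv\CertEnroll\SA Root CA.crl" | Select-String "Update"

# 6. On a domain-joined machine, logged on as an Enterprise Admin, after copying
#    the .crt and .crl files over from the offline CA (removable media):
#    publish into AD (the LDAP entry with bit 8 tells certutil where) and drop
#    copies on the web server share that backs http://pki.lab.local/pki/.
certutil -dspublish -f "SA Root CA.crt" RootCA
certutil -dspublish -f "SA Intermediate CA.crt" SubCA
certutil -dspublish -f "SA Root CA.crl"
certutil -dspublish -f "SA Intermediate CA.crl"
Copy-Item "SA Root CA.crt","SA Root CA.crl","SA Intermediate CA.crt","SA Intermediate CA.crl" "\\pki.lab.local\pki$\"

# 7. Verify from the Enterprise CA that the whole chain now validates with the
#    revocation data fetched from the published URLs, not from a stale cache.
certutil -urlcache * delete
certutil -verify -urlfetch "Enterprise CA.crt"
```

Two caveats a practitioner would want. First, the CDP and AIA URLs are baked into certificates at issue time, so an Enterprise CA certificate issued before the Intermediate CA's CDP was changed still points at the old, unreachable location; renew the Enterprise CA's certificate from the Intermediate CA after step 5 and publish the new one. Second, with a 26-week CRLPeriod the offline CAs need to be powered on twice a year to run `certutil -CRL` and repeat step 6; pick a period that matches how fast you need a revoked subordinate CA to stop being trusted, since a root CRL this long-lived means a compromised Intermediate CA remains valid until the next publication.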