Archived from groups: microsoft.public.win2000.security (
More info?)
As far as I know you will need to reissue those certificates that are used
by applications that need to find the CRL for the CA [apparently not all of
yours do]. The CRL/AIA is included on each issued certificate and is where
the application will look for the CRL or CA certificate if it needs it.
After you change it, newly issued certificates will contain the new info. As
far as the empty CDP/AIA, that depends on your particular needs for security
and performance. I have also read where it is recommended in many situations
to increase the length of CRL life to six months for the offline CA based on
the assumption that it is secured and the likelyhood that it would ever have
it's certificate revoked is extremely unlikely. --- Steve
"TKLOSE" <TKLOSE@discussions.microsoft.com> wrote in message
news:C9B9BCAA-B740-4AD0-A5E7-36A8856EDD3C@microsoft.com...
> Hi Steve,
> It appears that I did not correctly set up my CRL and AIA publication
> settings from the get go.
> I deployed my enterprise offline root and subordinate CA with these
> defaults.
> I am using AD and GP with autoenrollment for deploying ONLY the
> certificate
> chain to the client computers .
> I currently have a limited internal cert deployment, only for PEAP for
> wireless.
>
> I hope there is an easy fix...
> I see where to change the CRL, AIA settings .....After I update them
> Do I have to re-issue all the published certificates? And/or will the
> changes (if allowed) propagate down the chain?
>
> I also read, that it is recommended to configure empty CDP and AIA ext to
> ensure that the certificate chaning engine does not perform revo checking
> on
> the rootCA. Do you agree?
>
> Before I set my CRL and AIA.....
> I need to plan ahead for the day my subordinate server is replaced with
> another, and want to have a consistent dns cname for the CRL and AIA files
> (
> I don't want to use a server name) . I prefer to use the LDAP or a DNS
> pointer to the current subordinate CA http.
>
>
>
>
> "Steven L Umbach" wrote:
>
>> Possibly the links below will help. When you install a offline CA you
>> need
>> to make sure that you change the location for the CRL/AIA so that it is
>> available and you also need to update the crl for the offline CA to keep
>> it
>> current. Look in the Event Viewer of the subordinate CA for any pertinent
>> events that may be helpful.--- Steve
>>
>>
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/webenroll.mspx
>>
>>
http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/sag_CS_Checklist_offline.asp
>> -- installing an offline CA.
>>
>> "TKLOSE" <TKLOSE@discussions.microsoft.com> wrote in message
>> news:49D8B6C8-1976-48B6-B00C-F2DB5EF962E0@microsoft.com...
>> > As recomended, I keep my domains root CA offline.
>> > My suborinate CA, works good in delivering the certs to the domain
>> > clients.
>> >
>> > However, when ever I need to request a certificate to a web server or
>> > other,
>> > the subordiante hangs and throughs an error on the certsrv web page.
>> >
>> > If I put the root server back online, this does not occur.
>> >
>> >
>> > What does the suborniate need, to be independant of the root server to
>> > allow
>> > certificates to be requested? What is is looking for from the root
>> > server?
>> >
>> >
>> >
>>
>>
>>