2-tier CA hierarchy - CRL Renovation problem

Hi! I've set up a PKI with 2 tiers on Windows Server 2003. The root is an offline standalone CA and the other one is a subordinate enterprise CA.

The problem is that some days after I copied the root CA CRL and CRT files to the subordinate CA, it can't start because it can't find the revocation server. I think it's because the CRL from the root has expired. As the root is an offline and powered-off machine... how can I get my CRL updated?? Or can I disable it?? I mean, is it necessary to have the CRL updated from the root?? I only wanna use the subordinate CA. Maybe the problem is that I implemented it incorrectly, I don't know.

Thanx
July 28th, 2008 2:06pm

Hello Alex-SH,

Ahh the CRL, the Achilles' heel of PKI :). To publish a new CRL simply open up the Certificate Authority snap-in for MMC and point it at your parent CA (in a 2-tier it would be the root CA). Expand it out and right-click on the Revoked Certificates folder, highlight All Tasks, and click Publish. This will publish a new CRL to all of the CRL Distribution Points (CDPs) for the server.

Now, this should happen automatically based on the configuration of the CA; it is more likely that the CDPs aren't available to the server. You can find the CDPs in two places: on the X.509 certificate issued to the CA (this is where the subordinate CA will look) and in the CDP configuration for the parent CA (only valid for new certificates). Make sure at least one (ideally all published) of these locations is available to the subordinate CA.

Hope this helps!

- Michael
A+, Network+, MCSE (2000 \ 2003), MCTS, CISSP
July 28th, 2008 3:29pm

Yes, I know how to publish the CRL; the matter is that my root CA is powered off. I read in a tutorial that it is safer to make it as a virtual machine and, once it is configured, switch it off and burn it to a DVD. And now I find this problem with the CRL. How can I make it work if the root CA will be permanently offline?

Thanx
July 28th, 2008 4:10pm

Hi Alex,

it seems that you are using the standard CDP URLs, correct? Thus the Issuing CA cert. would contain a URL pointing to the Root CA machine. Unless the Root CA is online, you need to change those URLs in the configuration of the Root CA before the Issuing CA is set up (or renewed). You should use a URL that points to a highly available server, typically HTTP or LDAP, and choose a rather long CRL validity period, such as several months. Then you would have to power on the Root CA every several months, publish a CRL and transfer it manually to that CDP server.

So if you see a URL in the CDP extension of the Issuing CA cert. now, you have to change it to an available CDP server by renewing the Issuing CA cert.

Theoretically you can "deactivate" Root CA CRLs by deleting all URLs (that are configured for inclusion in certificates) from the Root CA CDP configuration. But also in this case you have to renew the Issuing CA to reflect the change in your certificate chain. Above all, I would not recommend doing this - it is uncommon that there is no CDP URL at all in an Issuing CA certificate and you cannot predict with 100% certainty / you would have to confirm in tests how all your PKI clients would cope with that.

Best regards,
Elke
July 28th, 2008 7:18pm

Ok I see, I already set a valid CDP URL, the URL server is the same as the issuing CA, and if the CRLs haven't expired it works great. So...

1- How can I check the actual CRL validity period?
2- How can I change the CRL validity period?
3- Can I change it without having to renew the issuing CA cert?

Thank youuu!
July 29th, 2008 10:57am

Hi Alex,

1) Checking and 2) changing the validity period:

The CRL validity period is configured at the CA that issues the CRL (in your case the Root CA): Properties of 'Revoked' in the CA MMC. Check also the effective lifetimes of CRLs that have been issued (especially in case of problems):
- in the database: Properties of Revoked, View CRLs, double-click the file and check the end date
- in the file system: %windir%\system32\certsrv\CertEnroll

You change the CRL validity period in the CA MMC (Properties, Revoked) or by changing the corresponding reg key (HKLM/SYSTEM/CurrentControlSet/Services/CertSvc/<NameOfYourCA>/Configuration: CRLPeriod, CRLPeriodUnits).

Note that you can configure an overlap period (only in the registry), which causes a CRL to be published locally earlier (by default this is set hard-coded to 3 hours). The effective validity period is equal to the configured validity period plus the configured overlap period. The CRL is re-published locally at a time which is equivalent to the end date minus the overlap period. Due to the overlap period the effective times seem to be different from the configured validity period. So by default the effective lifetime of CRLs seems to be 3 hours greater than the configured validity periods.

If you want to automate checking for CRL expiry I would check the CRL that has been published to the CDP server periodically - I would recommend this script, which can also detect other problems: http://www.microsoft.com/technet/scriptcenter/solutions/camon.mspx

3) The validity period settings (for the Root CA, but also for the Issuing CA) can be changed without renewing the Issuing CA cert. You only have to renew the Issuing CA if you want to make changes to the URLs embedded in the Issuing CA cert (which are equivalent to the URLs that have been configured before at the Root CA).

Good luck,
Elke
July 29th, 2008 2:56pm
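An added example, not from this thread and not Microsoft's camon script: a standard-library Python check for the two things Elke's answer covers, reading thisUpdate/nextUpdate out of a DER CRL (the file you would take from %windir%\system32\certsrv\CertEnroll or download from the CDP) and reproducing the configured-period-plus-overlap arithmetic. The CRL bytes are constructed inside the script (dummy issuer, zeroed placeholder instead of a signature, the 3-hour default overlap from the thread), so it runs offline; it reads dates only and does not verify the CRL signature.

```python
from datetime import datetime, timedelta, timezone

UTC = timezone.utc


def _der_tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: next (length & 0x7F) bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _der_time(tag, value):
    """Decode a DER Time (UTCTime 0x17 or GeneralizedTime 0x18) as an aware UTC datetime."""
    text = value.decode("ascii")
    if tag == 0x17:                         # UTCTime: YYMMDDHHMMSSZ, two-digit year
        year = int(text[:2])
        year += 1900 if year >= 50 else 2000
        return datetime(year, int(text[2:4]), int(text[4:6]),
                        int(text[6:8]), int(text[8:10]), int(text[10:12]), tzinfo=UTC)
    if tag == 0x18:                         # GeneralizedTime: YYYYMMDDHHMMSSZ
        return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=UTC)
    raise ValueError("expected a Time, got tag 0x%02x" % tag)


def crl_validity(der):
    """Walk CertificateList -> tbsCertList and return (thisUpdate, nextUpdate or None)."""
    _, cert_list, _ = _der_tlv(der, 0)              # CertificateList ::= SEQUENCE
    _, tbs, _ = _der_tlv(cert_list, 0)              # tbsCertList ::= SEQUENCE
    tag, _, pos = _der_tlv(tbs, 0)                  # optional version INTEGER, else signature
    if tag == 0x02:
        tag, _, pos = _der_tlv(tbs, pos)            # signature AlgorithmIdentifier
    _, _, pos = _der_tlv(tbs, pos)                  # issuer Name
    tag, val, pos = _der_tlv(tbs, pos)              # thisUpdate
    this_update = _der_time(tag, val)
    next_update = None
    if pos < len(tbs):                              # nextUpdate is OPTIONAL in the ASN.1
        tag, val, _ = _der_tlv(tbs, pos)
        if tag in (0x17, 0x18):
            next_update = _der_time(tag, val)
    return this_update, next_update


def crl_status(der, now, warn_before=timedelta(days=7)):
    """Classify a CRL relative to 'now': 'ok', 'expiring', 'expired' or 'no-next-update'."""
    _, next_update = crl_validity(der)
    if next_update is None:
        return "no-next-update"
    if now >= next_update:
        return "expired"
    if next_update - now <= warn_before:
        return "expiring"
    return "ok"


def crl_schedule(this_update, configured_period, overlap=timedelta(hours=3)):
    """Thread's arithmetic: nextUpdate = thisUpdate + configured period + overlap;
    the CA republishes locally at nextUpdate - overlap (= thisUpdate + configured period)."""
    next_update = this_update + configured_period + overlap
    return next_update, next_update - overlap


def _der(tag, content):
    """Minimal DER TLV encoder, used only to build the constructed sample CRL."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = bytes([0x81, n])
    else:
        length = bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + content


def _der_utctime(dt):
    return _der(0x17, dt.strftime("%y%m%d%H%M%SZ").encode("ascii"))


def build_sample_crl(this_update, next_update):
    """CONSTRUCTED sample: structurally valid CertificateList, no revoked entries,
    dummy issuer and a zeroed BIT STRING where the real signature would be."""
    alg = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010b")))   # sha256WithRSAEncryption
    cn = _der(0x06, bytes.fromhex("550403")) + _der(0x13, b"Constructed Root CA")
    issuer = _der(0x30, _der(0x31, _der(0x30, cn)))                      # Name with one CN RDN
    tbs = _der(0x30, _der(0x02, b"\x01") + alg + issuer
               + _der_utctime(this_update) + _der_utctime(next_update))
    return _der(0x30, tbs + alg + _der(0x03, b"\x00" * 17))


def check_scenario(period_weeks, checked_on_iso):
    """Publish a constructed root CRL on a fixed date with the given CRLPeriod (in weeks)
    and report its dates and status on the given check date (ISO 8601, treated as UTC)."""
    published = datetime(2008, 7, 14, 9, 0, tzinfo=UTC)                 # constructed publish time
    checked_on = datetime.fromisoformat(checked_on_iso).replace(tzinfo=UTC)
    next_update, republish_at = crl_schedule(published, timedelta(weeks=period_weeks))
    crl = build_sample_crl(published, next_update)
    parsed_this, parsed_next = crl_validity(crl)
    assert (parsed_this, parsed_next) == (published, next_update)       # encoder/decoder round-trip
    return {"next_update": parsed_next.isoformat(),
            "republish_at": republish_at.isoformat(),
            "status": crl_status(crl, checked_on)}


if __name__ == "__main__":
    for weeks in (1, 26):        # a one-week root CRL vs. the "several months" Elke suggests
        print(weeks, "week(s):", check_scenario(weeks, "2008-07-28T14:06:00"))
```

Against a real file, `crl_status(open(path, "rb").read(), datetime.now(UTC))` gives the answer the MMC "View CRLs" dialog would; if the CRL fetched from the CDP URL reports a different nextUpdate than the copy in CertEnroll, the manual transfer step from the Root CA was missed.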

It works!! Thank you so much!
July 29th, 2008 5:23pm
