CDP and AIA extensions in a standalone CA cert
Hello,
Consider a two tier PKI consisting of a standalone offline root CA and an enterprise policy/issuing subordinate CA.
Everything I read says *not* to include any CDP or AIA extensions when generating the initial standalone root CA cert in order to prevent revocation loops. Well, how would you ever know if a subordinate CA cert of the standalone root CA got compromised? Or is this just a calculated risk to avoid the other potential issues? Or, am I missing something else altogether?
Also, am I correct in believing that the CDP or AIA extensions cannot be updated on a root or subordinate cert *after* it's been generated?
Any insight appreciated...
March 1st, 2011 6:53pm
You have misunderstood this requirement. You need to remove CDP/AIA extensions from the *Root CA certificate* itself. However you still need to maintain CDP/AIA extensions on the CA server.
http://en-us.sysadmins.lv
March 2nd, 2011 1:56am
Hello,
Thank you for your response.
I assume you mean that I still need to maintain CDP/AIA extensions on the *enterprise issuing subordinate CA*, and yes I understand that. So it's possible for the enterprise subCA to revoke certs, and clients would pick up on the revocation through the CDP/AIA extensions of the subCA. But if the subCA cert itself is compromised, you could revoke it at the standalone root, and even generate a crl file. But there doesn't seem to be a mechanism for client machines/users to ever find that out. Is this really the case? Am I understanding this correctly?
March 2nd, 2011 10:57am
I just wrote a blog post for this common question:
http://en-us.sysadmins.lv/Lists/Posts/Post.aspx?ID=36
http://en-us.sysadmins.lv
March 2nd, 2011 1:51pm
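The following is an added walkthrough, not part of this thread or of the sysadmins.lv post it links to, showing the distinction the answer draws: the root's own self-signed certificate carries no CDP/AIA, while the root CA *service* is still configured with CDP/AIA URLs so that every certificate it issues (in particular the subordinate CA certificate) points clients at the root's CRL. It also shows how a revoked subordinate CA certificate becomes visible to clients, which answers the second question. Everything here is assumed for illustration: the CA name "Contoso Root CA", the publishing point `http://pki.example.com/pki/`, the file paths under `C:\pki`, and the serial-number placeholder; the CAPolicy.inf keys and certutil switches are standard AD CS ones.

```powershell
# Added example (assumed names and paths; not from the thread).
# Run on the offline root CA unless a comment says otherwise.

# 1. CAPolicy.inf, placed in %SystemRoot% BEFORE installing the root CA role.
#    Empty=True removes the CDP/AIA extensions from the root's own self-signed
#    certificate only. It says nothing about the certificates the root issues.
$caPolicy = @'
[Version]
Signature="$Windows NT$"

[Certsrv_Server]
RenewalKeyLength=4096
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=20
CRLPeriod=Weeks
CRLPeriodUnits=26
CRLDeltaPeriodUnits=0
LoadDefaultTemplates=0

[CRLDistributionPoint]
Empty=True

[AuthorityInformationAccess]
Empty=True
'@
Set-Content -Path "$env:SystemRoot\CAPolicy.inf" -Value $caPolicy -Encoding ASCII

# 2. AFTER the role is installed: configure the CA service's publication URLs.
#    Flag 1 = publish the CRL/CA cert to this location; flag 2 = stamp this URL into
#    the CDP (or AIA) extension of every certificate the root issues, including the
#    subordinate CA certificate. %3 = CA name, %8 = CRL suffix, %9 = delta flag,
#    %1 = server DNS name, %4 = renewal suffix (certutil's own token syntax).
certutil -setreg CA\CRLPublicationURLs "1:$env:SystemRoot\system32\CertSrv\CertEnroll\%3%8%9.crl\n2:http://pki.example.com/pki/%3%8%9.crl"
certutil -setreg CA\CACertPublicationURLs "1:$env:SystemRoot\system32\CertSrv\CertEnroll\%1_%3%4.crt\n2:http://pki.example.com/pki/%1_%3%4.crt"
Restart-Service certsvc

# 3. Check the result on exported certificates. OID 2.5.29.31 is the CDP extension,
#    OID 1.3.6.1.5.5.7.1.1 is the AIA extension.
function Get-CdpAiaPresence {
    param([string]$CertPath)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
    [pscustomobject]@{
        Subject = $cert.Subject
        HasCDP  = [bool]($cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' })
        HasAIA  = [bool]($cert.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.5.5.7.1.1' })
    }
}
Get-CdpAiaPresence -CertPath 'C:\pki\RootCA.cer'   # the root's own certificate
Get-CdpAiaPresence -CertPath 'C:\pki\SubCA.cer'    # issued by the root in step 2

# 4. If the subordinate CA key is compromised: revoke its certificate at the root
#    (reason 1 = KeyCompromise), sign a fresh root CRL, and move that CRL by removable
#    media to the web server behind the URL configured in step 2.
$subCaSerial = '<serial of SubCA.cer from the root CA database>'   # placeholder
certutil -revoke $subCaSerial 1
certutil -crl
Copy-Item "$env:SystemRoot\system32\CertSrv\CertEnroll\*.crl" 'D:\transfer\'   # assumed media path

# 5. From any client: build the chain for the sub CA certificate and fetch the CRL
#    named in ITS OWN CDP extension, which is the root's CRL published above.
certutil -verify -urlfetch 'C:\pki\SubCA.cer'
```

Step 3 is the check worth keeping: `RootCA.cer` should report both flags as False and `SubCA.cer` both as True. That is the whole point of the answer above: the root certificate needs no pointer to a CRL because nothing above it can revoke it, whereas the subordinate CA certificate does carry a pointer to the root's CRL, so once the updated root CRL from step 4 is reachable at the published URL, step 5 (and any client building a chain through the sub CA) sees the subordinate as revoked.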