CRL questions and design decision
Hi all, I am hoping somebody can help me wrap my head around a few PKI questions.

Some background:

1. We are implementing a PKI infrastructure to support SCCM, intranet SSL and server-to-server IPSec.
2. We have an office network and a (few) production networks that are completely segregated (different location/network/domain). We can think of them as 2 discrete networks for my purposes here, office and prod.
3. I am planning to create a standalone root server that will generally be off. I will create a subordinate enterprise issuing server in my office network.

I started worrying about the possibility of my CRL being unavailable for some reason when it was checked. This brought up a whole host of questions:

1. If I have a validity period of, say, 1 week, what happens as we approach the end of the time? Is the CRL checked once at 1 week? In that case, a momentary failure would seem to be able to bring down the infrastructure. Are there several checks as it gets towards expiration? I was unable to find a definition on this; links would be appreciated. We are encrypting traffic between some of our critical servers and want to make sure we have some leeway here.
2. Does anybody know if SCCM clients and IPSec check CRLs by default? I know IIS does.
3. Do I need to worry about CRL? Given that these are all internal hosts, if I were to have a compromise of my issuing server, I would have to create a new issuing server in the domain. Would I be able to revoke the old CA through the domain as well, or is CRL my only tool for this?

As far as design decisions, I started wondering if I should build several issuing servers from the same root, one in each network. This would allow me not to depend on any other network being up. For my purposes this seems, prima facie, to be a good idea. I do get a bit murky in my understanding here though: since they would all come from the base root server, would certs issued by, say, PRDISSUER1 be valid on my office machines?

Or, asking another way, assuming I am using an enterprise issuing CA in office that would be trusted on my office domain machines: if both the office and the prod issuers are subordinate to the same root, would the clients in one domain trust certs issued by the other?

Thanks in advance for any insights you may have,
ej
March 9th, 2009 2:41pm

Hi.

I'll give you some answers to your questions.

1: The sub-CA automatically publishes new CRLs long before the time ends. But let's assume the CA is down: everything that depends on the CRL check will fail after the time stamp on the CRL is exceeded.

2: SCCM uses SSL. SSL checks the CRL by default. So does IPsec if the systems are XP, Vista, 2003 or 2008. You can turn off the CRL check for IPsec by using the command:

netsh ipsec dynamic set config property=strongcrlcheck value=0

3: Well, that's a good question. I would use the CRL check. If you start to enroll a lot of certificates, you want to have the option to revoke a certificate. But that's something only you can decide.

4: If you are using CRL checks this won't be a problem, as long as you don't publish the CRL list from the office CA in the prod or the other way around.

/Johan
March 11th, 2009 5:26pm
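The leeway question in this thread comes down to how much time is left before the published CRL's nextUpdate. The following is an added example, not code from either poster: it reads the two timestamp lines printed by `openssl crl -inform DER -in <crl file> -noout -lastupdate -nextupdate`, classifies the CRL's freshness, and computes how long strict revocation checks would fail during a publication outage. Assumptions: the sample timestamps are constructed, the two-day warning margin is arbitrary, and clients are modelled as fetching a new CRL only once the cached one reaches nextUpdate.

```python
from datetime import datetime, timedelta, timezone

# Timestamp format printed by `openssl crl -noout -lastupdate -nextupdate`.
FMT = "%b %d %H:%M:%S %Y GMT"

# Constructed sample output for a CRL with a one-week validity period.
SAMPLE = """lastUpdate=Mar  9 14:00:00 2009 GMT
nextUpdate=Mar 16 14:00:00 2009 GMT"""


def parse_crl_window(text):
    """Return (this_update, next_update) as timezone-aware UTC datetimes."""
    fields = dict(line.split("=", 1) for line in text.strip().splitlines())

    def parse(value):
        return datetime.strptime(value.strip(), FMT).replace(tzinfo=timezone.utc)

    return parse(fields["lastUpdate"]), parse(fields["nextUpdate"])


def crl_status(text, now, warn_margin=timedelta(days=2)):
    """Classify the CRL at time `now`; also return the time left until nextUpdate."""
    this_update, next_update = parse_crl_window(text)
    remaining = next_update - now
    if now < this_update:
        return "NOT_YET_VALID", remaining
    if remaining <= timedelta(0):
        return "EXPIRED", remaining
    if remaining <= warn_margin:
        return "WARN", remaining
    return "OK", remaining


def failure_window(text, outage_start, outage_end):
    """Time during which strict revocation checks fail because the cached CRL
    has passed nextUpdate and no replacement can be fetched (assumed model)."""
    _, next_update = parse_crl_window(text)
    if outage_start <= next_update < outage_end:
        return outage_end - next_update
    return timedelta(0)


def utc(*args):
    """Helper: build a UTC datetime from year, month, day, hour, minute."""
    return datetime(*args, tzinfo=timezone.utc)


if __name__ == "__main__":
    print(crl_status(SAMPLE, utc(2009, 3, 15, 0, 0)))
    print(failure_window(SAMPLE, utc(2009, 3, 16, 12), utc(2009, 3, 16, 20)))
```

Run on a schedule against each CRL distribution point, a WARN result means the issuing CA has not republished within the margin you expect, while there is still time to act before clients start failing.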

This topic is archived. No further replies will be accepted.
