Offline Root CA CDP
Hi, I am planning a two-tier PKI with Windows 2008 R2. The root CA (RootCA1) will be offline and standalone. Two subordinate issuing CAs (SubCA1 and SubCA2) will be enterprise and online. Everything seems to be working fine in a test environment. My questions are:

1. I would prefer not to publish the CDP URL from the root CA, so the issuing CAs' certificates will not have the published CDP extension (I will configure the AIA URL). That way I don't have to copy CRLs regularly from the offline root CA to the CDP. The root CA will likely only issue two certificates, to the sub CAs. If for whatever reason a sub CA's certificate needs to be revoked, I can add the CDP URL to the root CA later and renew/reissue the certificates for the sub CAs. Is this a bad idea?

2. For the online issuing sub CAs, do I have to manually publish CRLs, or will the CA automatically publish the CRLs before the expiry date?

Thank you.
Frank Z
August 22nd, 2012 11:22am

> Is this a bad idea?

Definitely. You MUST configure both the CDP and AIA extensions on the root CA. Otherwise, many applications will fail, because they will be unable to determine the issuing CA's revocation status.

> For the online issuing sub CAs, do I have to manually publish CRLs, or will the CA automatically publish the CRLs before the expiry date?

If you configure UNC or LDAP paths to publish CRLs, the CAs will automatically update the CRL files in these locations. Note that UNC paths are allowed only for file publication. For CRT/CRL file retrieval, only the HTTP and LDAP protocols are supported.

My weblog: http://en-us.sysadmins.lv
PowerShell PKI Module: http://pspki.codeplex.com
Windows PKI reference: on TechNet wiki
August 22nd, 2012 11:51am
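The configuration Vadims describes (CDP and AIA set on the offline root so the sub CA certificates carry both extensions, a long CRL lifetime so the root CRL is copied rarely, and an HTTP location that clients can actually fetch from), as an added PowerShell example that is not part of the original thread. The repository URL http://pki.example.com/pki, the web share \\web01\pki$ and the file names are assumptions; the certutil registry names and URL flag values are the documented ones for AD CS.

```powershell
# Added example, not from the original thread. Run in an elevated PowerShell
# on the offline standalone root CA (RootCA1). Assumed names: the HTTP
# repository http://pki.example.com/pki is hosted by an online web server
# whose share \\web01\pki$ is reachable from an admin workstation.

$HttpBase = 'http://pki.example.com/pki'                # assumption
$Local    = "$env:windir\system32\CertSrv\CertEnroll"   # CA's local publish folder

# certutil URL flag bits.
#   CA\CRLPublicationURLs:   1 = publish CRL here (file/UNC/LDAP only, never HTTP)
#                            2 = put URL in the CDP extension of issued certs
#   CA\CACertPublicationURLs: 1 = publish CA cert here
#                            2 = put URL in the AIA extension of issued certs
# Tokens: %3 = CA name, %8 = CRL suffix, %9 = delta suffix,
#         %1 = server DNS name, %4 = certificate renewal suffix.
# certutil splits REG_MULTI_SZ entries on a literal "\n", which is why the
# join string is single-quoted (PowerShell must not turn it into a newline).
$cdp = @(
    "1:$Local\%3%8%9.crl",       # root writes its CRL locally (it is offline)
    "2:$HttpBase/%3%8%9.crl"     # clients fetch it from the web server
) -join '\n'

$aia = @(
    "1:$Local\%1_%3%4.crt",
    "2:$HttpBase/%1_%3%4.crt"
) -join '\n'

certutil -setreg 'CA\CRLPublicationURLs'    $cdp
certutil -setreg 'CA\CACertPublicationURLs' $aia

# Long base CRL with a two-week overlap, and no delta CRL: nobody can fetch
# a delta from an offline box, and the root only ever signs a handful of certs.
certutil -setreg 'CA\CRLPeriodUnits'        26
certutil -setreg 'CA\CRLPeriod'             'Weeks'
certutil -setreg 'CA\CRLOverlapPeriodUnits' 2
certutil -setreg 'CA\CRLOverlapPeriod'      'Weeks'
certutil -setreg 'CA\CRLDeltaPeriodUnits'   0

Restart-Service certsvc      # registry changes are read at service start
certutil -CRL                # publish a fresh base CRL to $Local now

# The .crt and .crl now in $Local are carried (removable media) to a
# domain-joined admin workstation, then:
#   certutil -dspublish -f RootCA1.crt RootCA     # trusted root into AD
#   certutil -dspublish -f RootCA1.crl            # CRL into AD (optional, HTTP is the CDP)
#   Copy-Item RootCA1.crt, RootCA1.crl \\web01\pki$\
#
# Check before anyone relies on it: the CRL must be fetchable at the URL that
# the sub CA certificate names, and the chain must build with revocation on.
#   certutil -dump RootCA1.crl | Select-String 'NextUpdate|Next CRL Publish'
#   certutil -verify -urlfetch .\SubCA1.crt
# A "Revocation function was unable to check revocation" line from the second
# command means the CDP in SubCA1.crt does not resolve, which is exactly the
# failure Vadims warns about when the root has no CDP configured.
```

For the online issuing CAs, the same flag scheme answers the second question: any location carrying flag 1 (file, UNC or LDAP) is written automatically by the CA service at each CRL period, so no manual publication is needed there; the HTTP URL gets flag 2 only and is served by the web server from the file the CA wrote.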

Thanks for the quick answers, Vadim. For the first question, just to clarify, my issuing CAs will have CDP configured, just the root CA will not. Does that make any difference? I guess I am not understanding the CRL checking process. Thanks again. Frank Z.
August 23rd, 2012 3:18pm

Frank, your language is not clear <G>.

- The root CA certificate will not have a CDP/AIA, per best practices.
- The certificates issued by the root CA (including the issuing CAs' certificates) must have an AIA and CDP extension.
- The certificates issued by the issuing CA must have an AIA and CDP extension.

Brian
August 23rd, 2012 5:43pm

> Thanks for the quick answers, Vadim. For the first question, just to clarify, my issuing CAs will have CDP configured, just the root CA will not. Does that make any difference? I guess I am not understanding the CRL checking process. Thanks again. Frank Z.

I think this article will explain something: http://en-us.sysadmins.lv/Lists/Posts/Post.aspx?ID=36

My weblog: http://en-us.sysadmins.lv
PowerShell PKI Module: http://pspki.codeplex.com
Windows PKI reference: on TechNet wiki
August 23rd, 2012 11:16pm

Vadims, thanks for pointing me to that great article. I understand it now.
August 24th, 2012 12:16pm

Thanks, Brian. I got it now. Frank Z.
August 24th, 2012 12:17pm
