Post Installation Configuration
During post-installation configuration of a stand-alone root CA, when specifying the URLs, can this web server be any web server? For example, can it be the issuing CA itself, or does it need to be a separate web server on the network?
January 11th, 2012 8:26pm

It can be any server that is accessible at all times using HTTP. In fact, the web server can be an Apache web server if you so desire, as long as the URL that you type (say http://pki.example.com/certdata) is available. If you are using VPN or other technologies that will validate certificates both inside and outside of the network, then the web server must be both internally and externally accessible using the same URL. Now, you just have to decide how to get the root CA's certificate and CRL to the web server. <G>
Brian
January 11th, 2012 8:55pm

Thank you, sir. I have your book and I am reading it... tough subject, though. Basically I am trying to implement a two-tier CA for a client that wants to primarily issue user certs for use with RSA IDs. If you don't mind, I would like to bounce a few questions off you.
1. They have an existing 2008 CA installed as an Enterprise online CA, only used for computer certs and some internal websites. Can I set up an offline cert and a subordinate (policy and issuing) on top of that existing one? They would prefer an offline model.
2. For the CRLs, should I use CDP, AIA, or the new Online Provider? Can I just focus on one of those instead of all? I would rather not have to worry about too many methods for certificate revocation.
January 11th, 2012 9:21pm

1. Since you have a root, you cannot convert the previous root to a subordinate, so you would be standing up a new PKI to replace the old, using the more traditional offline root CA model.
2. OCSP requires that the Online Responder can read the CRLs from the CDP distribution points, so you cannot eliminate the CDP extension. What you are doing is providing failover for Windows Vista+ clients. They will first attempt to validate a certificate using OCSP. If that fails, it falls back to using CDP. OCSP improves network performance for revocation checking (especially with large CRLs), because the client sends a simple request/response based on the serial number being validated.
So, to summarize, you need all three:
1) CRLs will be published in the CDP extension of an issued certificate, while delta CRLs are published in the Freshest CRL extension of the CRL object.
2) CA certificates are still required and are published in the AIA extension of an issued certificate.
3) OCSP responders are optional, but highly recommended. The reference to the OCSP responder is also included in the AIA extension.
HTH
Brian
January 11th, 2012 9:45pm
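To make the three extensions concrete, here is an added example (not from the thread, and not from Brian's book) of setting CDP, AIA and the OCSP pointer on the issuing CA with certutil from an elevated PowerShell prompt on the CA itself. The host names pki.example.com and ocsp.example.com, the certdata path and the CRL lifetimes are assumptions; the numeric prefixes are the documented CRLPublicationURLs and CACertPublicationURLs flag values.

```powershell
# Added example: CDP, AIA and OCSP publication settings for an issuing CA.
# Run in an elevated PowerShell prompt on the issuing CA. Host names and
# paths are assumptions; substitute your own.
#
# Flag values (add them together):
#   CRLPublicationURLs    : 1 = publish base CRL here, 2 = put in CDP extension of issued certs,
#                           4 = put in Freshest CRL (delta) extension, 64 = publish delta CRL here
#   CACertPublicationURLs : 1 = publish CA cert here, 2 = put in AIA extension,
#                           32 = put in AIA as the OCSP responder URL
# Replacement tokens: %1 server DNS name, %3 CA name, %4 cert index,
#                     %8 CRL name suffix ('+' for delta), %9 delta-CRL-allowed marker

$WebCdp  = 'http://pki.example.com/certdata'   # assumption: the web server from the earlier reply
$OcspUrl = 'http://ocsp.example.com/ocsp'      # assumption: Online Responder URL
$Local   = 'C:\Windows\System32\CertSrv\CertEnroll'

# CDP: write base and delta CRL to the local CertEnroll folder (65 = 1 + 64) and
# advertise the HTTP location both in issued certs and as the delta location
# (6 = 2 + 4). No LDAP entry, so the CRL stays reachable for clients outside
# the domain (the VPN case mentioned earlier).
$crlUrls = @(
    "65:$Local\%3%8%9.crl",
    "6:$WebCdp/%3%8%9.crl"
)
# certutil takes the two-character sequence \n as the separator between entries.
certutil -setreg CA\CRLPublicationURLs ($crlUrls -join '\n')

# AIA: publish the CA cert locally (1), advertise the HTTP copy (2) and the
# OCSP responder (32). OCSP sits in AIA, not CDP, exactly as the reply says.
$aiaUrls = @(
    "1:$Local\%1_%3%4.crt",
    "2:$WebCdp/%1_%3%4.crt",
    "32:$OcspUrl"
)
certutil -setreg CA\CACertPublicationURLs ($aiaUrls -join '\n')

# CRL lifetimes (the CRLPeriod / Overlap / Delta question). The unit name goes
# in *Period and the count in *PeriodUnits or *Units. Values are assumptions:
# weekly base CRL, daily delta, 4 hours of overlap to cover publishing delays.
certutil -setreg CA\CRLPeriod            'Weeks'
certutil -setreg CA\CRLPeriodUnits       1
certutil -setreg CA\CRLDeltaPeriod       'Days'
certutil -setreg CA\CRLDeltaPeriodUnits  1
certutil -setreg CA\CRLOverlapPeriod     'Hours'
certutil -setreg CA\CRLOverlapUnits      4

# Registry changes take effect when the service restarts; then publish a new
# base and delta CRL so the files exist at the locations just configured.
Restart-Service CertSvc
certutil -CRL

# Show what the CA will now stamp into certificates.
certutil -getreg CA\CRLPublicationURLs
certutil -getreg CA\CACertPublicationURLs

# Exercise every URL (CDP, AIA and OCSP) the way a client would, against a
# certificate this CA issued. Assumption: issued-cert.cer is an exported leaf cert.
# certutil -verify -urlfetch .\issued-cert.cer
```

The last command is the practical check for the point made in the reply: with the Online Responder configured, the output shows the OCSP query succeeding first, and the CDP URL is still fetched because the responder itself, and any client that cannot reach it, falls back to the CRL.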

massively helpful. Thanks. One last question for now, what would you recommend for CRLPeriods, CRLOverlap, and CRLDelta?
January 11th, 2012 10:15pm

Is this good enough for the combined Policy and Issuing CA?

[Version]
Signature="$Windows NT$"

[Certsrv_Server]
RenewalKeyLength=2048
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=5
; the unit name goes in *Period, the count in *PeriodUnits / *Units
CRLPeriod=Weeks
CRLPeriodUnits=1
CRLOverlapPeriod=Hours
CRLOverlapUnits=4
CRLDeltaPeriod=Days
CRLDeltaPeriodUnits=1
; Windows Server 2008 name of AlternateSignatureAlgorithm; 1 = PKCS#1 v2.1
; signatures, which pre-Vista clients cannot validate
DiscreteSignatureAlgorithm=1
LoadDefaultTemplates=0
January 11th, 2012 10:59pm

So I went through all the steps and found that there are errors in the CA MMC: unable to download from the http: locations. I did something wrong with the website. How do you copy the files into the CertData website? I'm using IIS 7.5.
January 11th, 2012 11:39pm
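Two practical questions in this thread go unanswered on the page: how the root CA's certificate and CRL get onto the web server (raised in the first reply), and how the files are copied into a CertData site on IIS 7.5 (the last post). The following is an added example, not a reply from the thread, run on the IIS 7.5 host, which in the simplest case is the issuing CA itself, as the opening question asked. The site name, folder, URL and removable-media path are assumptions.

```powershell
# Added example, not part of the thread: host a CertData folder on IIS 7.5 and
# put CA certificates and CRLs into it. Run elevated on the web server.
# Site name, folder, URL and the USB path are assumptions.
Import-Module WebAdministration   # ships with IIS 7.5 on Windows Server 2008 R2

$Site     = 'Default Web Site'
$VdirName = 'certdata'
$Folder   = 'C:\inetpub\certdata'
$BaseUrl  = 'http://pki.example.com/certdata'   # must match the CDP/AIA URLs the CA stamps into certs

# 1. Folder and virtual directory. The URL path must equal what the CA advertises.
if (-not (Test-Path $Folder)) { New-Item -Path $Folder -ItemType Directory | Out-Null }
if (-not (Test-Path "IIS:\Sites\$Site\$VdirName")) {
    New-WebVirtualDirectory -Site $Site -Name $VdirName -PhysicalPath $Folder | Out-Null
}

# 2. Delta CRL file names contain '+' (for example 'Contoso Issuing CA+.crl').
# IIS request filtering treats the escaped '+' as double escaping and answers
# 404 unless this is enabled. That is the usual cause of "Unable to download"
# on the delta CRL row of the CA console while the base CRL downloads fine.
Set-WebConfigurationProperty -PSPath "IIS:\Sites\$Site\$VdirName" `
    -Filter 'system.webServer/security/requestFiltering' `
    -Name 'allowDoubleEscaping' -Value $true
# Equivalent: appcmd set config "Default Web Site/certdata" /section:requestFiltering /allowDoubleEscaping:true

# 3. Copy the files. On an online issuing CA they are in CertEnroll on this
# machine. The offline root's .crt and .crl arrive by removable media; drop
# them into the same folder so both CA certs and both CRLs sit under one URL.
Copy-Item "$env:SystemRoot\System32\CertSrv\CertEnroll\*.crt" $Folder -Force
Copy-Item "$env:SystemRoot\System32\CertSrv\CertEnroll\*.crl" $Folder -Force
# Copy-Item 'E:\RootCA\*' $Folder -Force    # assumption: USB key carrying the root's files

# 4. Fetch each file through the same URL a client will use and confirm that
# what came back is a parseable certificate or CRL, not an error page.
$wc = New-Object System.Net.WebClient
Get-ChildItem $Folder | Where-Object { $_.Extension -match '^\.(crl|crt)$' } | ForEach-Object {
    $url = "$BaseUrl/" + [Uri]::EscapeDataString($_.Name)   # escapes spaces and the delta '+'
    $tmp = Join-Path $env:TEMP $_.Name
    try {
        $wc.DownloadFile($url, $tmp)
        certutil -dump $tmp | Out-Null     # exit code 0 only for a valid DER object
        if ($LASTEXITCODE -eq 0) { "OK   $url" } else { "BAD  $url (not a valid CRL/certificate)" }
    } catch {
        "FAIL $url : $($_.Exception.Message)"
    }
}
```

IIS 7.5 already maps .crl and .crt to the right MIME types, so a failure here is almost always the URL path not matching the extension in the certificate, the '+' of the delta CRL being rejected, or, for the VPN case from the first reply, the host name resolving only inside the network. Running `certutil -verify -urlfetch` against an issued certificate from a client machine repeats the same fetches from the client's point of view and is the final check before calling the CertData site done.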
