Friday, April 1, 2016

When does a Windows CA refresh the CRL?

Hi. Since I have been working with Windows PKI (10+ years), I have noticed that a Windows CA can run into a situation where the CRL has expired and the CA service will never renew it until you force it to.
That happens if the CA is down for maintenance or restore right at the time the renewal of the CRL would be triggered. That is bad, but only things we cannot change should keep us awake at night, so here is the solution for that problem.
I recommend issuing the CRL, e.g. for issuing CAs, with a validity between 10 and 14 days; no longer, and definitely not much shorter, until you are 110 percent sure about your recovery process and have tested it for real. I once had a client who promised to have any machine recovered within 4 hours. We had a bad hard drive or controller, and one thing led to another. We asked for a recovery, which happened 4 days later. So if your CRL is too short, you get a lot of pressure at this point.

As in any good PKI project, you can ask certutil.exe for help.

A certutil.exe -CRL command triggers the CA to issue a new CRL. Depending on your configuration, that file goes into LDAP and/or onto the file system. With certutil.exe -getcrl myCAcrlfile.crl you get it from the CA as well, e.g. in case you want to copy it to multiple web servers.
A scheduled task can do that, e.g. executed once a day or night.

So that gives us some advantages:
1) we see a new CRL every day (like a heartbeat ;-))
2) the new CRL always has the maximum validity period
3) it contains the latest revoked certificates, if any
4) even if the CA was down for maintenance at the point of CRL renewal, the scheduled task will take care of the CRL renewal

If you make heavy use of certificate revocation, this is also the way to trigger the CA to issue new CRLs more often: just run it more often.
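A scheduled-task script that strings these steps together, added here as an example and not code from the original post: it forces a new CRL with certutil -CRL, fetches it with -getcrl, reads ThisUpdate/NextUpdate from certutil -dump so that an expired or un-renewed CRL is never distributed, and copies the file to the web servers. The CA config string, file path and UNC shares are placeholders, and the date parsing assumes certutil prints dates in the local date format.

```powershell
# Added example (not from the original post): force a fresh CRL, fetch it,
# sanity-check its validity window, then copy it to the CDP web servers.
# Assumptions: CA config string, output path and UNC shares are placeholders;
# certutil -dump prints "ThisUpdate:"/"NextUpdate:" lines in the local date format.
param(
    [string]$CaConfig    = 'ca01.corp.example\Corp Issuing CA 1',   # placeholder
    [string]$OutFile     = 'C:\CRL\CorpIssuingCA1.crl',              # placeholder
    [string[]]$CdpShares = @('\\web01\cdp$', '\\web02\cdp$'),        # placeholders
    [int]$MinDaysLeft    = 5    # warn when NextUpdate is closer than this
)
$ErrorActionPreference = 'Stop'

function Get-CrlDate([string[]]$DumpText, [string]$Field) {
    # Pull e.g. " NextUpdate: 4/11/2016 9:00 AM" out of the certutil -dump output.
    $m = $DumpText | Select-String -Pattern "^\s*$Field\s*:\s*(.+?)\s*$" | Select-Object -First 1
    if (-not $m) { throw "$Field not found in CRL dump of $OutFile" }
    return [datetime]::Parse($m.Matches[0].Groups[1].Value)
}

# 1) Trigger the CA to issue a new base CRL (the post's certutil -CRL).
& certutil.exe -config $CaConfig -CRL | Out-Null
if ($LASTEXITCODE -ne 0) { throw "certutil -CRL failed (exit code $LASTEXITCODE)" }

# 2) Retrieve the current CRL from the CA (the post's certutil -getcrl).
& certutil.exe -config $CaConfig -getcrl $OutFile | Out-Null
if ($LASTEXITCODE -ne 0) { throw "certutil -getcrl failed (exit code $LASTEXITCODE)" }

# 3) Refuse to distribute a CRL that is expired or was not actually renewed.
$dump       = & certutil.exe -dump $OutFile
$thisUpdate = Get-CrlDate $dump 'ThisUpdate'
$nextUpdate = Get-CrlDate $dump 'NextUpdate'
$now        = Get-Date
if ($nextUpdate -le $now) {
    throw "CRL already expired at $nextUpdate; the CA did not produce a new one"
}
if ($thisUpdate -lt $now.AddHours(-1)) {
    Write-Warning "ThisUpdate is $thisUpdate; certutil -CRL may not have issued a new CRL"
}
$daysLeft = ($nextUpdate - $now).TotalDays
if ($daysLeft -lt $MinDaysLeft) {
    Write-Warning ("Only {0:N1} days until NextUpdate; check the CRL period" -f $daysLeft)
}

# 4) Push the verified CRL to every web server that serves the CDP URL.
foreach ($share in $CdpShares) { Copy-Item -Path $OutFile -Destination $share -Force }
Write-Output ("Published CRL: ThisUpdate={0} NextUpdate={1}" -f $thisUpdate, $nextUpdate)
```

Register the script once as a nightly task (e.g. New-ScheduledTaskTrigger -Daily -At 02:00 with Register-ScheduledTask, running as SYSTEM) so it acts as the daily heartbeat the post describes; the exit code and warnings are what your monitoring should alert on.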

Until next time,
Lutz
