09 November 2011

Update PKI with new offline root CA CRL - step by step guide

As part of your PKI maintenance you will periodically need to update the CRL from the offline Root CA.  If you have inherited the PKI infrastructure you might now have all the required information handy.  The guide will hopefully take you through what you need to get your PKI status back to normal.


CA - Certification Authority
PKI - Public Key Infrastructure
CRL - Certificate Revocation List
CDP - CRL Distribution Point
AIA - Authority Information Access

Process overview
  • Bring Root CA online
  • Create a new CRL
  • Copy the CRL to the network
  • Distribute to CDP and AIA
  • Verify the update is sucessfully installed
  • Diary entry for the next update date

Bring the root CA online
Best practise for a root CA is to have it totally offline.  It is also best practice to have the root CA as a virtual machine that an easily be backed up and restored should an issue occur.  Generally the process involves starting up the virtual machine and connecting via the VM console.  My personal suggestion here is also to make a snapshot before you start.

Check the current CRL

  • Browse to C:\Windows\system32\certsrv\certenroll
  • Open the .crl file
  • Check the Next update field - This is the expiry date
  • Make a note of the CRL Number for the verification step later

Create the new CRL

  • Open the MMC
  • Add the Certificate Authority Snap in select local computer
  • Expand the tree till you get to the Revoked Certificates node
  • Right click and select  - All tasks - Publish
  • Choose New CRL
  • Alternatively you can run  certutil -crl  to do the same thing 

You will also have to make a note of where the CDP and AIA locations are.  The updated CRL file needs to be copied to all these locations.

From the Certificate Authority snap in

  • Select the Root CA - Right Click -Properties
  • Select the Extensions tab
  • From here there is a drop box where you can select either the CDP or the AIA.

The box below will show where the locations are that you need to update.

This process should now have generated and saved the updated CRL to the C:\Windows\system32\certsrv\certenroll folder.

  • Check the updated CRL file as you did above.  This time the CRL number should have increased by 1 and the dates should be different.

Getting the CRL file on to the network

  • Create a virtual floppy
  • Attach it to your Root CA
  • Copy the CRL file onto the floppy
  • Detach the drive and connected it to a networked VM

(Alternatively - connect the VM to the network and copy the file across before disconnecting the VM again)

Distribute to CDP and AIA locations
The .crl file now needs to be copied to all the network CDP and AIA locations.  This is genereally a IIS server on the network.  The information gather above should help you track down the server.

Publish CRL to AD and the Issuing CA local root trust

  • Log onto the Issuing CA and open a command prompt as administrator
  • Browse to a directory that contains the new crl files
  • To publish to the Issuing CA certutil -f -addstore infile "FileName.crl"
  • To Publish to Active Directory  certutil -v -f -dsPublish “FileName.crl” RootCA 

Verify the update is sucessfully installed
Once the files have been copiesd to all the required location you can check the health of your PKI environement again.
  • Open the MMC console
  • Add the Enterprise PKI snap in
  • Expand to the Root CA
  • In the details pane you should now see that there are no warning or errors
  • The CDP location should also reflect the new dates

Double Clicking on the CDP field should open the new CRL file where you can again verify it is 100% correct.

Diary entry for the next update date
You will have to do this again in the future and since the interval is normally 6 months or more it is easy to forget.  Set up a meeting request where you and or another PKI admin nneds to perform these steps.  It is recommended that this be performed a few days prior to the actual expiry date to ensure proper propegation etc in larger environments.  Also copy in the link to this article...

1 comment:

Anonymous said...

Good article, simple guide for a PKI admin

Post a Comment