PKI Design - ocsp vs delta CRLs, separating CRL hosting from issuing CAs

Hi,
I'm giving my PKI environment a bit of an overhaul. I have a 2 tier PKI with an offline root CA which serves around 2000 clients - a lot of mobile device certificates are used. I'm not using delta CRLs and currently my issuing CA is also the publishing point for AIA and CDP information. I'm thinking of making the following changes:
1. Use separate web servers to host the CRL and AIA files rather than placing them directly on the issuing CA, I'm then thinking of disabling IIS on the issuing CA for security reasons. The only downside to this I can see is that I'll lose web enrollment functionality - is there a way around this?
2. I currently don't use delta CRLs (AIA and CRL files are around 9.5 KB), I'm wondering whether it'd be worthwhile to use them or go a step further with OCSP? Although I am keen to not over engineer the solution.
3. If I add another issuing CA, presumably there's no way they can share the same DB? 
Cheers

> The only downside to this I can see is that I'll lose web enrollment functionality - is there a way around this?
Starting with Windows Server 2008 you can install web enrollment on a separate computer. During service install you will be prompted to specify the CA server to associate. Also, web enrollment is outdated and very limited. Try to avoid it if possible.
> I currently don't use delta CRLs (AIA and CRL files are around 9.5 KB), I'm wondering whether it'd be worthwhile to use them or go a step further with OCSP?
Based on your current CRL size, you will not get any benefits from OCSP, so you can postpone its deployment until it is necessary (when your CRL becomes much larger). Keep things simple.
Vadims Podāns, aka PowerShell CryptoGuy
My weblog: en-us.sysadmins.lv
PowerShell PKI Module: pspki.codeplex.com
PowerShell Cmdlet Help Editor pscmdlethelpeditor.codeplex.com

Similar Messages

  • CRL and delta CRL generation schedule not fixed (CS 2008 R2 and CS 2003 R2)

    CRL and delta CRL is generated daily at the same time in test environment (sometimes offset may be about 1 minute).
    Delta CRL generation statistics (effective date) in production environment :
    2014.07.12 23:01
    2014.07.14 00:00
    2014.07.15 00:43
    2014.07.16 01:22
    2014.07.17 01:59
    2014.07.18 03:10
    2014.07.19 03:48
    One can see that delta CRL generation time is constantly shifting and it's not the same as time period when delta CRL is being generated. Delta CRL validity is 1 day, so it should be generated each day at the same time. CRL size is about 10MB, delta CRL size is about 0,5 MB. Delta CRL generation time is about 1,5 H.
    Question: is it possible to fix CRL and delta CRL generation time (make it constant), using standard ADCS tools/settings? Role separation is used in solution, therefore it's not safe to run daily task (with CA administrator's permissions) to force publishing time in CA registry (if it's possible at all?), or similar "workaround".

    Hi, Vivian! Sorry for delay - I was dealing with another urgent issue, but now it's time to return to this issue.
    Vadims, thank you for information. I saw this article
    http://blogs.technet.com/b/pki/archive/2008/06/05/how-effectivedate-thisupdate-nextupdate-and-nextcrlpublish-are-calculated.aspx, but it does not answer all the questions.
    Following links in article referred in your post, I found latest version of article moved to TechNet:
    http://social.technet.microsoft.com/wiki/contents/articles/20652.how-thisupdate-nextupdate-and-nextcrlpublish-are-calculated.aspx
    That article provides more detailed explanation, but there are still some questions. Below is schedule of delta CRL publishing on production and test servers which are using absolutely identical CA settings, including but not limited to CRLPeriod, CRLOverlapPeriod,
    CRLDeltaPeriod, CRLDeltaOverlapPeriod, ClockSkewMinutes.
    But production server has more certificates and publishing of delta CRL requires more time (about 1,5-2h). As result, CRL and delta CRL publishing time constantly shifting approx. by 1h (this timeframe is not equal to delta CRL generation time), but CRL
    and delta CRL on test server are generated almost at the same time (see more info below).
    Therefore, one can assume that something is missing in publishing time calculation formulas, provided in the articles mentioned above.
    PROD SERVER:
    CRL This Update     CRL Next Update     CRL This Publish    CRL Next Publish
    2014.07.09 00:42    2014.07.10 12:42    2014.07.09 00:42    2014.07.10 00:42
    2014.07.10 01:20    2014.07.11 13:20    2014.07.10 01:20    2014.07.11 01:20
    2014.07.11 01:57    2014.07.12 13:57    2014.07.11 01:57    2014.07.12 01:57
    2014.07.12 03:07    2014.07.13 15:07    2014.07.12 03:07    2014.07.13 03:07
    2014.07.12 23:01    2014.07.14 11:01    2014.07.12 23:01    2014.07.13 23:01
    2014.07.14 00:00    2014.07.15 12:00    2014.07.14 00:00    2014.07.15 00:00
    2014.07.15 00:43    2014.07.16 12:43    2014.07.15 00:43    2014.07.16 00:43

    TEST SERVER:
    CRL This Update     CRL Next Update     CRL This Publish    CRL Next Publish
    2014.07.09 15:08    2014.07.11 3:08     2014.07.09 15:08    2014.07.10 15:08
    2014.07.10 15:13    2014.07.12 3:13     2014.07.10 15:13    2014.07.11 15:13
    2014.07.11 15:13    2014.07.13 3:13     2014.07.11 15:13    2014.07.12 15:13
    2014.07.12 15:13    2014.07.14 3:13     2014.07.12 15:13    2014.07.13 15:13
    2014.07.13 15:13    2014.07.15 3:13     2014.07.13 15:13    2014.07.14 15:13
    2014.07.14 15:13    2014.07.16 3:13     2014.07.14 15:13    2014.07.15 15:13
    2014.07.15 15:13    2014.07.17 3:13     2014.07.15 15:13    2014.07.16 15:13
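
The drift in the figures posted in this thread can be measured directly, along with how much of the old CRL's validity was left each time its successor appeared. This is an added example, not part of the original posts: the timestamps are copied from the post, while the function names and the 11-hour alert threshold are assumptions chosen for illustration.

```python
from datetime import datetime

FMT = "%Y.%m.%d %H:%M"

# (ThisUpdate, NextUpdate, NextCRLPublish) for each published CRL,
# copied from the PROD and TEST figures in the post.
PROD = [
    ("2014.07.09 00:42", "2014.07.10 12:42", "2014.07.10 00:42"),
    ("2014.07.10 01:20", "2014.07.11 13:20", "2014.07.11 01:20"),
    ("2014.07.11 01:57", "2014.07.12 13:57", "2014.07.12 01:57"),
    ("2014.07.12 03:07", "2014.07.13 15:07", "2014.07.13 03:07"),
    ("2014.07.12 23:01", "2014.07.14 11:01", "2014.07.13 23:01"),
    ("2014.07.14 00:00", "2014.07.15 12:00", "2014.07.15 00:00"),
    ("2014.07.15 00:43", "2014.07.16 12:43", "2014.07.16 00:43"),
]
TEST = [
    ("2014.07.09 15:08", "2014.07.11 3:08", "2014.07.10 15:08"),
    ("2014.07.10 15:13", "2014.07.12 3:13", "2014.07.11 15:13"),
    ("2014.07.11 15:13", "2014.07.13 3:13", "2014.07.12 15:13"),
    ("2014.07.12 15:13", "2014.07.14 3:13", "2014.07.13 15:13"),
    ("2014.07.13 15:13", "2014.07.15 3:13", "2014.07.14 15:13"),
    ("2014.07.14 15:13", "2014.07.16 3:13", "2014.07.15 15:13"),
    ("2014.07.15 15:13", "2014.07.17 3:13", "2014.07.16 15:13"),
]


def _parse(rows):
    """Turn the string triples into datetime triples."""
    return [tuple(datetime.strptime(v, FMT) for v in row) for row in rows]


def _minutes(delta):
    return int(delta.total_seconds() // 60)


def publish_lateness(rows):
    """Minutes between the NextCRLPublish announced by each CRL and the
    ThisUpdate of the CRL that actually followed it (negative = early)."""
    parsed = _parse(rows)
    return [_minutes(nxt[0] - cur[2]) for cur, nxt in zip(parsed, parsed[1:])]


def expiry_margin(rows):
    """Minutes of validity (up to NextUpdate) the previous CRL still had
    when its successor's ThisUpdate began."""
    parsed = _parse(rows)
    return [_minutes(cur[1] - nxt[0]) for cur, nxt in zip(parsed, parsed[1:])]


def low_margin(rows, threshold_min):
    """CRLs whose successor arrived with less than threshold_min minutes
    of validity left; a candidate condition for a monitoring alert."""
    return [(row[0], m) for row, m in zip(rows, expiry_margin(rows))
            if m < threshold_min]


if __name__ == "__main__":
    for name, rows in (("PROD", PROD), ("TEST", TEST)):
        print(name, "lateness (min):", publish_lateness(rows))
        print(name, "margin   (min):", expiry_margin(rows))
        # 11 h threshold is an assumption for this example.
        print(name, "below 11 h    :", low_margin(rows, 11 * 60))
```

Run against a CA's real publication history, the same margin check shows whether slow CRL generation is consuming the overlap period before clients would see an expired CRL.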

  • Base + Delta CRL concatenation issue

    Hi Everybody !
    I am configuring two factor Authentication on Oracle I&AM Platform. Facing issues with CRLs (Certificate revocation list).
    Solution works fine using base CRL. But the issue is that base CRL is generated on weekly basis.
    Certificates revoked during the week are updated in Delta CRL.
    According to Oracle Note : ID 418613.1 , delta CRL should be concatenated with base CRL to work.
    2- When Base and Delta CRLs are concatenated the results are below :
    Results after Base+Delta CRL concatenation :
    3- Suppose base CRL is named as Base.CRL and delta CRL is named as delta.crl and resultant concatenated file is named as ca.crl
    4- In ca.crl if base.crl is top most and delta.crl is lower one , then HTTP server only reads Base CRL. Not the delta one. That is the issue. Because certificate revoked during week published in Delta CRL , and HTTP server is not reading delta after concatenation.
    5- If suppose while concatenation , we put delta.crl on top and base.crl on bottom then HTTP Server only reads delta.crl and ignores base.crl that is lower most at this time.
    Note :
    1- CRLs are base 64 encoded.
    2- CRLs are up to date.
    3- HTTP server is restarted after every change.
    Question :
    1- How to resolve the CRL issue after concatenation (base+delta) ?
    Thanks,
    Regards,
    /Hammad

  • How to retrieve CRL information from a client computer

    Is possible to retrieve CRL information from a client computer and how?
    Thanks.

    CRLs do not normally live on workstations... normally these are hosted on servers. If you want to see what servers are in the local revocation list then look at the certificates mmc snap-in and look at the revoked certificate list. If you want to test a CRL for a certificate then export the certificate and run "Certutil -url"
    Alan Burchill (MVP)
    http://www.grouppolicy.biz
    @alanburchill

  • Separating application logic from GUI

    I don't know if this is the right forum to ask this question. I know that It's a very bad practice to embed application logic in GUI code, they have to be separated and communicate in some way. I've read somewhere that they need a kind of an adapter class or a knowledge of design patterns, which I actually don't have.
    Could someone direct me to a nice tutorial, which explains this issue? Thank you.

    hey KidJava, here is something about separating application logic from GUI ...
    http://www.springframework.org/docs/MVC-step-by-step/Spring-MVC-step-by-step.html

  • Separation of Moment from Workflow

    Separation of Moment from Workflow
    Recently, there have been cases where we've considered "fudging" workflow - we have a service, someone approves and it needs to go onto another group or person that works on the service more before it needs to go somewhere else for approval, etc. - there really isn't a way to capture the approvals after the approval moment unless you want to have someone click on a "done" button.  While this is one instance - it would be cool to be able to define the workflow from start to end.  Perhaps Auths can be included in the Plan section, but allow the service designer to choose the workflow type (and one of those types would be auths, another would be provisioning, etc,).

    Hi Brandy, I'm sorry that there hasn't been a reply to your question. Do you still have this question open, or have you gotten an answer from somewhere else?

  • Delta records are not loading from DSO to info cube

    My query is about delta loading from DSO to info cube. (Filter used in selection)
    Delta records are not loading from DSO to Info cube. I have tried all options available in DTP but no luck.
    Selected "Change log" and "Get one request only" and run the DTP, but 0 records got updated in info cube
    Selected "Change log" and "Get all new data request by request", but again 0 records got updated
    Selected "Change log" and "Only get the delta once", in that case all delta records loaded to info cube as it was in DSO and  gave error message "Lock Table Overflow" .
    When I run full load using same filter, data is loading from DSO to info cube.
    Can anyone please help me on this to get delta records from DSO to info cube?
    Thanks,
    Shamma

    Data is loading in case of full load with the same filter, so I don't think filter is an issue.
    When I follow below sequence, I get lock table overflow error;
    1. Full load with active table with or without archive
    2. Then with the same setting if I run init, the final status remains yellow and when I change the status to green manually, it gives lock table overflow error.
    When I change the settings of DTP to init run;
    1. Select change log and get only one request, and run the init, It is successfully completed with green status
    2. But when I run the same DTP for delta records, it does not load any data.
    Please help me to resolve this issue.

  • I have bought and been using the 'Adobe Creative Suite 6 Design Standard'. How do i move this from one laptop, to another laptop?

    I have bought and been using the 'Adobe Creative Suite 6 Design Standard'.
    How do i move this from one laptop, to another laptop?
    I require this for uni, and am struggling to move it across!
    If you can help that would be great

    Hi 7717arrow,
    Please use the below link to download CS6 Design standard on the new machine.
    http://helpx.adobe.com/x-productkb/policy-pricing/cs6-product-downloads.html
    Use the same serial no. to activate the product.
    Thanks

  • Middleware - Delta load is not working from CRM to R/3

    Hi Experts,
    Our client is using SAP-R/3 4.7 and CRM 5.0
    Connectivity was established via Middleware and initial load of Customizing objects and Master data( Customer and Material) was finished successfully.
    Now if i create any Customer or Product in R/3 they were replicating to CRM(Delta load), but this delta load is not working in CRM to R/3 direction.
    In CRM Administration console( Transaction code - SMOEAC) R/3 site was maintained and subscribed for Publications - All Business Partners, All Business Transactions and All Business partner Relationships.
    Can anybody help me out that why Delta load is not happening from CRM to R/3 Direction.
    Thanks in advance
    Nadh.

    Hi Nadh,
    for BPs check PIDE settings once again, i hope u ve already downloaded all mandatory objects for BP, because u already told that replication from r/3 to crm is ok, so check once again PIDE settings (CRM to R/3),
    for Products u ve to manual upload only
    for Products
    This may be necessary because the data is required in the OLTP System for a number of logistical processes such as procurement, inventory management, billing, financial accounting, controlling.
    cheers
    Ranga

  • Custom sendemail in sharepoint 2013 designer workflow using dictionary object with email template from list

    I  am looking for custom sendemail in sharepoint 2013 designer workflow using dictionary object with email template from list
    MCTS Sharepoint 2010, MCAD dotnet, MCPDEA, SharePoint Lead

    Hi Greetings.
    pls check if it helps you.
    http://msdn.microsoft.com/en-us/library/office/jj554504(v=office.15).aspx
    Please remember to click 'Mark as Answer' on the answer if it helps you

  • Why can not you thought of improving the design of power adapters for mac book pro from damage so easily?

    why can not you thought of improving the design of power adapters for mac book pro from damage so easily?

    I congratulate you. you are very lucky because I hurt my less than two years taking all possible care. and have found that this has happened to many people more

  • Separated EPS export from INDD

    I need to get INDD to generate a set of separated EPS files (ie one eps per swatch color that has been used), rather than a composite eps. Its not a standard export option. Does anyone know how to use scripting to do this. Thank you.

    Ole
    Thanks for replying to me – I hope an email reply is OK for you
    I have to produce eps files out of INDD for a printing company that has equipment that can only accept separated EPS – one eps per color. It's all spot colors. Some of the inks are actually metallic foils – they go into a machine which makes dies that cut the foils. I don't understand much about the back end, but it's all more than 15 years old, and it only takes separated eps.
    One thing I'm investigating is whether it's possible to dissect a composite EPS into its components – I can write a program to do this, if I can see the pattern in the eps
    Brian

    > Hi brianjanderson,
    > There's not really a way to do this using export. You could do it by printing PostScript to disk and then processing the PostScript using Distiller, but, before we talk about that, tell me--why do you need to do this?
    > Thanks,
    > Ole

  • Hello, I purchased design premium 4.0 German Windows  (LIZ 390232 from 22.02.2010) from my friend and wanted to installation it. However, the key code does not work. He has the PC is no longer, so he can not  disable the product key. He loaded it, but onl

    Hello, I purchased design premium 4.0 German Windows  (LIZ 390232 from 22.02.2010) from my friend and wanted to installation it. However, the key code does not work. He has the PC is no longer, so he can not  disable the product key. He loaded it, but only in Englisch (trial version?) Please help me for the next step. I have the license agreement in my hand.

    Moving this discussion to the Downloading, Installing, Setting Up forum.
    Jakobh53157856 before you begin the installation process please complete the transfer of license process to transfer the Adobe Creative software license you wish to utilize to your possession,  You can find details regarding the transfer process at Transfer an Adobe product license.

  • Forcing OCSP instead of CRL

    I need to check the signature status of a signed document. What I need to achieve is check the revocation information of the signing certificate through OCSP and show the result of that check. Optionally I am allowed to also do a CRL check and show the result of that check. The document is signed with a certificate that has an OCSP responder URL and a CRL location. The immediate parent certificate is imported into the LC Trust Store so there are no certificates between the signing certificate and the Trust Anchor.
    No matter what I do, I seem to be unable to get the OCSP response / status in the result, I always get the CRL status / result.
    The sequence of actions I am running is:
    - purge the certificate cache through SOAP;
    - purge the CRL cache through SOAP;
    - invoke the verifyPDFDocument method through SOAP.
    I have attached both the PDF I am verifying, a dump of the SOAP request I am sending and a dump of the SOAP response I am getting. (The SOAP response is stripped of some data in the CRL revocationInformation node since it was about 800KB for each occurrence.)
    What I am seeing on the network is that the LC server is doing an OCSP check first (screenshots of the request and response below) and then doing a CRL check (screenshot of the request below, the response is a bit big but is valid). That is something I don't understand, because as you can see from the SOAP request I am explicitly setting the crlOptionSpec to have a checkStyle of NoCheck.
    I believe all these documents together make a self-contained testcase showing the behaviour I am experiencing. I hope somebody can tell me what I need to configure in the SOAP request to get the OCSP response in the verifyPDFDocument output instead of the CRL response.
    OCSP request
    OCSP Response
    CRL request

    In the UBBCONFIG file change the ISL -n switch to have the IP address of the host rather
    than the host name. Another choice would be to use the the -H switch on the ISL, although
    for what you want this would not be the preferred choice.
    -Craig

  • PKI Design / Migration - Questions

    Hello,
    Our organization currently uses a single-tier enterprise root CA for issuing certificates; We are growing and I would like redo this design in accordance with MS Best practice.  
    I just have a few questions:
    My original thought was to add an enterprise subordinate CA and decom the Enterprise root CA we currently have running but I am not sure if this possible or recommended as I am reading many articles stating that you should deploy a standalone root CA (offline)
    then create a enterprise subordinate CA for issuing certificates.  
    If this is the case how would I migrate servers / users over to use the new PKI infrastructure without causing service disruptions? 
    Thank You

    I just want to have some answers to give MGMT when they ask.
    Here's your own answer:
    ...and I would like redo this design
    in accordance with MS Best practice.  
    Brian gave you best practice.
    1 X standalone root CA (off line) – for security
    2 X issuing CA's - Enterprise subordinate CA:
    2X - for redundancy
    Enterprise – so that they use AD for certs, CRL, autoenrollment etc.
    I would also add that if you will not be revoking existing certs issued by the old CA, you may increase CRL publication interval on the old CA from default one day to 99 years. This basically leaves you with static CRL and static CDP web site (you don't
    need to publish CRL on the old CA each day).
    http://blogs.technet.com/b/pki/archive/2012/01/27/steps-needed-to-decommission-an-old-certification-authority-without-affecting-previously-issued-certificates-and-then-switching-all-operations-to-a-new-certification-authority.aspx
