Building a CA Hierarchy: Part Oops. How I Screwed Up

Tags: CA, PKI, Security, Windows Server

This is part Oops of the Building a CA Hierarchy series. If you're just starting, you might want to read the other parts:

Part 1. Building the Root CA
Part 2. Configuring the Root CA
Part 3. Building the Enterprise CA
Part 4. Configuring the Enterprise CA
Part Oops. How I Screwed Up

In the first four parts of my series on configuring Windows 2003 Certificate Authorities I configured the AIA and the CDP as shown here:


Turns out there's one major problem with this. When you renew the CA certificate, the AIA and CDP break.

The fix is to change the configuration so that every AIA path includes the CertificateName variable (in the same position in each file name) and every CDP path includes the CRLNameSuffix variable. Each of these adds the certificate number to the path, so a renewed CA certificate and its CRL no longer land on top of the originals.

My new AIA paths for Certificate #1 will therefore be:

  • for the root CA
  • for the first CA
  • for the second CA

The CRL paths will have the same formats:

  • for the root CA
  • for the first CA
  • for the second CA

To get around the need to update old certificates, I continue to publish the old CRL to the old path name (it's just a file copy).
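As an added example (not from the original post), here is the same renewal-safe AIA and CDP configuration expressed as certutil commands, followed by the checks a practitioner would run after restarting the CA service. The host name pki.example.com, the CertEnroll folder, the old CRL file name and the test certificate are placeholders.

```powershell
# Added example, not from the original post. Run in an elevated prompt on the CA itself.
# certutil substitution variables (documented for the Windows CA):
#   %1 = ServerDNSName   %3 = CaName
#   %4 = CertificateName ("" for the original CA cert, "(1)", "(2)", ... for each renewal)
#   %8 = CRLNameSuffix   ("" for the original CA key, "(1)", "(2)", ... for each new key)
#   %9 = DeltaCRLAllowed (appends "+" to delta CRL names so they never overwrite the base CRL)
# Prefix flags: 1 = publish the file to this location, 2 = put the URL in issued certificates' AIA/CDP extension.
# The literal "\n" is certutil's separator between entries of a multi-string registry value.

$webRoot = 'C:\inetpub\wwwroot\CertEnroll'   # placeholder: folder served as http://pki.example.com/CertEnroll/

# AIA: %4 in the file name keeps a renewed CA certificate from overwriting the old one.
certutil -setreg CA\CACertPublicationURLs ('1:' + $webRoot + '\%1_%3%4.crt\n' +
    '2:http://pki.example.com/CertEnroll/%1_%3%4.crt')

# CDP: %8 (plus %9 for delta CRLs) keeps the renewed CA key's CRL on its own path as well.
certutil -setreg CA\CRLPublicationURLs ('1:' + $webRoot + '\%3%8%9.crl\n' +
    '2:http://pki.example.com/CertEnroll/%3%8%9.crl')

# The new settings take effect only after the CA service restarts.
net stop certsvc
net start certsvc

# Verify what was stored, then publish a fresh CRL under the new naming.
certutil -getreg CA\CACertPublicationURLs
certutil -getreg CA\CRLPublicationURLs
certutil -CRL

# Certificates issued under the old configuration still reference the old CRL path;
# keep that path alive with a plain file copy, as the post describes (file names are placeholders).
Copy-Item -Path "$webRoot\MyCA(1).crl" -Destination "$webRoot\MyCA.crl" -Force

# Check that a previously issued certificate can still fetch its AIA and CDP URLs end to end.
certutil -verify -urlfetch .\issued-cert.cer   # placeholder: any certificate issued by this CA
```

The last command reports each AIA and CDP URL it tried and whether the download succeeded, which is the quickest way to spot a broken path before clients do.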
