AD CS: The CRL publication interval for a stand-alone root CA should be at least 30 days
Applies To: Windows Server 2008 R2, Windows Server 2012
This topic is intended to address a specific issue identified by a Best Practices Analyzer scan. You should apply the information in this topic only to computers that have had the Active Directory Certificate Services Best Practices Analyzer run against them and are experiencing the issue addressed by this topic. For more information about best practices and scans, see Best Practices Analyzer.
Operating System: Windows Server® 2008 R2 and Windows Server® 2012
Product/Feature: Active Directory Certificate Services
Severity: Warning
Category: Configuration
Issue
To enhance security, a root certification authority (CA) should remain offline except when needed to issue or renew a certificate. When a root CA is offline, certificate revocation list (CRL) publication intervals should be extended beyond the default seven-day period.
The intention of keeping a stand-alone root CA offline is to reduce its exposure to security risks. Deployment as an offline CA is typically appropriate only for a stand-alone root CA, because of the greater relative value of a root CA and because root CA management tasks can be performed infrequently. One of the management tasks that requires the root CA to be online is CRL publication.
Impact
An offline or stand-alone CA may not be able to automatically publish updated CRLs. If updated CRLs are not published to their CRL distribution points, revocation checks on certificates issued by the CA may fail.
Resolution
Use the Certification Authority snap-in to set the CRL publication interval to 30 days or longer.
To configure the CRL publication interval
On the CA, open the Certification Authority snap-in.
In the console tree, double-click the root CA to display certificate containers.
Right-click the Revoked Certificates container, and click Properties.
Next to CRL publication interval, type a number that is 30 or larger, and select Days.
Click OK to save changes.
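The setting the snap-in procedure above edits is stored in the CA's registry configuration as the pair CRLPeriod (the unit) and CRLPeriodUnits (the count), and certutil can read and write it directly. The following PowerShell script is an added example, not part of the original article and not Microsoft's own tooling: it reports the current base CRL interval in days, and only if it is below the 30-day minimum sets it to 30 Days, restarts the CA service and publishes a fresh CRL. It assumes it runs as an administrator on the CA itself with the standard CertSvc registry layout; the day equivalents used for Hours, Months and Years are approximations for the comparison only.

```powershell
# Added example: check and correct the base CRL publication interval of a CA.
# Assumptions: run locally on the CA as an administrator; standard CertSvc registry layout.

$MinimumDays = 30

# The active CA name is stored in the "Active" value of the Configuration key.
$configKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName    = (Get-ItemProperty -Path $configKey -Name Active).Active
$caKey     = Join-Path $configKey $caName

# CRLPeriod (unit string) and CRLPeriodUnits (count) together define the interval.
$props = Get-ItemProperty -Path $caKey -Name CRLPeriod, CRLPeriodUnits
$unit  = $props.CRLPeriod
$count = [int]$props.CRLPeriodUnits

# Normalise to days so intervals expressed in weeks, months or years compare correctly.
# Month and year factors are approximations; they only serve the threshold comparison.
$daysPerUnit = @{ 'Hours' = 1/24; 'Days' = 1; 'Weeks' = 7; 'Months' = 30; 'Years' = 365 }
if (-not $daysPerUnit.ContainsKey($unit)) {
    throw "Unexpected CRLPeriod value '$unit' under $caKey"
}
$intervalDays = $count * $daysPerUnit[$unit]
Write-Host "CA '$caName': base CRL publication interval is $count $unit (~$intervalDays days)."

if ($intervalDays -ge $MinimumDays) {
    Write-Host "Interval meets the $MinimumDays-day minimum for an offline root CA; no change made."
    return
}

Write-Warning "Interval is below $MinimumDays days (the BPA warning condition). Setting it to $MinimumDays Days."

# certutil -setreg writes the same values the Revoked Certificates > Properties dialog edits.
certutil -setreg "CA\CRLPeriodUnits" $MinimumDays | Out-Null
certutil -setreg "CA\CRLPeriod" "Days"           | Out-Null

# The CA service must be restarted before the new period is used...
Restart-Service -Name CertSvc

# ...and a new CRL published so the longer NextUpdate takes effect. On an offline root the
# resulting .crl file still has to be copied by hand to each CRL distribution point.
certutil -CRL | Out-Null

# Show the validity window of the CRL the CA just wrote.
Get-ChildItem -Path "$env:SystemRoot\System32\CertSrv\CertEnroll" -Filter *.crl |
    ForEach-Object { certutil -dump $_.FullName | Select-String 'ThisUpdate|NextUpdate' }
```

Run the script on the root CA during the maintenance window in which it is brought online; the final lines print the ThisUpdate and NextUpdate fields of the newly published CRL, which is the value the relying parties will use to decide when a copy becomes stale.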
Additional references
For additional details about CRL publication, see Revoking certificates and publishing CRLs.
Premier Support customers can use an intensive PKI Health Check to review this issue in addition to a thorough evaluation of other issues. For more information, see Public Key Infrastructure Server Health Check Datasheet.