PKI AIA/CDP OCSP Design Considerations Best Practice

Hello, my organisation currently has a very new PKI environment. It is a two-tier PKI with an offline root CA, serving 7000 users. I came into the organisation after the original test PKI was built, and it is starting to be used. I am curious as to what changes need to be made to meet best practice, as there seem to be some potential problems.

Currently the PKI is used for all client PC certs (Windows XP and 7), server certs (2003 and 2008), internal web server certificates, and a very small number of users use encryption. The organisation also wants to add NDES for Android/Apple devices and VPN at a later date. I'm a little confused as to whether this qualifies as a 100% internal PKI, and whether an existing internal, non-web-resolvable domain in the AIA/CRL/OCSP records will be acceptable?

Screenshot of PKI environment here: http://i49.tinypic.com/x3frl4.png

I have some questions so far:

  • I read that the root CA should not include AIA/CDP records, using a CAPolicy.inf restriction. I may be confused, but based on the screenshot above I am uncertain: does this appear correctly configured?
  • I am unsure about the CDP order for HTTP #1 vs LDAP #2. There is some discussion in this article: http://technet.microsoft.com/nl-nl/library/cc776904(WS.10).aspx What do you think, should LDAP be #1 in the order instead?
  • The AIA/CDP location is currently configured using the internal domain name http://mycompany.internal. Whereas best practice seems more commonly to use an externally resolvable DNS record: http://pki.domain.com/? Is there any immediate problem using a non-externally-resolvable record? I assume fixing any of these problems means re-issuing certs. I am really confused whether anything needs to be externally resolvable, since all our use cases are really on internally accessible servers (for example even VPN), so is there a potential scenario where an internally resolving AIA/CDP will really create a problem here?
  • I would like to add OCSP in an HA configuration also. From what I read, it seems best practice is to use an OCSP array with IP load balancing on a separate server from the subordinate issuing CA? I am just struggling to understand why a separate server is recommended for OCSP; maybe DoS attack or IIS vulnerability? Is there any other reason for this, since it will create extra complexity in the environment?
  • Is it a good idea to also move the CRL to a separate server from the subordinate issuing CA, potentially using the same server as the new OCSP server for the CRL, and leave only the web enrolment role installed on the issuing CA for non-auto-enrol-capable devices?
  • What is the cleanest method of fixing these problems and adding the new OCSP extension without creating a massive revoked CRL list? Would updating AIA/CDP and then renewing the subordinate CA, creating a new CRL database, be a good method? Encryption is really the only use I am concerned about breaking; the rest can be easily fixed.

Thank you :)
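The questions above about the root's CDP/AIA, the HTTP-vs-LDAP order, and internal-only hostnames all come down to one thing: what URLs are actually embedded in the CA certificates, and whether a given client can resolve and fetch them. The PowerShell script below is an added example, not something from the original post or from Microsoft; it pulls the CDP and AIA URLs out of an exported CA certificate, tests DNS resolution and a TCP connect for each HTTP location, downloads any CRL it finds and reads its NextUpdate from `certutil -dump`, and checks that the root certificate carries no CDP/AIA at all. The certificate paths are hypothetical assumptions; LDAP locations are reported but not tested, because only domain-joined Windows clients can use them, which is exactly why NDES-enrolled phones and pre-connect VPN clients need an HTTP location that resolves from wherever they sit.

```powershell
# Added example (not from the original post). Audit the revocation-checking URLs
# embedded in a two-tier AD CS deployment.
# Assumptions: the two exported certificates exist at the (hypothetical) paths
# below and certutil.exe is on the PATH (it ships with Windows).
# Run it from a machine that sees DNS the way the clients you care about do:
# a non-domain-joined laptop will show what an NDES device or a not-yet-connected
# VPN client sees when it tries to chain a certificate.
param(
    [string]$RootCaCer    = 'C:\PKI\RootCA.cer',     # hypothetical path
    [string]$IssuingCaCer = 'C:\PKI\IssuingCA.cer'   # hypothetical path
)

function Get-CertUrls {
    # Return every URL in the CDP (2.5.29.31) and AIA (1.3.6.1.5.5.7.1.1)
    # extensions, in the order the extension lists them. That order is the
    # order Windows clients try them, so it answers the "HTTP #1 vs LDAP #2" question.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    foreach ($ext in $Cert.Extensions) {
        $kind = switch ($ext.Oid.Value) { '2.5.29.31' { 'CDP' } '1.3.6.1.5.5.7.1.1' { 'AIA' } default { $null } }
        if (-not $kind) { continue }
        # Format($true) gives the multi-line text view; each location is one "[n]..." chunk
        foreach ($chunk in ($ext.Format($true) -split '\[\d+\]')) {
            if ($chunk -notmatch 'URL=(\S+)') { continue }
            $url = $Matches[1]
            # In AIA, the access method OID tells OCSP (…48.1) apart from CA Issuers (…48.2)
            $label = $kind
            if ($kind -eq 'AIA' -and $chunk -match '1\.3\.6\.1\.5\.5\.7\.48\.1') { $label = 'OCSP' }
            [pscustomobject]@{ Extension = $label; Url = $url }
        }
    }
}

function Test-PkiUrl {
    # DNS + TCP reachability for an HTTP location; for a CRL also fetch it and
    # report NextUpdate, since a CRL that clients can reach but that has expired
    # fails validation just as hard as one they cannot reach.
    param([string]$Extension, [string]$Url)
    $uri = [uri]$Url
    $r = [ordered]@{ Extension = $Extension; Url = $Url; Resolves = $null; Connects = $null; NextUpdate = $null }
    if ($uri.Scheme -ne 'http') {
        # ldap:/// only works for domain-joined Windows machines; not tested here
        $r.Resolves = 'not tested (' + $uri.Scheme + ')'
        return [pscustomobject]$r
    }
    try { [void][System.Net.Dns]::GetHostAddresses($uri.Host); $r.Resolves = $true } catch { $r.Resolves = $false }
    if ($r.Resolves) {
        $tcp = New-Object System.Net.Sockets.TcpClient
        try { $tcp.Connect($uri.Host, $uri.Port); $r.Connects = $true } catch { $r.Connects = $false } finally { $tcp.Close() }
    }
    if ($r.Connects -and $Extension -eq 'CDP') {
        $tmp = Join-Path $env:TEMP ([IO.Path]::GetRandomFileName())
        try {
            Invoke-WebRequest -Uri $Url -OutFile $tmp -UseBasicParsing -ErrorAction Stop
            # certutil -dump on a CRL prints "ThisUpdate:" and "NextUpdate:" lines
            $hit = & certutil.exe -dump $tmp | Select-String -Pattern '^\s*NextUpdate:\s*(.+)$' | Select-Object -First 1
            if ($hit) { $r.NextUpdate = $hit.Matches[0].Groups[1].Value.Trim() }
        } catch { $r.NextUpdate = 'fetch failed: ' + $_.Exception.Message }
        finally { Remove-Item $tmp -ErrorAction SilentlyContinue }
    }
    [pscustomobject]$r
}

$root    = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $RootCaCer
$issuing = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $IssuingCaCer

# An offline root should carry no CDP/AIA: clients trust it by store membership,
# and a URL in its self-signed cert only gives them something to fail to fetch.
$rootUrls = @(Get-CertUrls $root)
if ($rootUrls.Count -eq 0) { Write-Host "Root CA: no CDP/AIA extensions (expected)" }
else { Write-Warning "Root CA carries $($rootUrls.Count) CDP/AIA URL(s); CAPolicy.inf did not suppress them" }

# The issuing CA's own cert (signed by the root) shows where clients look for the
# root's CRL; certificates issued by it embed the URLs from CRLPublicationURLs /
# CACertPublicationURLs at issuance time, so re-point those and inspect a freshly
# issued leaf the same way.
Write-Host "Issuing CA certificate locations, in client try order:"
Get-CertUrls $issuing | ForEach-Object { Test-PkiUrl $_.Extension $_.Url } | Format-Table -AutoSize
```

Two things worth knowing when reading the output. First, the order shown is the order of the entries in `CA\CRLPublicationURLs` and `CA\CACertPublicationURLs` on the CA at the time each certificate was issued; changing those with `certutil -setreg` and restarting CertSvc only affects certificates issued afterwards, which is why fixing a wrong location means renewing or re-issuing the certificates that embed it. Second, `certutil -verify -urlfetch <cert.cer>` does a full chain build with live AIA, CDP and OCSP retrieval and is the quickest single check from a problem client; the script above just makes the per-URL results explicit for hosts that cannot use LDAP.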