
How do CRLs work?


We have an issuing CA with the following CDPs:  #1 LDAP of the issuing CA, #2 alias to internal HTTP location, #3 alias to external HTTP location.  As well as the following DeltaCRLs:  #1 LDAP of the issuing CA, #2 alias to internal HTTP location, #3 alias to external HTTP location.  So the CDP and CRL locations are the same and in the same order.  Both the internal and external aliases currently point to the same location, which is our CRL server.

We have edge networks that use RODCs and we want to put a new issuing CA into these sites.  (I had a similar question on this, shown here: http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/42578b2f-3fc4-4370-a893-4a579833fc0c but this question is more specific, so I started a new thread)  This edge network does not have access into the internal corporate network, unless we open firewall ports.

Basically, I'm trying to determine if we need an additional CRL in each of the edge network sites, or if we can get away without using one.

If we only put the issuing CA out in the edge networks, the CDP/CRL locations would still be #1 LDAP of issuing CA in the edge network, #2 alias to internal HTTP CRL location, #3 alias to internal HTTP CRL location.  This would still work, correct?  But it just wouldn't have any CRL redundancy, as it would completely depend upon the LDAP CDP/CRL.  Additionally, this reliance upon LDAP would mean that non-domain-joined systems (and non-Windows systems) would not be able to use it?  Is that all correct?

Assuming the above is correct.  Could we then open up port 443 from the edge networks to the internal CRL location (CRL #2 and #3) to create this redundancy once more, and allow non-domain/non-Windows systems to check the CDP/CRL?
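The question above hinges on which of the listed CDP URLs a client at the edge site can actually use: Windows clients walk the CRL Distribution Points in the order the certificate lists them and stop at the first one that returns a valid CRL, and an ldap:// CDP is only usable by a client that can bind to the domain. The script below is an added example (not from the original post or from Microsoft) that reads the CDP extension out of a certificate issued by the edge CA, reports the URLs in their listed order, and tests each HTTP CDP for TCP reachability and a successful fetch from the machine it is run on, then hands the same certificate to certutil so the OS's own URL retrieval can be compared. The file path in $CertPath is an assumption; the hostnames it reports are whatever the CA template wrote into the certificate.

```powershell
# Added example, not part of the original forum post.
# Lists a certificate's CRL Distribution Points in the order CryptoAPI tries them
# and tests which ones this host can reach, to answer "do these CDPs work from
# the edge network?" before opening any firewall ports.
param(
    # Assumed path to a certificate issued by the edge CA; adjust as needed.
    [string]$CertPath = 'C:\temp\edge-issued.cer'
)

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath

# The CRL Distribution Points extension has OID 2.5.29.31.
$cdpExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
if (-not $cdpExt) { throw "Certificate has no CRL Distribution Points extension" }

# Format($true) renders the extension as multi-line text with one URL= entry per
# distribution point; the order of the matches is the order the client tries them.
$urls = [regex]::Matches($cdpExt.Format($true), 'URL=(\S+)') |
    ForEach-Object { $_.Groups[1].Value }

$domainJoined = (Get-CimInstance Win32_ComputerSystem).PartOfDomain

$i = 0
foreach ($url in $urls) {
    $i++
    if ($url -like 'ldap://*') {
        # An LDAP CDP needs an authenticated bind to Active Directory, so a host
        # that is not domain-joined (or not Windows) cannot use it at all.
        $state = if ($domainJoined) { 'domain-joined, LDAP lookup possible' }
                 else { 'not domain-joined, LDAP CDP unusable from this host' }
        "CDP #$i  $url  -> $state"
    }
    elseif ($url -like 'http*://*') {
        $uri = [uri]$url   # .Port falls back to 80/443 when the URL omits it
        # First check that the CRL web server's port is reachable from this segment.
        $tcpOpen = Test-NetConnection -ComputerName $uri.Host -Port $uri.Port `
                       -InformationLevel Quiet -WarningAction SilentlyContinue
        if ($tcpOpen) {
            try {
                $resp = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 10
                "CDP #$i  $url  -> reachable, HTTP $($resp.StatusCode), $($resp.RawContentLength) bytes"
            }
            catch {
                "CDP #$i  $url  -> port open but fetch failed: $($_.Exception.Message)"
            }
        }
        else {
            "CDP #$i  $url  -> port $($uri.Port) on $($uri.Host) is blocked from this network"
        }
    }
    else {
        "CDP #$i  $url  -> unsupported URL scheme"
    }
}

# certutil performs the same retrieval the OS does, including chain building and
# delta CRL fetching; run it from an edge host and compare with the list above.
certutil -verify -urlfetch $CertPath
```

Run it once from a domain-joined host in the edge site and once from a non-domain host there: the first run shows whether the LDAP CDP alone carries revocation checking, the second shows what a non-Windows or workgroup client is left with, and the HTTP lines show exactly which host and port a firewall rule would have to permit to restore the redundancy the post asks about.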

