A question about Offline Root CA and its CRL (thanks)

Hello

I was reading information about setting up an Offline Root CA here; although it relates to 2008, I think it is still relevant for 2012 R2.

Some of the information was a little confusing. For example:

It said you should not set up a CDP or AIA for this offline Root CA.

However, it then goes on to say to set the CRL and Delta CRL to a 1 year renewal interval and publish the CRL, as you will need to take this CRL and place it on (for example) your web server CDP as detailed in the certs issued by the Online Sub CA.

So if you do not specify a CDP in the CAPolicy.inf file, where does the CRL get put when selecting Publish CRL? Is it the same location you choose to place the CA Database and Log Files?

As I understand it, you need to take the CRL and the CA Cert (for the AIA) and publish these via the Sub CA later on in the two tier offline/online PKI setup.

But that then leads me to a related question (if that is OK).

Now we have a Root CA which is used to sign the CSR from the Sub CA, and the CRL from this Root CA is 1 year long. So what if you want to revoke the Sub CA Cert (hopefully not, but you never know)? The clients will have a CRL which states it is good for a whole year, so how would the clients (let alone taking caching into account) find out that the certs they have which were signed by the Sub CA (which was revoked) are not to be trusted/used?

Thanks again to everyone on this forum for helping me understand this complex subject.

AAnotherUser__
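As an added example (not from the poster or the guide they read), the settings below configure an offline root the way the question describes: no CDP/AIA in the root's own certificate, a one-year CRL with no delta, the CRL written to the local CertEnroll folder, and an HTTP CDP/AIA URL stamped into the Sub CA certificate the root issues. The hostname pki.example.com, the D:\transfer removable-media path and the file name SubCA.cer are assumptions.

```powershell
# Added example, not the original post's content. Assumed values:
# pki.example.com (web server CDP/AIA), D:\transfer (removable media), SubCA.cer.

# 1. CAPolicy.inf goes in %WINDIR% before AD CS is installed on the root.
#    Empty=True keeps the root's self-signed cert free of CDP/AIA pointers;
#    CRLPeriod* gives the one-year CRL, CRLDeltaPeriodUnits=0 disables deltas.
@'
[Version]
Signature="$Windows NT$"

[Certsrv_Server]
RenewalKeyLength=4096
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=20
CRLPeriod=Years
CRLPeriodUnits=1
CRLDeltaPeriod=Days
CRLDeltaPeriodUnits=0
LoadDefaultTemplates=0

[CRLDistributionPoint]
Empty=True

[AuthorityInformationAccess]
Empty=True
'@ | Set-Content -Path "$env:WINDIR\CAPolicy.inf" -Encoding ASCII

# 2. After installation. Flag 1 = publish the file to this location (the default
#    CertEnroll folder); flag 2 = put this URL in the CDP/AIA extension of
#    certificates the root issues, i.e. the Sub CA cert. The \n separates entries.
certutil -setreg CA\CRLPeriodUnits 1
certutil -setreg CA\CRLPeriod "Years"
certutil -setreg CA\CRLDeltaPeriodUnits 0
certutil -setreg CA\CRLPublicationURLs "1:$env:WINDIR\system32\CertSrv\CertEnroll\%3%8%9.crl\n2:http://pki.example.com/pki/%3%8%9.crl"
certutil -setreg CA\CACertPublicationURLs "1:$env:WINDIR\system32\CertSrv\CertEnroll\%1_%3%4.crt\n2:http://pki.example.com/pki/%1_%3%4.crt"
Restart-Service certsvc
certutil -crl   # writes a fresh CRL into CertEnroll

# 3. Carry the CRL and root cert to the web server on removable media, then
#    confirm a Sub CA cert chains and its CDP/AIA URLs fetch successfully.
Copy-Item "$env:WINDIR\system32\CertSrv\CertEnroll\*.crl" -Destination "D:\transfer\"
Copy-Item "$env:WINDIR\system32\CertSrv\CertEnroll\*.crt" -Destination "D:\transfer\"
certutil -verify -urlfetch .\SubCA.cer
```

The verify step is run on a domain-joined client after the files are on the web server; it reports each CDP/AIA URL it tried and whether the CRL it fetched is current.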