
Certificate Revocation Lists and Private Certification Authority


All,

I have a few questions relating to Certificate Revocation Lists with a Private Certificate Authority in play. We currently have a self-signed CA that produces client certificates for access to our application. We are looking to implement a CRL; however, a few test certs have already been issued and are in use. My questions are below (I've had difficulty pinning down a precise answer through my own research):

  1. If I apply a CRL and distribution point to our Root CA now, will the already issued client certs automatically see that change and begin to look at the distribution point for revocation?
  2. Can I use an HTTPS site to host my CDP, or must it be HTTP?
  3. When I create the site that will host the revocation files in IIS, are there any particular settings required so that clients checking it can update and check the revocation list?

Many Thanks,


Solution

    1. The root certificate itself SHALL NOT have a CRL Distribution Points extension, because:
      • root certificate revocation is not defined in any global standard.
      • many certificate chaining engines do not check the root CA certificate for revocation. Trust is established through out-of-band explicit trust.

    Instead, the Root CA SHALL include the CRL Distribution Points extension in the certificates it issues.

    2. CDP locations MUST use HTTP only. Otherwise you will run into a cyclic check (a chicken-and-egg problem): before accessing the CDP, you need to check the SSL certificate's CRL. This directs you to the SSL-enabled CDP and the story repeats. In addition, a CRL does not store any sensitive information and is already protected from tampering/alteration by its digital signature.

    3. Nothing special, except: Anonymous authentication must be allowed (because many certificate chaining engines cannot authenticate to web sites).
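As an added example (not part of the original answer, and built with openssl in a POSIX shell rather than on a Windows CA), the following script lays out a private CA the way the answer describes: the root certificate carries no CRL Distribution Points extension, each issued client certificate carries a CDP pointing at a plain-HTTP URL, the CA revokes one certificate and publishes a CRL, and a relying party checks a revoked and a non-revoked certificate against that CRL. The URL http://pki.example.internal/root.crl, the subject names "alice" and "bob" and the temporary working directory are placeholder assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: a minimal private CA with openssl
# following the answer's layout. Assumptions: the CDP URL is a placeholder and
# a temporary directory serves as the CA's working directory.
set -e

CDP_URL="http://pki.example.internal/root.crl"   # assumed HTTP (not HTTPS) CDP
WORK="${WORK:-$(mktemp -d)}"

# Build the CA, issue "alice" and "bob", revoke "bob", publish the CRL.
build_pki() {
  cd "$WORK"
  mkdir -p newcerts
  : > index.txt            # openssl ca's certificate database
  echo 1000 > serial       # next serial number, hex

  cat > ca.cnf <<EOF
[ req ]
distinguished_name = req_dn
[ req_dn ]
# subject is passed with -subj

[ root_ext ]
# Deliberately no crlDistributionPoints here: the root is trusted
# out-of-band and is not itself checked for revocation.
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ client_ext ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
authorityKeyIdentifier = keyid
crlDistributionPoints = URI:$CDP_URL

[ ca ]
default_ca = private_ca
[ private_ca ]
dir = .
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
certificate = \$dir/root.crt
private_key = \$dir/root.key
default_md = sha256
default_days = 365
default_crl_days = 7
policy = policy_any
[ policy_any ]
commonName = supplied
EOF

  # Self-signed root CA certificate (no CDP extension).
  openssl req -x509 -config ca.cnf -extensions root_ext -newkey rsa:2048 -nodes \
    -days 3650 -subj "/CN=Example Private Root CA" \
    -keyout root.key -out root.crt >/dev/null 2>&1

  # Two client certificates, each carrying the CDP extension.
  for name in alice bob; do
    openssl req -new -config ca.cnf -newkey rsa:2048 -nodes \
      -subj "/CN=$name" -keyout "$name.key" -out "$name.csr" >/dev/null 2>&1
    openssl ca -batch -config ca.cnf -extensions client_ext -notext \
      -in "$name.csr" -out "$name.crt" >/dev/null 2>&1
  done

  # Revoke bob and publish a fresh CRL (this is the file the CDP would serve).
  openssl ca -config ca.cnf -revoke bob.crt >/dev/null 2>&1
  openssl ca -config ca.cnf -gencrl -out root.crl >/dev/null 2>&1
}

# Does the certificate carry a CRL Distribution Points extension?
has_cdp() {
  openssl x509 -in "$1" -noout -text | grep -q "CRL Distribution Points"
}

# Relying-party check. openssl verify does no network fetch, so the CRL that
# an HTTP CDP would serve is handed over explicitly with -CRLfile.
revocation_status() {
  out=$(openssl verify -crl_check -CAfile root.crt -CRLfile root.crl "$1" 2>&1) \
    && { echo valid; return 0; }
  case "$out" in
    *"certificate revoked"*) echo revoked ;;
    *) echo "error: $out" ;;
  esac
}

demo() {
  build_pki
  cd "$WORK"
  for f in root.crt alice.crt; do
    if has_cdp "$f"; then echo "$f: has CDP"; else echo "$f: no CDP"; fi
  done
  for f in alice.crt bob.crt; do
    echo "$f: $(revocation_status "$f")"
  done
}

demo
```

Running it prints that root.crt has no CDP while alice.crt does, that alice.crt is valid and that bob.crt is revoked. The CRL is passed to openssl verify by hand because openssl never contacts the CDP itself; a Windows chain engine would instead fetch root.crl from the HTTP URL embedded in the client certificate, which is why that URL, and not the root certificate, is where the CDP has to live.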