Learn the steps to set up certificate revocation for an offline root CA in a Windows Server 2008 Active Directory environment, including configuring AIA and CDP settings.
Question
You work as a Network Administrator for Infonet Inc. The company has a Windows Server 2008 Active Directory-based single domain single forest network. The functional level of the forest is Windows Server 2003. All client computers on the network run Windows XP Professional. You configure a public key infrastructure (PKI) on the network. You configure a root CA and a subordinate CA on the network. For security reasons, you want to take the root CA offline. You are required to configure the CA servers to support certificate revocation. Choose the steps you will require to accomplish the task.
Select and Place:
Answer
- On the root CA, configure the AIA setting to point to a location accessible by the subordinate CA and clients, such as an HTTP or LDAP URL.
- On the root CA, configure the CDP setting to point to a location accessible by the subordinate CA and clients, such as an HTTP or LDAP URL.
- Regularly copy the CRL file from the root CA to the shared folder or location specified in the CDP settings.
- Regularly copy the root CA certificate from the root CA to the shared folder or location specified in the AIA settings.
Explanation
To configure the CA servers to support certificate revocation with the root CA offline:
- On the root CA, configure the AIA (Authority Information Access) setting to point to a location accessible by both the subordinate CA and clients, such as an HTTP or LDAP URL. The AIA URL is written into every certificate the root issues, here the subordinate CA's certificate, so it must be set before that certificate is issued. It tells the subordinate CA and clients where to retrieve the root CA certificate when they build a certificate chain.
- On the root CA, configure the CDP (CRL Distribution Point) setting to point to a location accessible by the subordinate CA and clients, such as an HTTP or LDAP URL. The CDP URL is likewise stamped into the subordinate CA's certificate and specifies where the CRL (Certificate Revocation List) will be published, so clients know where to check the revocation status of certificates the root has issued.
- Regularly copy the CRL file from the root CA to the shared folder or location specified in the CDP settings. Because the root CA is offline, it cannot publish to those locations itself; an administrator must export the CRL (for example to removable media) and publish it by hand. A CRL carries a validity period, so it must be republished before it expires; otherwise revocation checking of the subordinate CA's certificate fails and every certificate chaining through it stops validating.
- Regularly copy the root CA certificate from the root CA to the shared folder or location specified in the AIA settings. This keeps the root CA certificate available even with the root CA offline. The root certificate changes only when it is renewed, so in practice this step is repeated far less often than the CRL publication.
By configuring the AIA and CDP settings on the root CA to accessible locations and regularly publishing updated CRLs and the root CA certificate to those locations, you enable certificate revocation checking even with the root CA kept offline for security. The subordinate CA and clients retrieve what they need from the designated AIA and CDP locations and never need to contact the root CA directly.
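The following PowerShell is an added example of the four steps above carried out with certutil; it is not part of the original question or answer. The HTTP host pki.infonet.example, the CA name "Infonet Root CA", the root CA host name INFONET-ROOTCA, the removable-media path E:\CertEnroll and the subordinate CA certificate path are all assumptions for illustration. The first part runs on the offline root CA, the second on a domain-joined machine as a member of Enterprise Admins.

```powershell
# Added example (not from the original page). Assumed names:
#   pki.infonet.example  - web server whose CertEnroll directory clients can reach over HTTP
#   Infonet Root CA      - common name of the offline root CA
#   INFONET-ROOTCA       - short host name of the root CA server (%2 in the URLs below)
#   E:\CertEnroll        - removable media used to carry files off the offline root

# ---------- Part 1: on the offline root CA ----------
# Set the URLs BEFORE issuing the subordinate CA's certificate; they are written
# into that certificate at issue time and cannot be changed afterwards.

# An offline root is powered on rarely, so it issues a long-lived base CRL and no
# delta CRLs. Every certificate it issued fails revocation checking once this CRL
# expires, so a fresh CRL must be published before the 52 weeks run out.
certutil.exe -setreg CA\CRLPeriodUnits 52
certutil.exe -setreg CA\CRLPeriod "Weeks"
certutil.exe -setreg CA\CRLDeltaPeriodUnits 0
certutil.exe -setreg CA\CRLOverlapUnits 2
certutil.exe -setreg CA\CRLOverlapPeriod "Weeks"

# CDP: where issued certificates say the CRL can be found.
#   1  = the CA writes the CRL to this path (only the local folder; the root cannot reach AD or the web server)
#   2  = include this URL in the CDP extension of issued certificates
#   8  = include this URL in the IDP extension of issued CRLs (10 = 2 + 8)
# Tokens: %2 short server name, %3 CA name, %6 configuration container,
#         %7 sanitized CA name, %8 CRL name suffix, %9 delta suffix, %10 CDP object class.
# PowerShell passes "\n" and %WINDIR% literally; certutil treats "\n" as the URL separator.
$cdp = "1:%WINDIR%\system32\CertSrv\CertEnroll\%3%8%9.crl" +
       "\n2:http://pki.infonet.example/CertEnroll/%3%8%9.crl" +
       "\n10:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10"
certutil.exe -setreg CA\CRLPublicationURLs $cdp

# AIA: where issued certificates say the root CA certificate can be found.
#   1 = the CA writes its certificate to this path, 2 = include in the AIA extension.
# %1 server DNS name, %4 certificate name (empty for the first certificate), %11 CA object class.
$aia = "1:%WINDIR%\system32\CertSrv\CertEnroll\%1_%3%4.crt" +
       "\n2:http://pki.infonet.example/CertEnroll/%1_%3%4.crt" +
       "\n2:ldap:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,%6%11"
certutil.exe -setreg CA\CACertPublicationURLs $aia

# The CA service reads these values at start-up; restart it, then generate a CRL.
Restart-Service -Name certsvc
certutil.exe -CRL

# Copy the CRL and the root certificate to removable media for transfer.
$local = "$env:windir\system32\CertSrv\CertEnroll"
New-Item -ItemType Directory -Path "E:\CertEnroll" -Force | Out-Null
Copy-Item -Path "$local\*.crl", "$local\*.crt" -Destination "E:\CertEnroll\" -Force

# ---------- Part 2: on a domain-joined machine (Enterprise Admins) ----------
$src = "E:\CertEnroll"
$crl = Get-ChildItem -Path "$src\*.crl" | Select-Object -First 1
$crt = Get-ChildItem -Path "$src\*.crt" | Select-Object -First 1

# LDAP: publish the CRL under CN=INFONET-ROOTCA,CN=CDP,... (the container name must
# match %2 in the root's CDP URL) and the root certificate into the AIA and
# Certification Authorities containers, from where domain members trust it.
certutil.exe -dspublish -f $crl.FullName INFONET-ROOTCA
certutil.exe -dspublish -f $crt.FullName RootCA

# HTTP: drop both files into the web server's CertEnroll directory (assumed to be
# shared as \\pki.infonet.example\CertEnroll).
Copy-Item -Path $crl.FullName, $crt.FullName -Destination "\\pki.infonet.example\CertEnroll\" -Force

# Check: once the subordinate CA has its certificate, make certutil fetch every
# AIA and CDP URL in it. Any URL it cannot retrieve shows up as an error here
# long before clients start reporting "revocation server offline".
$subCaCert = "C:\PKI\Infonet Issuing CA.cer"   # assumed path to the subordinate CA's certificate
certutil.exe -verify -urlfetch $subCaCert
```

The same Part 2 sequence is what "regularly copy" means in practice: before the current CRL's expiry, power on the root, run `certutil.exe -CRL`, carry the new file over, and repeat the `-dspublish` and HTTP copy. Renewing the root certificate is the only time the `.crt` publication needs to be repeated.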
GIAC GSLC certification exam assessment practice question and answer (Q&A) dump including multiple choice questions (MCQ) and objective type questions, with detailed explanation and reference available free, helpful to pass the GIAC GSLC exam and earn the GSLC certification.