While working on a PKI deployment for a customer, I came across something that I haven’t found published anywhere. Actually, quite a few things! In this post I will be covering one of them: publishing the CRL Distribution Point (CDP) on a separate Web Server. Going by Best Practices, this is the desired configuration for publishing CRLs.
The design is a Two-Tier PKI. There is an offline Root CA and 2 Subordinate Issuing CAs. The CDP and AIA are published redundantly on two dedicated, load balanced CDP Web Servers in the DMZ. The CA certificates and CRLs are xcopy’d by a Scheduled Task every 5 minutes from the Sub CAs over to the CDP Web Servers. This way, the CAs themselves are never exposed on the network; only the copied files are.
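As an added example (not the customer’s script or anything from the original post), here is what that Scheduled Task could look like in PowerShell: it replicates the CRL and certificate files from the Sub CA’s CertEnroll folder to each CDP Web Server, then reads the CDP and AIA URLs out of a certificate issued by that CA and confirms each one is plain HTTP and actually answers. The server names, share name, and file names are assumptions for illustration; the CertEnroll path is the AD CS default.

```powershell
# Added example, not from the original post: replicate CA certificates and CRLs from a
# Subordinate CA to dedicated CDP web servers, then verify every CDP/AIA URL a client
# would follow uses plain HTTP and is reachable.
# Server names, share name and certificate file name below are assumptions.

$SourceDir      = 'C:\Windows\System32\CertSrv\CertEnroll'     # AD CS default CertEnroll path
$CdpServers     = @('cdp01.example.com', 'cdp02.example.com')  # assumed DMZ CDP web servers
$TargetShare    = 'PKI$'                                       # assumed share mapped to the site root
$IssuedCertPath = 'C:\PKI\sample-issued.cer'                   # assumed: any cert issued by this Sub CA

function Copy-PkiFiles {
    param([string]$Source, [string[]]$Servers, [string]$Share)
    foreach ($server in $Servers) {
        $dest = "\\$server\$Share"
        # /XO skips files already current on the target; /R:1 /W:5 keeps one down
        # server from stalling the task past the next 5-minute run
        robocopy $Source $dest *.crl *.crt /XO /R:1 /W:5 /NP /NJH /NJS | Out-Null
        # robocopy exit codes below 8 are success (0 = nothing new, 1 = files copied)
        if ($LASTEXITCODE -ge 8) {
            Write-Warning "Copy to $dest failed with robocopy exit code $LASTEXITCODE"
        }
    }
}

function Get-CdpAiaUrls {
    param([string]$CertPath)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
    # 2.5.29.31 = CRL Distribution Points, 1.3.6.1.5.5.7.1.1 = Authority Information Access
    $exts = $cert.Extensions | Where-Object { $_.Oid.Value -in @('2.5.29.31', '1.3.6.1.5.5.7.1.1') }
    foreach ($ext in $exts) {
        # Format() renders the extension as text containing "URL=http://..." entries
        [regex]::Matches($ext.Format($true), 'https?://[^\s]+') | ForEach-Object { $_.Value }
    }
}

function Test-CdpUrl {
    param([string]$Url)
    if ($Url -notlike 'http://*') {
        # Windows clients do not fetch CRLs or AIA over HTTPS: validating the web
        # server's own certificate would itself require a revocation check
        Write-Warning "Non-HTTP CDP/AIA URL, clients will fail revocation checking: $Url"
        return $false
    }
    try {
        $resp = Invoke-WebRequest -Uri $Url -UseBasicParsing -TimeoutSec 10
        return ($resp.StatusCode -eq 200 -and $resp.Content.Length -gt 0)
    } catch {
        Write-Warning "CDP/AIA URL not reachable: $Url ($($_.Exception.Message))"
        return $false
    }
}

# Body of the Scheduled Task on the Sub CA
Copy-PkiFiles -Source $SourceDir -Servers $CdpServers -Share $TargetShare
foreach ($url in Get-CdpAiaUrls -CertPath $IssuedCertPath) {
    $ok = Test-CdpUrl -Url $url
    '{0} {1}' -f $(if ($ok) { 'OK  ' } else { 'FAIL' }), $url
}
```

The URL check is deliberately run against a certificate issued by the CA rather than the CA’s own certificate, because the CA certificate’s CDP points at the Root CA’s CRL, while the URLs clients will actually follow for this CA’s revocation data live in the certificates it issues.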
Initially, we planned on using some existing Web Servers to reduce the footprint and overhead. What I discovered was something small and simple that I did not anticipate. The existing IIS Servers use HTTPS. CRLs cannot be accessed over HTTPS, only HTTP: to validate the web server’s TLS certificate, the client would first have to check that certificate for revocation, which is the very CRL it is trying to fetch, so Windows clients will not retrieve CRLs or AIA data from an HTTPS URL. Adding HTTP access to the existing IIS Servers would greatly increase the risk of an attacker connecting to these servers. Fortunately, we had decided to dedicate new Web Servers for other reasons before this information came to light. I’m glad this decision was made, or I would have burned a lot of time, money, and effort by not being aware of this small, yet large caveat.
I’d assume absolute PKI veterans would likely have known about this. For me, and many others, this information may save you from the multiple issues that arise from it. I will be posting some other good information I’ve come across during my recent PKI deployments.