Implications of Root CA without CRL


If you're willing to scrap the root CA completely in the event that it's used to issue a bad certificate, or an issued certificate is compromised, then it should be no problem.

If the certificate doesn't specify CRL distribution points, then (as far as I'm aware) browsers and other certificate validators should have no qualms about validating the certificate.

Even if an unreachable CDP is specified, browsers are very lax about allowing the certificate anyway - this is why the recent certificate authority compromises have prompted OS and browser vendors to issue patches blacklisting the certificates, instead of just trusting browsers to check the CRL properly.
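As an added example (not part of the original thread), the following OpenSSL shell script builds a root CA that carries no crlDistributionPoints extension, issues one leaf with a CDP and one without, and shows how OpenSSL's own validator treats them: both leaves verify against the root without complaint, and only an explicit `-crl_check` fails, because no CRL is supplied and OpenSSL never fetches the advertised CDP on its own. The CA and leaf names, the CDP URL and the working directory are constructed; the script assumes an `openssl` binary (1.1.1 or later) on PATH.

```shell
#!/bin/sh
# Added example (not from the original thread): root CA without any CRL
# distribution point, two leaves (with and without a CDP), and how a validator
# reacts. All names and the CDP URL below are constructed for illustration.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

cat > "$WORK/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = Example Root CA (constructed)
[ v3_root ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_leaf ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[ v3_leaf_cdp ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
crlDistributionPoints = URI:http://crl.example.invalid/root.crl
EOF

# Self-signed root: note that v3_root has no crlDistributionPoints line.
make_root() {
  openssl req -x509 -new -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" -days 3650 \
    -config "$WORK/openssl.cnf" -extensions v3_root >/dev/null 2>&1
}

# Issue a leaf from the root; $1 = file/CN name, $2 = extension section.
issue_leaf() {
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" -subj "/CN=$1" \
    -config "$WORK/openssl.cnf" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 365 -out "$WORK/$1.pem" \
    -extfile "$WORK/openssl.cnf" -extensions "$2" >/dev/null 2>&1
}

# Returns 0 if the certificate carries a CRL Distribution Points extension.
has_cdp() {
  openssl x509 -in "$WORK/$1.pem" -noout -text | grep -q "CRL Distribution Points"
}

# Plain chain validation (no revocation checking): 0 if the leaf verifies.
verify_chain() {
  openssl verify -CAfile "$WORK/root.pem" "$WORK/$1.pem" >/dev/null 2>&1
}

# Chain validation with -crl_check but no CRL supplied. OpenSSL does not
# download CDPs, so this fails for both leaves with "unable to get certificate CRL".
verify_with_crl_check() {
  openssl verify -crl_check -CAfile "$WORK/root.pem" "$WORK/$1.pem" >/dev/null 2>&1
}

run_demo() {
  make_root
  issue_leaf leaf_nocdp v3_leaf
  issue_leaf leaf_cdp v3_leaf_cdp
  has_cdp root && return 1                 # the root advertises no CDP
  has_cdp leaf_nocdp && return 1
  has_cdp leaf_cdp || return 1
  verify_chain leaf_nocdp || return 1      # accepted: nothing to look up
  verify_chain leaf_cdp || return 1        # also accepted: CDP is not fetched
  verify_with_crl_check leaf_nocdp && return 1
  verify_with_crl_check leaf_cdp && return 1
  echo "root without CDP: both leaves validate; only explicit -crl_check demands a CRL"
  return 0
}

run_demo
```

The practical reading for a closed network: omitting the CDP from the root (and from any certificate whose CRL the relying party cannot reach) costs nothing at validation time unless the validator is explicitly configured to require revocation data, in which case it fails either way until a CRL is delivered out of band.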

Author: Josh
Updated on September 18, 2022

Comments

  • Josh
    Josh almost 2 years

    I'm currently setting up a PKI for my company and while I have come up with a good layout and planned the overall policy of certificate issuance, I'm still puzzled by what role the CRL plays.

    By looking at other root CA certificates installed in browsers, we concluded that we could go without a revocation list for our root CA.

    We also based it on the fact that our certificate chain will be installed in strictly firewalled and closed environments on our customer sites, which means retrieving the CRL from our HTTP site won't work.

    Is it a bad idea not to include a CRL in the root? And would applications (IIS, IE, Firefox) behave badly or need additional configuration to work right?

    I'm aware that by not having CRLs, I lose the ability to revoke a certificate, but this is currently not an issue. The question concerns the root; the subordinate CA would, or could, have a CRL, depending on the Class (Class 1 = production, Class 3 = testing etc.) according to our CP.

    • MrGigu
      MrGigu over 12 years
      I'm wondering what you gain by not having a CRL though. They're no work to set up and no work to maintain...
    • MrGigu
      MrGigu over 12 years
      Ahh, ok yeah I understand. You did hint at that in your question, I guess I just didn't pick up on it.
  • Josh
    Josh over 12 years
    Do you reckon that we can ignore the unreachable CDP in these closed environments, or would it from a security point of view be worse, or seem less professional, to not include them at all?
  • ravi yarlagadda
    ravi yarlagadda over 12 years
    I'd avoid including them at all - some browsers do whine about being unable to check revocation status if there's a CDP advertised, plus they'll have a bunch of failed requests that they might notice in their firewall logs.