Hello world! Here is the third part of an "AD CS Partitioned CRLs - A Comprehensive Guide" blog post series.
In this part, I will explain Partitioned CRL configuration elements and their behavior.
In general, a partitioned CRL consists of several configuration elements that MUST be configured in a single batch: the CA service will fail if any mandatory configuration element is incomplete. Here is the list of all configuration options, with an indication of which are mandatory:
The following sections will go through each configuration element.
Partitioned CRLs in AD CS are optional, and the feature has a global switch to enable or disable it. Use the following command to enable CRL partitioning at the CA level:
certutil -setreg ca\CRLFlags +CRLF_ENABLE_CRL_PARTITION
Use the following command to disable CRL partitioning:
certutil -setreg ca\CRLFlags -CRLF_ENABLE_CRL_PARTITION
You SHALL NOT disable partitioned CRLs once at least one certificate has been issued using partitions, because the CA will no longer generate and update partition-specific CRLs. Existing URLs that point to partitions will fail, and revocation checking will be unable to determine the revocation status of those certificates.
Enabling CRL partitioning by itself does not change anything; it is just a global switch.
As we discussed in part 2, AD CS provides two CRL partitioning strategies: with or without an aggregated CRL. By default, partition zero is reserved for the complete CRL and no configuration is needed. Use the following command to enforce an aggregated CRL (Type A):
Certutil -setreg ca\CRLFlags -CRLF_PARTITION_ZERO_EXCLUSIVE
Use the following command to disable the aggregated CRL and freeze partition zero (Type B):
Certutil -setreg ca\CRLFlags +CRLF_PARTITION_ZERO_EXCLUSIVE
It is necessary to define the partition count. By increasing the number of partitions, you reduce the average size of each partition but increase the number of CRLs to maintain; conversely, by decreasing the number of partitions, you increase the average partition size and reduce the number of CRLs. Use the following command to configure the number of partitions:
Certutil -setreg ca\CRLMaxPartitions 10
This command creates 10 partitions. If you use an aggregated CRL, another partition (zero) is allocated for the complete CRL. The minimum value is 1 and the maximum value is 65535 (0xFFFF).
After changing the number of partitions and restarting the CA service, you MUST republish all CRLs. This is necessary because the new CRLs have to exist before a request can be assigned to a newly created partition.
How many partitions do I need?
There is no "magic" number; it really depends on your revocation volume. Keep a good balance between partition count and partition size. A number between 5 and 10 is a good starting point. However, you can use some rough math:
So 10000 revoked certificates will result in a CRL of between 400 and 600 KB.
Choose the initial partition count wisely. Moving forward, you can increase this number when needed, but you cannot decrease it without consequences: if you decrease it, the CA will no longer generate CRLs for the removed partitions, and any certificate assigned to a no-longer-existing partition will fail revocation checks because no CRL is available. If you need to reduce the number of active partitions, use partition suspension (see below), which stops the use of the first N partitions.
As we discussed in part 2, AD CS provides two CRL partition assignment algorithms: random (the default) and round-robin. Use the following command to enforce the random (default) partition assignment algorithm:
Certutil -delreg CA\CRLCurrentPartition
Use the following command to force the round-robin algorithm:
Certutil -setreg ca\CRLCurrentPartition 1
The number in the argument defines the CRL partition index with which the round-robin algorithm starts after the next CA service start. If the value is zero or exceeds the number of partitions, the CA will default to 1.
Partitioned CRLs require the following CDP extension changes:
- <CRLPartitionIndex> in all CDP URLs
- LDAP URLs cannot be used with partitioned CRLs
I would recommend reading Designing CRL Distribution Points and Authority Information Access locations for CDP/AIA URL design best practices and why you should move away from LDAP URLs.
The following sections describe needed changes related to CDP extension configuration.
You have to include the dynamic <CRLPartitionIndex> variable in ALL CDP URLs (including FILE:// and HTTP:// protocols) to generate a unique file name for each partition. At runtime, this variable is substituted with _PartitionXXXXX, where "XXXXX" is the zero-padded, 5-digit decimal representation of the CRL partition for which the CRL is being generated. For partition zero, the <CRLPartitionIndex> variable is substituted with an empty string. This is similar to the behavior of the <CRLNameSuffix> variable, which substitutes the CA key index as a number in parentheses, or an empty string for the key at index [0].
Note that only the file name must include the <CRLPartitionIndex> variable, not other parts of the URL. I would recommend putting the <CRLPartitionIndex> variable in front of <CRLNameSuffix>; e.g. in the CA MMC, the file name would look like:
http://cdp.example.com/CertEnroll/My-ca-name<CRLPartitionIndex><CRLNameSuffix><DeltaCRLAllowed>.crl
In registry, this file name will have the following representation:
134:http://cdp.example.com/CertEnroll/My-ca-name<CRLPartitionIndex>%8%9.crl
Notice that in the registry, CDP variables often use numeric forms such as %3, %8, %9, etc. This is not the case with the new <CRLPartitionIndex>: in both the MMC GUI and the registry, this variable looks identical and is not replaced by a numeric variable.
The number in front represents a combination of URL publication flags:
| Checkbox Name | Numeric Value |
|---|---|
| Publish CRLs to this location. | 1 |
| Include in the CDP extension of issued certificates. | 2 |
| Include in CRLs. Clients use this to find Delta CRL locations. | 4 |
| Include in all CRLs. Specifies where to publish in AD DS when publishing manually. | 8 |
| Publish Delta CRLs to this location. | 64 |
| Include in the IDP extension of issued CRLs. | 128 |
The URL template above will generate the following sample Base CRL file names (URL part is omitted for brevity):
| File Name | Conditions | Notes |
|---|---|---|
| My-ca-name.crl | Base CRL, at key index 0, partition index 0 | In A1 and A2 strategies will represent aggregate CRL |
| My-ca-name(2).crl | Base CRL, at key index 2, partition index 0 | In A1 and A2 strategies will represent aggregate CRL |
| My-ca-name_Partition00008.crl | Base CRL, at key index 0, partition index 8 | |
| My-ca-name_Partition00003(1).crl | Base CRL, at key index 1, partition index 3 | |
And sample Delta CRL URLs:
| File Name | Conditions | Notes |
|---|---|---|
| My-ca-name+.crl | Delta CRL, at key index 0, partition index 0 | In A1 and A2 strategies will represent aggregate CRL |
| My-ca-name(2)+.crl | Delta CRL, at key index 2, partition index 0 | In A1 and A2 strategies will represent aggregate CRL |
| My-ca-name_Partition00008+.crl | Delta CRL, at key index 0, partition index 8 | |
| My-ca-name_Partition00003(1)+.crl | Delta CRL, at key index 1, partition index 3 | |
The partitioned CRL feature requires that at least one HTTP URL published in the CDP extension of issued certificates MUST also be included in the Issuing Distribution Point (IDP) CRL extension. The IDP extension defines CRL retrieval locations and their scope, such as whether the CRL covers only CA certificates or only end-entity certificates, and whether the CRL is indirect. No specific extension content configuration is needed: it is sufficient to include at least one URL in the IDP extension, but you may include all HTTP URLs. This is done by checking the "Include in the IDP extension of issued CRLs" checkbox in the HTTP URL properties:
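To make the naming and flag rules above concrete, here is an added Python model written for this post (it is example code, not part of the original post and not AD CS code). It expands the CDP file-name template the way the post describes, decodes the numeric publication-flag prefix from the checkbox table, and checks a set of registry-style URL entries against the rules given here: <CRLPartitionIndex> in the file name of every URL and nowhere else, no LDAP URLs, and at least one HTTP URL that is in both the CDP extension (2) and the IDP extension (128). The mapping of the registry variables %8 and %9 to <CRLNameSuffix> and <DeltaCRLAllowed> is taken from the MMC/registry pair shown above; the sample URL entries are constructed for the example.

```python
import re
from typing import Dict, List, Tuple

# Publication flag bits, taken from the checkbox table in the post.
CDP_FLAGS: Dict[int, str] = {
    1: "Publish CRLs to this location",
    2: "Include in the CDP extension of issued certificates",
    4: "Include in CRLs (Delta CRL locations)",
    8: "Include in all CRLs (AD DS publication)",
    64: "Publish Delta CRLs to this location",
    128: "Include in the IDP extension of issued CRLs",
}

# The registry stores the older placeholders as numeric variables; the MMC/registry
# pair in the post maps %8 -> <CRLNameSuffix> and %9 -> <DeltaCRLAllowed>.
REGISTRY_ALIASES = {"%8": "<CRLNameSuffix>", "%9": "<DeltaCRLAllowed>"}


def expand_crl_name(template: str, key_index: int, partition: int, delta: bool = False) -> str:
    """Substitute the CA variables the way the post describes them.

    <CRLPartitionIndex> -> "" for partition zero, else _PartitionNNNNN (5 digits, zero padded)
    <CRLNameSuffix>     -> "" for key index 0, else "(N)"
    <DeltaCRLAllowed>   -> "+" for a delta CRL, else ""
    """
    if not 0 <= partition <= 0xFFFF:
        raise ValueError("partition index must be between 0 and 65535")
    for alias, name in REGISTRY_ALIASES.items():
        template = template.replace(alias, name)
    part = "" if partition == 0 else f"_Partition{partition:05d}"
    suffix = "" if key_index == 0 else f"({key_index})"
    return (template.replace("<CRLPartitionIndex>", part)
                    .replace("<CRLNameSuffix>", suffix)
                    .replace("<DeltaCRLAllowed>", "+" if delta else ""))


def decode_flags(value: int) -> List[str]:
    """Return the checkbox names that make up a numeric prefix such as 134 (= 128 + 4 + 2)."""
    return [name for bit, name in CDP_FLAGS.items() if value & bit]


def parse_registry_url(line: str) -> Tuple[int, str]:
    """Split a CRLPublicationURLs entry of the form '<flags>:<url>'."""
    flags, url = line.split(":", 1)
    return int(flags), url


def validate_cdp_urls(lines: List[str]) -> List[str]:
    """Check URL entries against the partitioned-CRL rules stated in the post."""
    problems: List[str] = []
    idp_http = False
    for line in lines:
        flags, url = parse_registry_url(line)
        scheme = url.split(":", 1)[0].lower()
        if scheme == "ldap":
            problems.append(f"LDAP URL cannot be used with partitioned CRLs: {url}")
            continue
        # Split on both separators so FILE:// UNC paths are handled as well as HTTP paths.
        parts = re.split(r"[/\\]", url)
        head, fname = "/".join(parts[:-1]), parts[-1]
        if "<CRLPartitionIndex>" not in fname:
            problems.append(f"<CRLPartitionIndex> missing from the file name: {url}")
        if "<CRLPartitionIndex>" in head:
            problems.append(f"<CRLPartitionIndex> belongs only in the file name: {url}")
        if scheme == "http" and flags & 2 and flags & 128:
            idp_http = True
    if not idp_http:
        problems.append("no HTTP URL is included in both the CDP extension (2) "
                        "and the IDP extension (128)")
    return problems


# Constructed sample entries in registry form (not taken from a real CA).
GOOD_URLS = [
    "65:file://\\\\cdp.example.com\\CertEnroll\\My-ca-name<CRLPartitionIndex>%8%9.crl",
    "134:http://cdp.example.com/CertEnroll/My-ca-name<CRLPartitionIndex>%8%9.crl",
]
BAD_URLS = [
    "79:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10",
    "6:http://cdp.example.com/CertEnroll/My-ca-name%8%9.crl",
]

if __name__ == "__main__":
    template = "My-ca-name<CRLPartitionIndex><CRLNameSuffix><DeltaCRLAllowed>.crl"
    for key, part, delta in [(0, 0, False), (2, 0, False), (0, 8, False), (1, 3, True)]:
        print(expand_crl_name(template, key, part, delta))
    print(decode_flags(134))
    print(validate_cdp_urls(GOOD_URLS))  # []
    print(validate_cdp_urls(BAD_URLS))   # three findings
```

Running the block prints the four file names from the tables above, the three checkbox names behind the prefix 134, an empty finding list for the good entries, and three findings for the bad ones (an LDAP URL, a missing <CRLPartitionIndex>, and no HTTP URL in both the CDP and IDP extensions).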

In some cases, you may want to temporarily freeze some partitions by suspending them. The CA will not assign any CSR to a suspended partition and will use only active partitions. You cannot suspend an arbitrary partition; instead, you suspend a number of partitions counted from the beginning. For example:
Certutil -setreg CA\CRLSuspendedPartitions 3
This suspends partitions 1, 2 and 3. If the total number of working partitions is 5, the CA will use only partitions #4 and #5 for assignment, as shown in the following figure:

Use the following command to unlock all working partitions (except partition zero):
Certutil -delreg CA\CRLSuspendedPartitions
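The assignment rules from the partition assignment section (random versus round-robin, with CRLCurrentPartition falling back to 1 when it is zero or above the partition count) and the suspension rules from this section (CRLSuspendedPartitions freezes the first N working partitions) can be modelled together. The following Python is an added example for this post, not code from the original post or from AD CS; it assumes exactly the behaviour stated in the text, and for the one case the post does not describe (a round-robin start index that lies inside the suspended range) it moves the start to the first active partition, which is marked as an assumption in the code.

```python
import random
from typing import List, Optional


def active_partitions(max_partitions: int, suspended: int = 0) -> List[int]:
    """Working partitions the CA may assign new requests to.

    Working partitions are numbered 1..CRLMaxPartitions (1..65535).
    CRLSuspendedPartitions=N freezes the first N of them, so with 5 partitions
    and N=3 only #4 and #5 remain. Partition zero is never assigned directly:
    it is the aggregated CRL (type A) or frozen (type B).
    """
    if not 1 <= max_partitions <= 0xFFFF:
        raise ValueError("CRLMaxPartitions must be between 1 and 65535")
    if suspended < 0:
        raise ValueError("CRLSuspendedPartitions cannot be negative")
    return list(range(suspended + 1, max_partitions + 1))


class PartitionAssigner:
    """Random assignment when CRLCurrentPartition is absent, round-robin when it is set."""

    def __init__(self, max_partitions: int, suspended: int = 0,
                 current: Optional[int] = None, rng: Optional[random.Random] = None):
        self.active = active_partitions(max_partitions, suspended)
        if not self.active:
            raise ValueError("every working partition is suspended; nothing to assign to")
        self.round_robin = current is not None
        self.rng = rng or random.Random()
        if self.round_robin:
            # Post: a value of 0 or above CRLMaxPartitions makes the CA default to 1.
            start = current if 1 <= current <= max_partitions else 1
            # Assumption of this model (not stated in the post): a start index that
            # falls in the suspended range advances to the first active partition.
            self._next = start if start in self.active else self.active[0]

    def assign(self) -> int:
        """Return the partition index for the next issued certificate."""
        if not self.round_robin:
            return self.rng.choice(self.active)
        chosen = self._next
        pos = self.active.index(chosen)
        self._next = self.active[(pos + 1) % len(self.active)]
        return chosen


def simulate(assigner: PartitionAssigner, count: int) -> List[int]:
    """Assign `count` certificates and return the partition each one landed in."""
    return [assigner.assign() for _ in range(count)]


if __name__ == "__main__":
    print(active_partitions(5, suspended=3))                          # [4, 5]
    print(simulate(PartitionAssigner(5, suspended=3, current=4), 6))   # [4, 5, 4, 5, 4, 5]
    print(simulate(PartitionAssigner(10, current=11), 3))              # starts at 1
    print(simulate(PartitionAssigner(5, suspended=3), 10))             # random draws from {4, 5}
```

The model makes the operational point of both sections visible: suspension shrinks the set of candidate partitions without renumbering them, so CRLs for partitions 1 to 3 keep being published for certificates already assigned there, whereas lowering CRLMaxPartitions would remove those partitions altogether.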
In this post, I explained the CRL partitioning configuration options in Microsoft AD CS. In the next post, I will provide ready-to-use recipes to implement each strategy, along with a configuration guide. Stay tuned!