Sysadmins LV
Vadims Podāns
Vadims Podāns
Microsoft Most Valuable Professional: Windows PowerShell
Protected by Copyscape DMCA Takedown Notice Search Tool
  • Home
  • Main blog
  • AD CS Partitioned CRLs - Design Strategies (part 2)

AD CS Partitioned CRLs - Design Strategies (part 2)

Hello S-1-1-0, here is a second part of an "AD CS Partitioned CRLs - A Comprehensive Guide" blog post series.

All posts in this series:

In this part, I will explain Partitioned CRL strategies and their behavior. I will focus on partition zero handling and partition assignment randomization.

Partitioned CRL Concept

Just a brief recap of previous post: revoked certificates are uniformly (or close to it) distributed across different partitions. The following figure shows basic partitioning concept with five partitions:

In this figure, we see: a request with ID = 5 is assigned to partition #5, ID = 6 is assigned to partition #1, ID = 7 to partition #2 and so on. CA automatically assigns request (and potentially issued certificate) to some partition on CSR submission event. Once assigned, certificate binding to partition cannot be changed. Then, when certificate is revoked, it is included in assigned partition, which is known in advance. If you have a custom policy module, you can clearly see bound CRL partition prior to issuing CA. Alternatively, you can see partition index when request is pending.

Every partition will result in a separate CRL file with distinct name, which adds partition index to file name. Without partitioning, CA would generate only one base CRL, with partitioning, CA will generate 6 base CRLs, each with unique name (5 partitions and 1 specialized, details in next sections). Same applies to delta CRLs. Since we know partition index before actual certificate issuance, we can embed an URL to assigned CRL partition in issued certificate's CDP extension.

Partitioned CRL isn't on or off feature, it is configurable by two main design strategies:

  1. Partition zero handling
  2. Partition index assignment algorithm

Next sections will provide a detailed description of each strategy, options and behavior.

Partition Zero Handling Strategies

In previous examples, I numbered partitions starting from index 1. These are so-called working partitions. CA will assign requests only to working partitions. In addition to that, CA maintains a specialized CRL in partition zero (at index [0]).

Partition Zero is Microsoft official term used in their technical documentation.

Let's dig into each configuration and see how partition zero is used.

Partition Zero — Aggregate (Type A)

By default, partition zero (at index [0]) is not a partition, it is reserved for aggregated (complete) CRL, that combines all serial numbers included in all partitions. Basically, same plain familiar CRL without any partitioning. The following figure shows how it looks like with 4 working partitions:

Partitions #1-4 are working partitions (where end entity certificates would appear) and partition #0 (zero) is aggregated, i.e. contain all revoked certificates from all working partitions. Although CA will start new partitions from scratch, partition zero will continue to grow with every revoked certificate, because it has to contain everything from previously revoked certificates and newly revoked certificates from all working partitions.

Partition Zero — Exclusive (Type B)

You can configure partition zero to act as a true partition, without aggregated (complete) CRL. In this case, CRL in partition zero will contain only a subset of revoked serial numbers, but unlike working partitions, partition zero will be specialized. The following figure shows this option (setup B):

Here we have the same setup with 4 working partitions. Partition zero (#0) is a partition, however CA will reserve it for its own use and will not include newly issued certificates in this partition. CA own uses are, but not limited to:

  1. Put auto-generated cross-certificates (Root CA only). Just to avoid potential confusion: CA Exchange while being special to CA, it is assigned to working partitions like regular certificate, not specialized partition zero.
  2. Place previously revoked certificates. When implementing partitioned CRLs, you already may have some revoked certificates. When marking partition zero as exclusive, CA will automatically copy already revoked certificates to partition zero, thus maintaining backward compatibility.

With this strategy, previous full CRL will be converted into a partition (with same name) and freeze. Further, only special certificates will be assigned to partition zero. Unlike the strategy with aggregate CRL (Type A), exclusive partition zero will stop growing. All newly issued certificates will be assigned to working partitions only.

Partition Zero Handling Summary

We learned that AD CS offers two CRL partitioning strategies which differ in how special partition zero is handled. It can be either, a classic full aggregate CRL, or migrated. Main difference is that in former strategy, CRL will continue to grow and will freeze in size with latter strategy. However, exclusive partition zero do not offer single complete CRL.

Both strategies implement backward compatibility with existing CA installations, which allows to migrate them to use partitioned CRLs.

Main question is: which strategy to choose?

There is no universal answer, but here are some thoughts you can think about before making decision:

  • A rule of thumb: do not use partitioned CRL until you need it or expect substantial CRL size growth.
  • Use aggregated CRL if aggregate CRL growth isn't a big concern. You still benefit from new partitions and smaller CRL buckets.
  • Use aggregated CRL if you use CRL-based OCSP server (Microsoft Online Responder, for example). CRL-based OCSP servers expect single complete CRL, not a bunch of smaller partitions.
  • Prefer aggregated CRL if CRL is manually installed on a third-party system. Like CRL-based OCSP servers, they may require single complete CRL.
  • Prefer exclusive zero partition if aggregate CRL is not required or its growth is a critical concern.

You can change Partition Zero handling any time. CA will reconstruct CRLs accordingly after publishing new CRL.

Partition Assignment Algorithm

Next strategy type (or dimension if you like) is how partition assignment is done within each partitioning type. The purpose of assignment algorithm is to make CRL partition sizes as uniform as possible. While each algorithm explained below offers uniform distribution under the hood, final CRL partitions are not guaranteed to be uniform in size, because it depends on actual revocation volume and pattern. Keep in mind this aspect.

AD CS provides two options how next CRL partition index is assigned:

  • Random (default)
  • Round-robin

Let's take a look into each partition assignment algorithm.

Random Partition Assignment (Type 1)

With random partition assignment, next partition index is not guaranteed to be sequential. Default behavior is to use random function with uniform (or close to it) distribution. The following figure shows an example of random partition assignment:

No predictability, but may be considered a more uniform algorithm from pure math standpoint.

Round-robin partition assignment (Type 2)

Alternatively, you can configure CRL partition index assignment to be round-robin as shown in the following figure:

CSR is sequentially assigned to each partition and then starts over after last partition is reached. This algorithm offers predictability in partition selection, however it doesn't necessary facilitate better uniform distribution in CRLs.

Random partition assignment summary

We learned that AD CS provides two CRL partition assignment algorithms, random and round-robin. Default is to use random function.

And obvious question: which one to choose?

Again, there is no universal answer, but I would recommend to stick with default one. If you find that some partitions has spikes, you may want to change current algorithm to another on a fly. Note that in early stages, when the set of revoked certificates is small, CRL partitions may face some excesses. A larger set is, better distribution properties you get. Do not change partition assignment algorithm until you get at least 1000 revoked certificates.

You can change partition assignment algorithm any time. CA will use new algorithm after service restart.

Strategy Summary

In this post, we explored two fundamental design strategies:

  • Partition zero handling. Default: aggregate CRL at partition zero.
  • Partition assignment algorithm. Default: random partition.

After combining the provided options, we can identify four CRL partitioning strategies:

  • A1 — aggregated CRL at partition zero, random assignment
  • A2 — aggregated CRL at partition zero, round-robin assignment
  • B1 — no aggregated CRL at partition zero, random assignment
  • B2 — no aggregated CRL at partition zero, round-robin assignment

I will use these codes in subsequent articles in this series to refer to particular partition design.

In next part, I will explain actual configuration elements and how exactly you can configure partitioned CRLs. So, stay tuned!

Share this article:

Comments:

Post your comment:

Please, solve this little equation and enter result below. Captcha image