Hello S-1-1-0, here is the fourth part of an "AD CS Partitioned CRLs - A Comprehensive Guide" blog post series.
All posts in this series:
In the previous post, I provided information about partitioned CRL design, a description of the feature and the configuration commands. This blog post will summarize that knowledge by providing quick guides to configure all partitioning strategies (A1, A2, B1 and B2), which you can use as a recipe template. Refer to Part 2 in this series for additional information about the different CRL partitioning strategies.
This section contains configuration notes that apply to all subsequent sections.
Command examples include the CRLPublicationURLs config setting, which is provided to show how the <CRLPartitionIndex> variable is defined and which new flags are placed in front of the HTTP URL. Adapt the URLs to match your environment.
Goal: implement partitioned CRL with aggregated CRL and random partition assignment algorithm.
Use the following commands to enable and configure A1 strategy with 10 working partitions:
certutil -setreg ca\CRLFlags +CRLF_ENABLE_CRL_PARTITION
certutil -setreg ca\CRLMaxPartitions 10
certutil -setreg ca\CRLPublicationURLs "65:C:\Windows\system32\CertSrv\CertEnroll\%3<CRLPartitionIndex>%8%9.crl\n65:\\fileserver\CertData\%3<CRLPartitionIndex>%8%9.crl\n134:http://cdp.example.com/CertEnroll/%3<CRLPartitionIndex>%8%9.crl"
Restart-Service CertSvc
certutil -CRL
Goal: implement partitioned CRL with aggregated CRL and round-robin partition assignment algorithm.
Use the following commands to enable and configure A2 strategy with 10 working partitions:
certutil -setreg ca\CRLFlags +CRLF_ENABLE_CRL_PARTITION
certutil -setreg ca\CRLMaxPartitions 10
certutil -setreg ca\CRLCurrentPartition 1
certutil -setreg ca\CRLPublicationURLs "65:C:\Windows\system32\CertSrv\CertEnroll\%3<CRLPartitionIndex>%8%9.crl\n65:\\fileserver\CertData\%3<CRLPartitionIndex>%8%9.crl\n134:http://cdp.example.com/CertEnroll/%3<CRLPartitionIndex>%8%9.crl"
Restart-Service CertSvc
certutil -CRL
Goal: implement partitioned CRL without aggregated CRL and random partition assignment algorithm.
Use the following commands to enable and configure B1 strategy with 10 working partitions:
certutil -setreg ca\CRLFlags +CRLF_ENABLE_CRL_PARTITION
certutil -setreg ca\CRLFlags +CRLF_PARTITION_ZERO_EXCLUSIVE
certutil -setreg ca\CRLMaxPartitions 10
certutil -setreg ca\CRLPublicationURLs "65:C:\Windows\system32\CertSrv\CertEnroll\%3<CRLPartitionIndex>%8%9.crl\n65:\\fileserver\CertData\%3<CRLPartitionIndex>%8%9.crl\n134:http://cdp.example.com/CertEnroll/%3<CRLPartitionIndex>%8%9.crl"
Restart-Service CertSvc
certutil -CRL
Goal: implement partitioned CRL without aggregated CRL and round-robin partition assignment algorithm.
Use the following commands to enable and configure B2 strategy with 10 working partitions:
certutil -setreg ca\CRLFlags +CRLF_ENABLE_CRL_PARTITION
certutil -setreg ca\CRLFlags +CRLF_PARTITION_ZERO_EXCLUSIVE
certutil -setreg ca\CRLMaxPartitions 10
certutil -setreg ca\CRLCurrentPartition 1
certutil -setreg ca\CRLPublicationURLs "65:C:\Windows\system32\CertSrv\CertEnroll\%3<CRLPartitionIndex>%8%9.crl\n65:\\fileserver\CertData\%3<CRLPartitionIndex>%8%9.crl\n134:http://cdp.example.com/CertEnroll/%3<CRLPartitionIndex>%8%9.crl"
Restart-Service CertSvc
certutil -CRL
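The four recipes above differ only in one extra CRLFlags value (B strategies) and one extra registry value (round-robin strategies), so here is a PowerShell recipe template, added as an example and not code from the original post, that builds the same certutil settings from a strategy name and partition count, checks the CRLPublicationURLs template before anything is applied, and supports -WhatIf so you can preview the exact commands. It assumes an elevated session on the CA with certutil.exe available, uses the paths and URL from the recipes above as defaults (adapt them to your environment), and takes the CSURL_* bit values (1, 2, 4, 64, 128) from the standard CRLPublicationURLs flag definitions; the function names and the plan object are my own.

```powershell
# Added example, not code from the original post. Assumed: elevated PowerShell on the CA,
# certutil.exe on the path, and the standard CSURL_* bit values listed here.
$CSURL_SERVERPUBLISH      = 1    # publish base CRLs to this location
$CSURL_ADDTOCERTCDP       = 2    # include in the CDP extension of issued certificates
$CSURL_ADDTOFRESHESTCRL   = 4    # include in CRLs so clients can find delta CRLs
$CSURL_SERVERPUBLISHDELTA = 64   # publish delta CRLs to this location
$CSURL_ADDTOIDP           = 128  # include in the IDP extension of issued CRLs

function Test-CrlPublicationUrls {
    # Returns the problems found in a CRLPublicationURLs value; an empty result means the template is fine.
    param([Parameter(Mandatory)][string]$Value)
    $problems = @()
    foreach ($entry in ($Value -split '\\n')) {          # regex '\\n' matches the literal two-character \n separator
        if ($entry -notmatch '^(\d+):(.+)$') { $problems += "unparseable entry: $entry"; continue }
        $flag = [int]$Matches[1]
        $url  = $Matches[2]
        $hasToken = $url -like '*<CRLPartitionIndex>*'
        if (($flag -band ($CSURL_SERVERPUBLISH -bor $CSURL_SERVERPUBLISHDELTA)) -and -not $hasToken) {
            $problems += "publish location has no <CRLPartitionIndex>, so every partition would overwrite the same file: $url"
        }
        if (($flag -band $CSURL_ADDTOCERTCDP) -and -not $hasToken) {
            $problems += "CDP URL has no <CRLPartitionIndex>, so certificates could not point at their own partition: $url"
        }
        if (($flag -band $CSURL_ADDTOCERTCDP) -and -not ($flag -band $CSURL_ADDTOIDP)) {
            $problems += "CDP URL lacks the IDP flag (128) that the partitioned recipes use: $url"
        }
    }
    return ,$problems
}

function New-PartitionedCrlPlan {
    # Builds the registry settings for strategy A1/A2/B1/B2 without touching the CA.
    param(
        [Parameter(Mandatory)][ValidateSet('A1','A2','B1','B2')][string]$Strategy,
        [ValidateScript({ $_ -ge 1 })][int]$Partitions = 10,
        [ValidateScript({ $_ -ge 1 })][int]$KeyCount = 1,
        [string[]]$PublishPaths = @('C:\Windows\system32\CertSrv\CertEnroll', '\\fileserver\CertData'),
        [string[]]$HttpBases = @('http://cdp.example.com/CertEnroll')
    )
    # %3 = CA name, %8 = CRL name suffix (key index), %9 = delta CRL suffix, as in the recipes above
    $file        = '%3<CRLPartitionIndex>%8%9.crl'
    $publishFlag = $CSURL_SERVERPUBLISH -bor $CSURL_SERVERPUBLISHDELTA                      # 65
    $cdpFlag     = $CSURL_ADDTOCERTCDP -bor $CSURL_ADDTOFRESHESTCRL -bor $CSURL_ADDTOIDP     # 134
    $urls = @()
    foreach ($p in $PublishPaths) { $urls += "${publishFlag}:$($p.TrimEnd('\'))\$file" }
    foreach ($h in $HttpBases)    { $urls += "${cdpFlag}:$($h.TrimEnd('/'))/$file" }

    $flags = @('+CRLF_ENABLE_CRL_PARTITION')
    if ($Strategy -like 'B*') { $flags += '+CRLF_PARTITION_ZERO_EXCLUSIVE' }   # B strategies: no aggregated CRL
    $registry = [ordered]@{ 'ca\CRLMaxPartitions' = $Partitions }
    if ($Strategy -like '*2') { $registry['ca\CRLCurrentPartition'] = 1 }      # round-robin: starting partition
    $registry['ca\CRLPublicationURLs'] = $urls -join '\n'                       # literal \n separates REG_MULTI_SZ entries

    [pscustomobject]@{
        Strategy         = $Strategy
        CrlFlags         = $flags
        Registry         = $registry
        # base + delta CRL, per signing key, for partition zero plus every working partition
        # (assumes delta CRLs are enabled; otherwise drop the factor 2)
        ExpectedCrlFiles = 2 * $KeyCount * ($Partitions + 1)
    }
}

function Invoke-CertUtil {
    # Runs certutil and fails loudly instead of hiding a non-zero exit code.
    param([string[]]$Arguments)
    & certutil @Arguments | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certutil $($Arguments -join ' ') failed with exit code $LASTEXITCODE" }
}

function Invoke-PartitionedCrlPlan {
    # Applies a plan; run with -WhatIf first to see the commands that would be executed.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)]$Plan)
    $problems = Test-CrlPublicationUrls -Value $Plan.Registry['ca\CRLPublicationURLs']
    if ($problems) { throw ("refusing to apply:`n" + ($problems -join "`n")) }
    foreach ($f in $Plan.CrlFlags) {
        if ($PSCmdlet.ShouldProcess('ca\CRLFlags', "certutil -setreg ca\CRLFlags $f")) {
            Invoke-CertUtil -Arguments @('-setreg', 'ca\CRLFlags', $f)
        }
    }
    foreach ($key in $Plan.Registry.Keys) {
        $value = $Plan.Registry[$key]
        if ($PSCmdlet.ShouldProcess($key, "certutil -setreg $key $value")) {
            Invoke-CertUtil -Arguments @('-setreg', $key, "$value")
        }
    }
    if ($PSCmdlet.ShouldProcess('CertSvc', 'Restart-Service, then certutil -CRL')) {
        Restart-Service CertSvc
        Invoke-CertUtil -Arguments @('-CRL')
    }
}

# Usage (constructed values): build the A2 plan, inspect it, preview the commands, then apply.
$plan = New-PartitionedCrlPlan -Strategy A2 -Partitions 10 -KeyCount 1
$plan.Registry['ca\CRLPublicationURLs']
"Expected CRL files once published: $($plan.ExpectedCrlFiles)"
Invoke-PartitionedCrlPlan -Plan $plan -WhatIf
# Invoke-PartitionedCrlPlan -Plan $plan

# A template without the partition token and without the IDP flag is reported before it can be applied:
Test-CrlPublicationUrls -Value '65:C:\Windows\system32\CertSrv\CertEnroll\%3%8%9.crl\n6:http://cdp.example.com/CertEnroll/%3%8%9.crl'
```

The validator is the part worth keeping even if you apply the settings by hand: a publish location whose file name lacks <CRLPartitionIndex> makes every partition write the same file, and a CDP URL without the token or without the IDP flag (128) does not match the pattern the recipes above rely on. You can confirm the bit values on your own CA with certutil -getreg ca\CRLPublicationURLs, which prints each entry with its flags decoded.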
After enabling and configuring partitioned CRLs, you can verify that everything is working using the Certification Authority MMC snap-in (certsrv.msc):
Right-click Revoked Certificates, select Properties and switch to the View CRLs tab. You should see multiple CRLs and a new column in the grid called "Partition Index", like this:

Select the Issued Certificates or Revoked Certificates folder to enter the CA database view. In the menu, select View -> Add/Remove Columns…. In Available Columns, you should see a new column called "CRL Partition Index":

Add this column to the view, move it to the top and press OK. You should see the new column and the CRL partition assigned to each request. Initially, this value will be 0 for all existing requests. No matter which strategy you choose, unassigned requests are automatically assigned to partition zero. However, every new certificate request will be assigned to a non-zero partition:

If you see that certificates are issued and assigned to new partitions, then your configuration is working. You can see in my example that CRL partitions are assigned sequentially, which means I'm using the A2/B2 strategy with round-robin partition assignment.
This section contains a summary of best practices and recommendations. Though this list is not exhaustive, it is a good baseline when making decisions.
Note that these recommendations are my own, not provided by Microsoft, and are based on my understanding of the technology and past experience in PKI field.
2 * KeyCount * (PartitionCount + 1), where 2 is the number of CRL types (Base and Delta), KeyCount is the number of CA signing keys, and PartitionCount is the number of working partitions (the + 1 accounts for the special partition zero).