Maksim
Maksim 28.11.2020 21:15 (GMT+2) I’m moving!

Thanks a lot for the work you've done, Vadim!

Good luck in your new job.

Vadims Podāns
Vadims Podāns 26.11.2020 13:10 (GMT+2) How ThisUpdate, NextUpdate and NextCRLPublish are calculated (v2)

The general recommendation is between 6 and 9 months. Make sure that your web server properly implements the ETag and MaxAge HTTP headers. When configured (see this whitepaper: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ee619730(v=ws.10)?redirectedfrom=MSDN), clients will periodically poll the HTTP server to check whether there is a new CRL without actually downloading the CRL, and force a CRL download when it is updated on the server. With this configuration 6-12 month CRLs are reliable enough.
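
The ETag/max-age polling behaviour described above, as an added example that is not part of the original comment or of any Microsoft tooling: a local stand-in for a CRL web server (served from a background thread, so the script runs offline) and a client that keeps the cached CRL while max-age has not expired, then re-validates with If-None-Match and only downloads when the server answers 200 with a new ETag. The max-age value is carried in the Cache-Control header; the CRL bytes are constructed placeholders, not real DER, and the 2-second max-age is a demo value.

```python
"""Conditional CRL polling with ETag and Cache-Control max-age (added example)."""
import hashlib
import threading
import time
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

MAX_AGE = 2  # seconds for the demo; a real deployment uses a fraction of the CRL validity


class CrlServer:
    """Serves one CRL blob with ETag and Cache-Control headers (constructed stand-in)."""

    def __init__(self):
        self.body = b"CRL-v1 (constructed placeholder, not real DER)"
        owner = self

        class Handler(BaseHTTPRequestHandler):
            def do_GET(self):
                body = owner.body
                etag = '"%s"' % hashlib.sha256(body).hexdigest()[:16]
                cache = "max-age=%d" % MAX_AGE
                if self.headers.get("If-None-Match") == etag:
                    self.send_response(304)          # unchanged: no body transferred
                    self.send_header("ETag", etag)
                    self.send_header("Cache-Control", cache)
                    self.end_headers()
                    return
                self.send_response(200)
                self.send_header("Content-Type", "application/pkix-crl")
                self.send_header("ETag", etag)
                self.send_header("Cache-Control", cache)
                self.send_header("Content-Length", str(len(body)))
                self.end_headers()
                self.wfile.write(body)

            def log_message(self, *args):        # keep the demo quiet
                pass

        self.httpd = HTTPServer(("127.0.0.1", 0), Handler)
        self.url = "http://127.0.0.1:%d/ca.crl" % self.httpd.server_address[1]
        threading.Thread(target=self.httpd.serve_forever, daemon=True).start()

    def publish(self, new_body):
        """Simulate the CA publishing a fresh CRL to the CDP."""
        self.body = new_body

    def stop(self):
        self.httpd.shutdown()
        self.httpd.server_close()


class CrlClient:
    """Caches one CRL: honours max-age, then re-validates with If-None-Match."""

    def __init__(self, url):
        self.url, self.body, self.etag, self.fresh_until = url, None, None, 0.0

    def refresh(self, now=None):
        """Return 'cached', 'not_modified' or 'downloaded'."""
        now = time.time() if now is None else now
        if self.body is not None and now < self.fresh_until:
            return "cached"                      # inside max-age: no network round trip
        req = urllib.request.Request(self.url)
        if self.etag:
            req.add_header("If-None-Match", self.etag)
        try:
            with urllib.request.urlopen(req, timeout=5) as resp:
                self.body = resp.read()
                self.etag = resp.headers.get("ETag")
                self._set_fresh(resp.headers.get("Cache-Control"), now)
                return "downloaded"
        except urllib.error.HTTPError as err:
            if err.code == 304:                  # urllib reports 304 as an HTTPError
                self._set_fresh(err.headers.get("Cache-Control"), now)
                return "not_modified"
            raise

    def _set_fresh(self, cache_control, now):
        max_age = 0
        for part in (cache_control or "").split(","):
            part = part.strip()
            if part.startswith("max-age="):
                max_age = int(part[len("max-age="):])
        self.fresh_until = now + max_age


def demo():
    """Download, cached hit, 304 after expiry, new download after the CA publishes."""
    server = CrlServer()
    try:
        client = CrlClient(server.url)
        t0 = time.time()
        first = client.refresh(now=t0)                       # downloaded
        second = client.refresh(now=t0 + 1)                  # cached
        third = client.refresh(now=t0 + MAX_AGE + 1)         # not_modified (304)
        server.publish(b"CRL-v2 (constructed placeholder, not real DER)")
        fourth = client.refresh(now=t0 + 2 * MAX_AGE + 2)    # downloaded
        return first, second, third, fourth, client.body
    finally:
        server.stop()


if __name__ == "__main__":
    print(demo())
```

Only the first and last poll transfer the CRL body; the other two cost either nothing or a small 304 round trip, which is what makes long-lived CRLs workable without clients running on stale data for the whole validity period.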

Rafał
Rafał 26.11.2020 12:50 (GMT+2) How ThisUpdate, NextUpdate and NextCRLPublish are calculated (v2)

I have a RootCA with an HSM and CRLs published every 3 months. This server is offline and turned off; I only turn it on for the CRL publication period. I wonder what the best practice is for publishing the CRL on a RootCA. The 3-month period is a bit troublesome, as the servers are in a different city. Can this period be extended, e.g. to 6 months or once a year, and what is the real impact on the PKI? What is the best practice?

Vadims Podāns
Vadims Podāns 17.11.2020 17:03 (GMT+2) Designing CRL Distribution Points and Authority Information Access locations

> my hypothesis concerns the algorithm

This is not correct. The CRL signature algorithm doesn't relate to the algorithm used in the issued certificate. The algorithm for the issued certificate is chosen by the client, and the algorithm used to sign the CRL depends on the CA. Your configuration is supposed to work and you have to debug it on the client, for example using the "certutil -verify -urlfetch" command.

> is it possible to generate an additional CRLs (a delta CRL is not useful in this case) with ECDSA signing/hash algorithm

It is not possible. The CA must have an ECC key in order to create ECDSA signatures.
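
A quick way to see which algorithm actually signed a CRL, added here as an example and not code from the original thread or from Microsoft AD CS: the outer signatureAlgorithm of a DER-encoded CertificateList (RFC 5280: SEQUENCE { tbsCertList, signatureAlgorithm, signatureValue }) is read with a minimal ASN.1 walker and compared with the CA key family, which is the point made above (an RSA-keyed CA can only produce RSA-signed CRLs). The CRL bytes are a constructed skeleton built by the helper at the bottom, not a real signed CRL; the OIDs are the standard sha256/sha384 RSA and ECDSA identifiers.

```python
"""Read the outer signatureAlgorithm OID of a DER CRL (added example)."""

SIG_OIDS = {  # well-known signature algorithm OIDs (RFC 4055 / RFC 5758)
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "RSA"),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", "RSA"),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", "ECC"),
    "1.2.840.10045.4.3.3": ("ecdsa-with-SHA384", "ECC"),
}


def _read_tlv(data, pos):
    """Decode one DER TLV at pos; return (tag, content_bytes, next_pos)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def _decode_oid(value):
    """Decode OBJECT IDENTIFIER content octets into dotted form."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def crl_signature_algorithm(crl_der):
    """Return (dotted OID, name, key family) from the CRL's outer signatureAlgorithm."""
    tag, outer, _ = _read_tlv(crl_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _tbs, pos = _read_tlv(outer, 0)          # tbsCertList, skipped
    tag, algid, _ = _read_tlv(outer, pos)       # AlgorithmIdentifier
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid_bytes, _ = _read_tlv(algid, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    oid = _decode_oid(oid_bytes)
    name, family = SIG_OIDS.get(oid, ("unknown", "unknown"))
    return oid, name, family


def check_ca_can_sign(crl_der, ca_key_family):
    """An RSA CA cannot emit ECDSA-signed CRLs: the CRL family must match the CA key."""
    _oid, name, family = crl_signature_algorithm(crl_der)
    return family == ca_key_family, name


# --- constructed helpers that build a skeleton CRL for the demo (not a valid signed CRL) ---
def _tlv(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.insert(0, (a & 0x7F) | 0x80)
            a >>= 7
        out += bytes(chunk)
    return out


def build_skeleton_crl(sig_oid):
    """SEQUENCE { tbsCertList placeholder, AlgorithmIdentifier, BIT STRING placeholder }."""
    tbs = _tlv(0x30, _tlv(0x02, b"\x01"))                    # version v2 only; rest omitted
    params = b"\x05\x00" if SIG_OIDS[sig_oid][1] == "RSA" else b""  # RSA carries NULL, ECDSA none
    alg = _tlv(0x30, _tlv(0x06, _encode_oid(sig_oid)) + params)
    sig = _tlv(0x03, b"\x00" * 9)                            # placeholder signature bits
    return _tlv(0x30, tbs + alg + sig)


if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.12", "1.2.840.10045.4.3.3"):
        crl = build_skeleton_crl(oid)
        print(crl_signature_algorithm(crl), check_ca_can_sign(crl, "RSA"))
```

Pointing `crl_signature_algorithm` at a real downloaded .crl file shows whether the devices are being handed an RSA-signed CRL; if they are, the signature algorithm is not the thing to change on the CA, so the next step is the client-side check with certutil mentioned above.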

Romain
Romain 17.11.2020 16:51 (GMT+2) Designing CRL Distribution Points and Authority Information Access locations

Hi Vadims,

My SubCA (based on an RSA certificate) generates both RSA (Windows) and ECDSA certificates (specific devices). It generates a CRL/delta CRL using the signing/hash algorithm SHA384RSA/SHA384.

My problem is that the specific devices do not accept the CRL and I don't know why, my hypothesis concerns the algorithm.

Is it possible to generate additional CRLs (a delta CRL is not useful in this case) with an ECDSA signing/hash algorithm for these specific devices?

1) Not necessary, it's supposed to work

2) No, I have to create a specific subCA