Thanks a lot for the work you've done, Vadim!
Good luck in your new job.
The general recommendation is between 6-9 months. Make sure that your web server properly implements the ETag and MaxAge HTTP headers. When configured (see this whitepaper: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ee619730(v=ws.10)?redirectedfrom=MSDN), clients will periodically poll the HTTP server to see whether there is a new CRL without actually downloading it, and force a CRL download when it is updated on the server. With this configuration, 6-12 month CRLs are reliable enough.
I have a RootCA with an HSM. CRLs are published every 3 months; this server is offline and turned off, and I only turn it on for the CRL publication period. I wonder what the best practice is for publishing CRLs on a RootCA. The 3-month period is a bit troublesome, since the servers are in a different city. Can this period be extended, e.g. to 6 months or once a year, and what is the real impact on the PKI? What is the best practice?
> my hypothesis concerns the algorithm
This is not correct. The CRL signature algorithm doesn't relate to the algorithm used in the issued certificate. The algorithm for an issued certificate is chosen by the client, and the algorithm used to sign the CRL depends on the CA. Your configuration is supposed to work, and you have to debug it on the client, for example using the "certutil -verify -urlfetch" command.
> is it possible to generate additional CRLs (a delta CRL is not useful in this case) with ECDSA signing/hash algorithm
It is not possible. The CA must have an ECC key in order to create ECDSA signatures.
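An added example, not from the thread or from Sysadmins LV: a standard-library Python walk over a DER-encoded CRL that reports the thisUpdate/nextUpdate window (the validity period discussed above) and checks whether the CRL's signatureAlgorithm is one the CA's key type can produce, which is the RSA vs. ECDSA point made here. The sample CRL, its "Test CA" issuer and its dummy signature are constructed inline; nothing is verified against a real CA.

```python
from datetime import datetime, timezone

SIG_OIDS = {  # signatureAlgorithm OID -> (name, CA key type able to produce it)
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", "RSA"),
    "1.2.840.10045.4.3.3": ("ecdsa-with-SHA384", "EC"),
}
def _tlv(data, pos=0):
    """Decode one DER TLV at pos; return (tag, value, position after it)."""
    tag, ln, pos = data[pos], data[pos + 1], pos + 2
    if ln & 0x80:  # long-form length: low bits give the number of length bytes
        n = ln & 0x7F
        ln, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + ln], pos + ln
def _oid(value):  # dotted OID string from its DER content octets
    arcs, cur = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(cur); cur = 0
    return ".".join(map(str, arcs))
def _time(tag, value):  # 0x17 = UTCTime (YY), 0x18 = GeneralizedTime (YYYY)
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(value.decode(), fmt).replace(tzinfo=timezone.utc)
def crl_summary(der, ca_key_type):
    """Parse a DER CertificateList (RFC 5280 5.1): signature algorithm, the
    thisUpdate->nextUpdate window in days, and whether the CA key can sign it."""
    _, cert_list, _ = _tlv(der)
    _, tbs, pos = _tlv(cert_list)             # tbsCertList
    _, alg, _ = _tlv(cert_list, pos)          # outer signatureAlgorithm
    name, key_type = SIG_OIDS.get(_oid(_tlv(alg)[1]), ("unknown", None))
    tag, _, pos = _tlv(tbs)                   # optional version, else signature
    if tag == 0x02:
        _, _, pos = _tlv(tbs, pos)            # version was present: skip signature
    _, _, pos = _tlv(tbs, pos)                # issuer Name
    t1, v1, pos = _tlv(tbs, pos)              # thisUpdate
    t2, v2, _ = _tlv(tbs, pos)                # nextUpdate
    return {"sig_alg": name, "validity_days": (_time(t2, v2) - _time(t1, v1)).days,
            "ca_key_matches": key_type == ca_key_type}
def _enc(tag, *parts):
    """Tiny DER encoder (content lengths < 256) used only to build the sample below."""
    body = b"".join(parts); n = len(body)
    return bytes([tag]) + (bytes([n]) if n < 128 else b"\x81" + bytes([n])) + body

# Constructed sample: a CRL claiming sha384WithRSAEncryption, a 6-month window,
# no revokedCertificates and a dummy (unverifiable) signature BIT STRING.
RSA_SHA384 = _enc(0x30, _enc(0x06, bytes.fromhex("2a864886f70d01010c")), _enc(0x05))
ISSUER = _enc(0x30, _enc(0x31, _enc(0x30, _enc(0x06, b"\x55\x04\x03"), _enc(0x13, b"Test CA"))))
TBS = _enc(0x30, _enc(0x02, b"\x01"), RSA_SHA384, ISSUER,
           _enc(0x17, b"200101000000Z"), _enc(0x17, b"200701000000Z"))
SAMPLE_CRL = _enc(0x30, TBS, RSA_SHA384, _enc(0x03, b"\x00" * 49))
```

Running `crl_summary(SAMPLE_CRL, "RSA")` reports a 182-day window with a matching CA key; passing `"EC"` flags the mismatch, which is the situation an RSA-keyed SubCA asked for ECDSA CRLs would be in.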
My SubCA, "based on an RSA certificate", generates both RSA (Windows) and ECDSA certificates (specific devices). It generates a CRL/delta CRL using the SHA384RSA/SHA384 signing/hash algorithm.
My problem is that the specific devices do not accept the CRL and I don't know why; my hypothesis concerns the algorithm.
Is it possible to generate additional CRLs (a delta CRL is not useful in this case) with an ECDSA signing/hash algorithm for these specific devices?
1) Not necessary, it's supposed to work
2) No, I have to create a specific subCA
© 2008 - 2020 - Sysadmins LV. All rights reserved