Offline Root CA’s require periodic maintenance

In most environments where an offline Root CA is used, it must come back online once every 7 months to provide the Subordinate CA’s with an update CRL list. If this does not happen, the Subordinate CA will stop issuing certificates. The actual CA service on the Subordinate will no longer startup and the error message will be “The revocation function was unable to check revocation because the revocation server was offline”

I recommend performing the following steps every 6 months (to allow for a 30 day cushion)

1. Power up the Offline Root CA

2. On the Offline Root, run this command:
c:\windows\system32\certsrv\certenroll\certutil –crl

3. The command above will re-issue the CRL. Now copy the CRL from the c:\windows\system32\certsrv\certenroll directory to the Subordinate Issuing CA

4. The next step is to install the CRL into the Subordinate CA with this command:

Certutil –addstore CA <name of file>

CA best practices and maintenance procedures are located here:
http://technet.microsoft.com/en-us/library/cc782041(v=ws.10).aspx

Leave a Reply