PKI - Certification Authority (CA): Best Practice regarding CRL and OCSP propagation

49885604 215 Reputation points
2024-04-11T22:15:48.65+00:00

Hi everyone,

I would like to know whether there is a best practice regarding the CRL and Delta CRL update times, as well as the OCSP propagation and update times.

Regarding the CRL, I have the settings shown in the attached images.

Kind regards and thanks for your support,

Alessio

Attached images: CRL.png, DeltaCRL.png, EnterprisePKI-Options.png


Accepted answer
  1. Anonymous
    2024-04-12T01:55:33.27+00:00

    Hello 49885604,

    Thank you for posting in Q&A forum.

    Best Practice regarding the CRL and Delta CRL update time, as well as the OCSP propagation and update time.
    A: The suggested CRL update interval is 1 week or 2 weeks and the Delta CRL update interval is 1 day.

    And the suggested OCSP update interval is 15 minutes.


    For the LDAP and HTTP locations in the Base CRLs window, clear "Refresh CRLs based on their validity periods". In the "Update CRLs at this refresh interval (min)" field, enter 15, and then click OK.

    References:

    https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831348(v=ws.11)

    https://mjcb.io/blog/2020/03/09/certificate-authority-windows-server-2019-part-4/#documentTop

    I hope the information above is helpful.

    If you have any questions or concerns, please feel free to let us know.

    Best Regards,

    Daisy Zhou

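The following is an added example, not code from the thread or from Microsoft: it applies the base CRL (1 week) and delta CRL (1 day) intervals from the accepted answer to an AD CS CA with `certutil -setreg`, republishes, and then checks CRL freshness from the HTTP CDP the way a monitoring job would. The overlap values and `$CdpUrl` are assumptions (placeholders); the 15-minute Online Responder refresh is set in the Online Responder console as described above and is not covered here.

```powershell
# Added example, not from the thread: set the intervals the accepted answer
# suggests (base CRL 1 week, delta CRL 1 day) on an AD CS CA, republish, and
# check CRL freshness at the CDP. Run in an elevated PowerShell on the CA.
# Assumed: $CdpUrl is a placeholder for your CA's HTTP CRL distribution point;
# the overlap values are a reasonable choice, not something the thread states.
$ErrorActionPreference = 'Stop'

# Base CRL valid 1 week; the overlap period is added to the validity so a
# client that fetched just before the scheduled publish still holds a valid CRL.
certutil -setreg CA\CRLPeriodUnits 1
certutil -setreg CA\CRLPeriod "Weeks"
certutil -setreg CA\CRLOverlapUnits 1
certutil -setreg CA\CRLOverlapPeriod "Days"

# Delta CRL valid 1 day, with a 4-hour overlap (assumed value).
certutil -setreg CA\CRLDeltaPeriodUnits 1
certutil -setreg CA\CRLDeltaPeriod "Days"
certutil -setreg CA\CRLDeltaOverlapUnits 4
certutil -setreg CA\CRLDeltaOverlapPeriod "Hours"

# The CA reads these values at service start; then publish right away instead
# of waiting for the next scheduled publish.
Restart-Service certsvc
certutil -crl

# Read back what the CA will actually use.
foreach ($v in 'CRLPeriodUnits','CRLPeriod','CRLDeltaPeriodUnits','CRLDeltaPeriod') {
    certutil -getreg "CA\$v" | Select-String $v
}

# Freshness check from the client's point of view: fetch the base CRL from the
# HTTP CDP and parse ThisUpdate/NextUpdate out of certutil's dump. Warn if the
# CRL is within a day of expiry, i.e. a missed publish or a broken CDP copy job
# would soon cause revocation-check failures on every relying party.
$CdpUrl  = 'http://pki.example.invalid/CertEnroll/IssuingCA.crl'   # placeholder
$crlFile = Join-Path $env:TEMP 'cdp-check.crl'
Invoke-WebRequest -Uri $CdpUrl -OutFile $crlFile -UseBasicParsing
$dump = certutil -dump $crlFile
function Get-DumpDate([string[]]$Lines, [string]$Field) {
    $m = $Lines | Select-String "$Field\s*(.+)$" | Select-Object -First 1
    [datetime]::Parse($m.Matches[0].Groups[1].Value.Trim())   # local time, current culture
}
$thisUpd = Get-DumpDate $dump 'ThisUpdate:'
$nextUpd = Get-DumpDate $dump 'NextUpdate:'
$remaining = $nextUpd - (Get-Date)
"ThisUpdate={0:u}  NextUpdate={1:u}  remaining={2:N1} h" -f $thisUpd, $nextUpd, $remaining.TotalHours
if ($remaining.TotalHours -lt 24) {
    Write-Warning "CRL at $CdpUrl expires in $([int]$remaining.TotalHours) h; check CA publishing and the CDP copy job"
}
```

Schedule the freshness section alone on a monitoring host (it needs no CA rights) so an expiring CRL is caught before clients start failing revocation checks.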

1 additional answer

  1. Marcin Policht 51,450 Reputation points MVP Volunteer Moderator
    2024-04-11T22:38:37.8033333+00:00
    1. Regular Updates: CRL and Delta CRL: Ensure that CRLs and Delta CRLs are updated regularly to include the latest information about revoked certificates. The update frequency should align with the organization's risk tolerance and operational requirements. OCSP: Propagate OCSP responses promptly to provide real-time validation of certificate status. OCSP responses should be updated frequently to reflect changes in certificate status, minimizing the window of exposure to potential security risks.
    2. Optimized Update Intervals: Balance update intervals to minimize latency while avoiding excessive network bandwidth consumption and server load. Consider factors such as the size of the certificate authority (CA) infrastructure, the volume of certificate issuance and revocation events, and the distribution of clients requiring validation services. Use shorter update intervals for critical systems and high-value certificates, such as those used for authentication, digital signatures, and sensitive data encryption.
    3. Automation and Monitoring: Implement automated processes for CRL and OCSP generation, propagation, and distribution to minimize manual intervention and ensure timely updates. Monitor CRL and OCSP update processes closely, leveraging logging and alerting mechanisms to detect and address any issues or failures promptly.
    4. Scalability and Redundancy: Design the CRL and OCSP infrastructure to scale dynamically in response to changes in certificate volume and usage patterns. Employ load balancing and distributed caching mechanisms to handle increasing request loads effectively. Implement redundancy and failover mechanisms to ensure high availability and resilience against server failures or network disruptions.
    5. Optimized OCSP Stapling: Utilize OCSP stapling, a mechanism where the server includes a digitally signed OCSP response along with the SSL/TLS certificate during the handshake process. This approach reduces latency and improves privacy by eliminating the need for clients to query the OCSP responder separately. Configure servers to refresh stapled OCSP responses periodically to ensure that clients receive up-to-date information about certificate status during subsequent connections.
    6. Compliance and Security Audits: Regularly review and update policies and procedures related to CRL and OCSP management to align with industry best practices and regulatory requirements. Conduct periodic security audits and vulnerability assessments to identify and remediate any weaknesses or vulnerabilities in the CRL and OCSP infrastructure.


    hth

    Marcin
