
Certificate Revocation Considerations

By Author: kayla

The certificate revocation considerations are:

• Certificates can be revoked, but not all applications check revocation lists. In addition, many things can delay the distribution and downloading of new CRLs.

• Remember to design validity periods based on finding the sweet spot between minimizing exposure and opportunities for compromise and allowing for the administrative tasks that might be necessary during renewal. Where auto-enrollment reduces the administrative task of renewal, time frames can be shorter, but keep in mind that auto-enrollment means fewer certificates will expire on their own if the issuing CA is still available on the network.

• An additional decision must be made at CA renewal time. When a CA is renewed, a new key pair can be generated or the old pair can be reused. Remember the reason for CA certificate renewal: minimizing the opportunity for key compromise. Creating a new key pair is a good way to continue limiting opportunities, but the decision should be based on the strength of the key and the status of computer technology ...

A large key size is typically harder to crack and therefore more desirable. Larger keys, however, take longer to generate and to encrypt information. The root CA certificate, however, will be used only to sign new subordinate CA certificates, so this point is moot.

Off the Record: How large should the key for the root CA be? Should it always be regenerated when the certificate is renewed? One estimate concludes that a 4096-bit key might take about 15 years to crack with today's computing equipment. If the root CA is given a 4096-bit key and a five-year validity period, when the administrator renews the certificate after four years, she can reassess the key based on the thinking of cryptography experts at that time. She can then decide whether to renew by using the current key pair or by generating a new key pair.

• Intermediate CAs, those CAs that do not issue end-use certificates, must also renew their certificates, and you can choose whether or not to renew their keys. On one hand, they are not the root and have no power to issue end-use certificates. However, if they are compromised, every issuing CA they have issued a CA certificate for must be replaced. They are also more exposed than the stand-alone root CA. In addition, if cross-certification with another CA hierarchy is performed at the intermediary CA level, their being compromised might result in more risk and greater negative implications than with a CA that has not issued a cross-site certificate.

• When a new key pair is generated for a CA, a new CRL distribution point is created. This is done to ensure the CRL is signed by the current CA private key. This can also be used to advantage in environments where many certificates are issued and revoked. CRLs can become large in these cases, and although the old CRL will continue to be issued until every certificate that was issued using the old keys has expired, it will eventually be of no use.

• Certificate renewal is necessary to implement policy change:

  - If, for example, you want a cross-certificate, a new policy file can be created for an existing CA only when the certificate is renewed.

  - Other changes, such as adding the ability to archive private keys, will result in the certificates previously issued being superseded and new certificates being issued.

  - When a policy changes, and thus CA renewal is necessary, plan the renewal for off-peak hours when the request for certificates will likely not be as high.

  - Policy changes cannot always be anticipated, but the process required to handle them can be a part of the design of the renewal process. Consider how the change will affect certificate requests and whether current certificates should be used until they expire or whether the new certificates should supersede them.
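
Added example (not part of the original article): the point above about a renewed CA key getting its own CRL, so that each CRL is signed by the key that issued the certificates it covers. This Python code uses the `cryptography` package with a constructed CA name, serial numbers and dates; selecting the CRL by signature check is a simplification assumed here.

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID

NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed reference time
CA_NAME = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Issuing CA")])

def new_key():
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)

LEAF_KEY = new_key()  # one constructed subject key reused by every sample certificate

def issue(serial, ca_key):
    """Issue a constructed end-entity certificate signed with ca_key."""
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, f"host-{serial:x}")])
    return (x509.CertificateBuilder().subject_name(subject).issuer_name(CA_NAME)
            .public_key(LEAF_KEY.public_key()).serial_number(serial)
            .not_valid_before(NOW).not_valid_after(NOW + timedelta(days=365))
            .sign(ca_key, hashes.SHA256()))

def publish_crl(ca_key, revoked_serials):
    """Build a CRL signed with ca_key that lists the given serial numbers."""
    builder = (x509.CertificateRevocationListBuilder().issuer_name(CA_NAME)
               .last_update(NOW).next_update(NOW + timedelta(days=7)))
    for serial in revoked_serials:
        entry = (x509.RevokedCertificateBuilder().serial_number(serial)
                 .revocation_date(NOW).build())
        builder = builder.add_revoked_certificate(entry)
    return builder.sign(ca_key, hashes.SHA256())

def signed_by(cert, ca_public_key):
    """True if the certificate's signature verifies under this CA public key."""
    try:
        ca_public_key.verify(cert.signature, cert.tbs_certificate_bytes,
                             padding.PKCS1v15(), cert.signature_hash_algorithm)
        return True
    except InvalidSignature:
        return False

def revocation_status(cert, ca_public_keys, crls):
    """'revoked' or 'good' from a CRL signed by the cert's issuing key, else 'unknown'."""
    issuing = next((k for k in ca_public_keys if signed_by(cert, k)), None)
    for crl in crls:
        if issuing is not None and crl.is_signature_valid(issuing):
            hit = crl.get_revoked_certificate_by_serial_number(cert.serial_number)
            return "revoked" if hit is not None else "good"
    return "unknown"
```

If only the renewed key's CRL is available, a certificate issued under the old key comes back as "unknown", which is why the old CRL has to stay published until those certificates expire.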
