How to Publish New Certificate Revocation List (CRL) from Offline Root CA to Active Directory and Inetpub
When building a Microsoft PKI (Public Key Infrastructure), it is highly recommended to take the Root CA offline after issuing the Enterprise Sub CA certificates, and to minimize access to the Offline Root CA as much as possible. The Root CA is not a domain-joined machine and can be turned off without any problem.

One of the key issues is the CRL generated by the Root CA. Set the CRL interval to a large value so that the CRL does not need to be copied to an online location frequently, and do not implement delta CRLs, because publishing each delta CRL would require access to the offline root CA in order to copy the delta CRL to an online publication location.

To change the CRL interval:

1. Turn on the Offline Root CA machine and log in with a local Admin account.
2. Open the Certification Authority Console.
3. Right-click "Revoked Certificates" and click Properties. Set “CRL Publish interval” to a large value (Default is ...
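
The same interval change can be made from the command line with certutil instead of the console. The PowerShell below is an added example, not part of the original article: the 52-week interval is an assumed value to replace with your own policy, and the CertEnroll path assumes a default AD CS installation.

```powershell
# Added example: run in an elevated PowerShell session on the offline root CA.
# $PeriodUnits / $Period are assumed values, not taken from the article.
$PeriodUnits = 52
$Period      = 'Weeks'

# Find the active CA's configuration key in the registry.
$cfgRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName  = (Get-ItemProperty -Path $cfgRoot).Active
$caKey   = Join-Path $cfgRoot $caName

# Record the current CRL settings so the change can be reviewed or reverted.
Get-ItemProperty -Path $caKey |
    Select-Object CRLPeriodUnits, CRLPeriod, CRLDeltaPeriodUnits, CRLDeltaPeriod |
    Format-List

# Set a long base CRL interval and disable delta CRLs (0 units = no delta CRL).
$settings = @(
    @('CA\CRLPeriodUnits',      "$PeriodUnits"),
    @('CA\CRLPeriod',           $Period),
    @('CA\CRLDeltaPeriodUnits', '0')
)
foreach ($s in $settings) {
    certutil -setreg $s[0] $s[1] | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certutil -setreg $($s[0]) failed ($LASTEXITCODE)" }
}

# Registry changes take effect only after the CA service restarts.
Restart-Service -Name CertSvc

# Issue a new CRL with the new interval.
certutil -CRL
if ($LASTEXITCODE -ne 0) { throw "certutil -CRL failed ($LASTEXITCODE)" }

# Confirm the validity window of each CRL file before copying it anywhere.
$crlDir = Join-Path $env:windir 'System32\CertSrv\CertEnroll'   # default path (assumption)
Get-ChildItem -Path $crlDir -Filter *.crl | ForEach-Object {
    Write-Output $_.Name
    certutil -dump $_.FullName | Select-String -Pattern 'ThisUpdate|NextUpdate'
}
```

Check that NextUpdate on the new CRL matches the interval you intended before shutting the root CA down again, since clients will treat the CRL as expired after that date.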