The certificate revocation considerations are:
? Certificates can be revoked, but not all applications check revocation lists. In addition, many things can delay the distribution and downloading of new CRLs.
? Remember to design validity periods based on finding the sweet spot between minimizing exposure and opportunities for compromise and allowing for the administrative tasks that might be necessary during renewal. Where auto-enrollment reduces the administrative task of renewal, time frames can be shorter, but keep in mind that auto-enrollment means fewer certificates will expire on their own if the issuing CA is still available on the network.
? An additional decision must be made at CA renewal time. When a CA is renewed, a new key pair can be generated or the old pair can be reused. Remember the reason for CA certificate renewal: the minimizing of opportunity for key compromise.
Creating a new key pair is a good way to continue limiting opportunities, but the decision should be based on the strength of the key and the status of computer technology and praticing in free certification questions. A large key size is typically harder to crack and therefore more desirable. Larger keys, however, take a longer time to generate and encrypt information. The root CA certification, however, will be used only to sign new subordinate CA certificates, so this point is moot.
Off the Record How large should the key for the root CA be? Should it always be regenerated when the certificate is renewed? One estimate concludes that a 4096-bit key might take about 15 years to crack with today's computing equipment. If the root CA is given a 4096-bit key and a five-year validity period, when the administrator renews the certificate after four years, she can reassess the key based on thoughts of cryptography experts at that time. She can then make a decision about whether to renew by using the current key pair or by generating a new key pair.
? Intermediate CAs, those CAs that do not issue end-use certificates, must also renew their certificates, and you can choose whether or not to renew their keys. On one hand, they are not the root and have no power to issue end-use certificates. However, if they are compromised, every issuing CA they have issued a CA certificate for must be replaced. They are also more exposed than the stand-alone root CA. In addition, if cross-certification with another CA hierarchy is performed at the intermediary CA level, their being compromised might result in more risk and greater negative implications than with a CA that has not issued a cross-site certificate.
? When a new key pair is generated for a CA, a new CRL distribution point is created. This is done to ensure the CRL is signed by the current CA private key. This can also be used to advantage in environments -where many certificates are issued and revoked. CRLs can become large in these cases, and although the old CRL will continue to be issued until every certificate that -was issued using the old keys has expired, it will eventually be of no use.
? Certificate renewal is necessary to implement policy change:
Q If, for example, you -want a cross-certificate, a new policy file can be created only for an existing CA when the certificate is renewed.
Q Other changes, such as adding the ability to archive private keys, will result in the certificates previously issued being supercedecl and new certificates being issued.
Q When a policy changes, and thus CA renewal is necessaiy, plan the renewal for off-peak hours when the request for will likely not be as high.
Q Policy changes cannot always be anticipated, but the process required to handle them can be a part of the design of the renewal process. Consider how the change will affect certificate requests and whether current certificates should be used until they expire or whether the new should supercede them.
Even all the people who want to pass the (MCSA Certification) had the hardest time on practicing (free certification exam questions),they still felt that this exam so much harder than the other MCSA Certification. Actually, it's important to choose by the amount you can afford to spend, how much free time you have to do it, and which method you generally prefer and so on. The following research may bring you little inspiration.
Read More From Alyssa
|
