RADIUS Authentication with Certificates - What happens if CA is unavailable temporarily?

---

Hell ITPro's!
With all the help I received regarding PKI and CAs, I now more confident in using them, after testing it some times on a home Lab. Now I have a question, and after looking for it on the Internet didn't found an answer.

I thinking of using a RADIUS server to use authentication through certificates (computer certificates) from my Enterprise CA (domain joined). With that I want to verify the certificate issuer so I can validate the authenticity. When this is done is there a connection to the CA server or the Trusted Authority on the RADIUS server contain the certificates (that I distributed through GPO - for the offline CA)? Just in case if the CA is down temporarily or went bad and I need to add a new one.

Thank you in advance for the help! Keep the great work!
Regards,
Fábio

Hey @fabio-teles,

Glad you are having success implementing PKI!!

When a certificate is validated, a connection will be established with the Certificate Revocation List Distribution Point (CDP). The location of the CDP is included in the issued certificate. This location will need to be accessible to verify the certificate being presented is valid and not revoked.

Usually the CDP location is separate from the CA. The CDP needs to be highly available, as authentication will fail if the certificate cannot be validated. Even if the certificate is issued by a trusted CA, a revocation check will still be performed.

Is the offline CA your only CA? Did you add the CDP location to the extensions of the issue certificates?

Hello @Mike-Rodrick,
Thank you for your answer. It clarified the idea, I was missing the CRL in the process. Well in my LAB I have the RootCA and then a Subordinate, Enterprise CA, domain joined. Also in the LAB I have the CRL over HTTP connection, for the CRL I got from the RootCA, and for sake of resources on my test LAB the WEB address is an IIS on the Subordinate CA, that is domain joined.

As for the Enterprise CA, the subordinate one, I didn't configure anything related to the CRL. In the end, in the LAB, I didn't have erros but need to check where the CRL is available. I think on the domain joined CA is over LDAP but tomorrow, at work, I'll check on my test machines and also, if needed, spin up the VMs again from scratch and review this.

I made a step by step guide with some old videos from Microsoft I found, but the CRL is a great question. I'll post the configuration I have so it can help others ad also help me explain how I made it and with your help I'll learn a lot more!

Thank you Mike, again, for all the help! A very big thank you from Portugal

Hello @Mike-Rodrick,
So I checked the configuration for revocation lists and this is the result:

• The RootCA I deleted all locations except the local C:\ path and added a http one, http://pki...../cerdata/... and then I create a DNS CNAME for the web servers that will hold that (for LAB I only have one, but in real life I would have at least 2 with round robin DNS.

• The Enterprise CA, connected to AD, has the default option, published on AD. In production I have 3 domain controllers so there I'll have the redundancy I need

So I think for CRL locations we are good to go, and I know understand a little more about the PKI.
Thank you again!

Olá @fabio-teles ,

Adjusting the CDP for the offline CA is the step I always forget, that's why I mention it first

Looking forward to seeing your configuration, and it will definitely help others, I'm sure!

Ainda bem que pude ajudar. Boa sorte e continue fazendo ótimas perguntas!