Is the Offline Root CA Obsolete?

I think we need to consider here definitions of the word "offline".

As you suggest, the following are conflicting requirements:

  • Have the Root CA be powered off except when issuing / revoking a Subordinate CA cert.
  • Have the Root CA issue frequent CRLs.

The solution I see deployed most often is to do "soft air-gapping" or "soft offline" through firewalls so that the Root CA can still push new CRLs daily or hourly to be picked up and re-published by the CDP or OCSP responders. Block all other traffic to / from the Root CA machine.

I have even heard of one clever solution where the Root CA pushes CRL data over its audio line-out jack, which is a one-way port at the hardware level.


One other thing: there is no reason an offline root CA can't publish its certificate revocation list (CRL) to another location that is online. The lifetime of a CRL can be extended to a very large time period using this command:

certutil -setreg CA\CRLPeriodUnits 6
certutil -setreg CA\CRLPeriod "Years"

You can also publish Delta CRLs that contain only revocations that have changed since the last full CRL was published.

Now, since the only time you are going to revoke certificates from the offline root CA is if something major happens, what is the risk of having a huge CRL lifetime? Chances are you will never revoke any certificates from your offline host anyway, but if you do and you want CRL checks to pick this up, you can still have that part in place, so if you need it, it will work.

Offline CAs are often a debated subject, but if you have one and suffer a major compromise you will be glad you have it; if you don't have it but need it, you'll regret it. It's a matter of risk vs. reward.
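The sequence the answer above describes (set a long CRL period, re-issue the CRL, copy it to the online CDP location, confirm its NextUpdate), as an added PowerShell example that is not part of the original post. The CA name, the CDP share path and the overlap values are assumptions; run it elevated on the root CA itself.

```powershell
# Added example, not from the original answer. Assumed values:
$CaName   = 'Example-Root-CA'                      # assumed CA common name
$CdpShare = '\\cdp01.corp.example\CertEnroll$'    # assumed online CDP share
$CrlFile  = Join-Path "$env:SystemRoot\System32\CertSrv\CertEnroll" "$CaName.crl"

# 1. Base CRL valid for 6 years (the two certutil lines from the answer).
certutil -setreg CA\CRLPeriodUnits 6
certutil -setreg CA\CRLPeriod 'Years'

# 2. Overlap (assumed 6 months): the CA signs the next CRL this long before
#    the current one expires, so relying parties never hit a gap while the
#    new file is being carried to the CDP.
certutil -setreg CA\CRLOverlapUnits 6
certutil -setreg CA\CRLOverlapPeriod 'Months'

# 3. Registry changes only take effect after the CA service restarts.
Restart-Service certsvc

# 4. Issue a fresh CRL immediately rather than waiting for the schedule.
certutil -CRL

# 5. Publish it to the online location (the online path here is assumed;
#    it may equally be removable media or the firewalled one-way channel).
Copy-Item -Path $CrlFile -Destination $CdpShare -Force

# 6. Verify the copy clients will actually fetch: NextUpdate must lie far
#    enough in the future to cover the period the root stays powered off.
$dump = certutil -dump (Join-Path $CdpShare "$CaName.crl")
$next = ($dump | Select-String 'Next ?Update').Line
if (-not $next) { throw "Could not read NextUpdate from published CRL" }
Write-Output "Published CRL: $next"
```

Re-run steps 4 to 6 on a calendar reminder set before the overlap window opens, since an offline root that is never powered on again is the usual way an otherwise healthy PKI ends up with an expired root CRL.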