Certificate Revocation with intermediate CAs – combine CRLs?

I use Nginx for client-side authentication. Only the SSL certificates from the User CA should have access to the application. The CA hierarchy:

Root CA     | Intermediate CA     | User CA 

So ssl_verify_depth (maximum verification depth) =3

Each CA has a CRL.

For Nginx I need one CRL document.

Do I need to combine the CRLs of Root CA, Intermediate CA and User CA?

Thank you very much. Unfortunately I couldn't find any related questions (and I apologize if this is a stupid beginner's question).

Should CRLs be published for a Standalone Offline Root CA?

I'm setting up a two-tier PKI hierarchy in our Windows Server 2012 R2 domain.

A number of tutorials suggest that the root CA should publish its CA certificate and CRL in Active Directory and via HTTP, but I’ve also seen a suggestion that neither should be published and the CRL should not be updated.

Which is right / best practice?

The commands I was going to use on the Standalone Offline Root CA were:

REM CRL distribution points: local file, LDAP (CDP container) and HTTP
certutil -setreg CA\CRLPublicationURLs "1:C:\Windows\system32\CertSrv\CertEnroll\%3%8%9.crl\n10:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10\n2:http://pki.matty.local/CertEnroll/%3%8%9.crl"
REM CA certificate (AIA) locations: local file, LDAP (AIA container) and HTTP
certutil -setreg CA\CACertPublicationURLs "1:C:\Windows\system32\CertSrv\CertEnroll\%1_%3%4.crt\n2:ldap:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,%6%11\n2:http://pki.matty.local/CertEnroll/%1_%3%4.crt"
REM Validity of certificates issued by this CA: 10 years
certutil -setreg CA\ValidityPeriodUnits 10
certutil -setreg CA\ValidityPeriod "Years"
REM Base CRL every 52 weeks with a 12-hour overlap, no delta CRLs
certutil -setreg CA\CRLPeriodUnits 52
certutil -setreg CA\CRLPeriod "Weeks"
certutil -setreg CA\CRLOverlapPeriodUnits 12
certutil -setreg CA\CRLOverlapPeriod "Hours"
certutil -setreg CA\CRLDeltaPeriodUnits 0
certutil -setreg CA\CRLDeltaPeriod "Days"
REM Audit all CA event categories
certutil -setreg CA\AuditFilter 127

But now I’m wondering if I should omit the CRL bits so that I don’t have to manually publish and copy the CA certificate and CRL into LDAP and the HTTP location.

The commands I'd run would therefore be simply:

certutil -setreg CA\CRLPublicationURLs "1:C:\Windows\system32\CertSrv\CertEnroll\%3%8%9.crl\n10:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10\n2:http://pki.matty.local/CertEnroll/%3%8%9.crl"
certutil -setreg CA\CACertPublicationURLs "1:C:\Windows\system32\CertSrv\CertEnroll\%1_%3%4.crt\n2:ldap:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,%6%11\n2:http://pki.matty.local/CertEnroll/%1_%3%4.crt"
certutil -setreg CA\ValidityPeriodUnits 10
certutil -setreg CA\ValidityPeriod "Years"
certutil -setreg CA\CRLDeltaPeriodUnits 0
certutil -setreg CA\CRLDeltaPeriod "Days"
certutil -setreg CA\AuditFilter 127

Or maybe (if it’s possible/recommended to disable the CRL):

certutil -setreg CA\ValidityPeriodUnits 10
certutil -setreg CA\ValidityPeriod "Years"
certutil -setreg CA\CRLDeltaPeriodUnits 0
certutil -setreg CA\CRLDeltaPeriod "Days"
certutil -setreg CA\AuditFilter 127

Which would mean I’d literally just be starting the Root CA up to authorise a new Issuing CA and nothing else.

How have you done yours and what would you do if you were setting it up from scratch again now?
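Both questions above come down to the same mechanics of full-chain revocation checking, so here is one added example (editor's example, not code from either poster) that demonstrates them with OpenSSL. It builds a throw-away Root CA -> Intermediate CA -> User CA chain, issues one client certificate, publishes a CRL from each CA, and then verifies the client certificate with `openssl verify -crl_check_all`, which is the check nginx performs once `ssl_crl` is set: a valid CRL must be available for every CA in the chain, which is why the first poster's single `ssl_crl` file has to be the three CRLs concatenated in PEM form. The same run shows the second poster's concern from the relying party's side: the root's CRL is generated once with a short lifetime, as an offline root's would be, and once it passes its nextUpdate the whole chain fails revocation checking, so an offline root must publish a CRL and have it renewed before it expires. The AD CS publishing steps themselves (certutil on the Windows side) are not shown. Directory names, CNs, key type and the validity periods (365-day certificates, 30-day root CRL, 365-day subordinate CRLs) are assumptions for the demo.

```shell
#!/bin/sh
# Editor's example, not from either post. Builds Root -> Intermediate -> User CA,
# issues a client certificate, publishes one CRL per CA and verifies the client
# certificate the way nginx does with ssl_crl set (OpenSSL CRL_CHECK_ALL).
# Directory names, CNs and validity periods are assumptions for the demo.
set -eu
WORK=$(mktemp -d)
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"

# ca_init NAME: the files `openssl ca` needs to revoke certificates and sign CRLs.
ca_init() {
  d="$WORK/$1"; mkdir -p "$d"
  : > "$d/index.txt"; echo 'unique_subject = no' > "$d/index.txt.attr"
  echo 1000 > "$d/crlnumber"; echo 01 > "$d/serial"
  cat > "$d/ca.cnf" <<EOF
[ ca ]
default_ca = local
[ local ]
database = $d/index.txt
new_certs_dir = $d
certificate = $d/ca.crt
private_key = $d/ca.key
serial = $d/serial
crlnumber = $d/crlnumber
default_md = sha256
default_crl_days = 30
EOF
}

# mk_csr PREFIX CN: fresh P-256 key and CSR, without config-dependent extensions.
mk_csr() {
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$1.key" -out "$1.csr" -subj "/CN=$2" 2>/dev/null
}

# issue_ca CHILD PARENT: one-year CA certificate for CHILD, signed by PARENT.
issue_ca() {
  mk_csr "$WORK/$1/ca" "$1"
  openssl x509 -req -days 365 -in "$WORK/$1/ca.csr" -CA "$WORK/$2/ca.crt" \
    -CAkey "$WORK/$2/ca.key" -CAcreateserial -extfile "$WORK/ca.ext" \
    -out "$WORK/$1/ca.crt" 2>/dev/null
}

# gen_crl NAME DAYS: (re)publish NAME's CRL, valid for DAYS from now.
gen_crl() {
  openssl ca -config "$WORK/$1/ca.cnf" -gencrl -crldays "$2" \
    -out "$WORK/$1/crl.pem" 2>/dev/null
}

# combine_crls OUT NAME...: the single PEM file that nginx's ssl_crl points at.
combine_crls() {
  out=$1; shift; : > "$out"
  for ca in "$@"; do cat "$WORK/$ca/crl.pem" >> "$out"; done
}

# verify_at CRLFILE EPOCH: full-chain revocation check of client.crt as of EPOCH.
verify_at() {
  openssl verify -CAfile "$WORK/root/ca.crt" -untrusted "$WORK/intermediates.pem" \
    -crl_check_all -CRLfile "$1" -attime "$2" "$WORK/client.crt" >/dev/null 2>&1
}
verify_now() { verify_at "$1" "$(date +%s)"; }

for ca in root inter userca; do ca_init "$ca"; done
mk_csr "$WORK/root/ca" root
openssl x509 -req -days 365 -in "$WORK/root/ca.csr" -signkey "$WORK/root/ca.key" \
  -extfile "$WORK/ca.ext" -out "$WORK/root/ca.crt" 2>/dev/null
issue_ca inter root
issue_ca userca inter
cat "$WORK/inter/ca.crt" "$WORK/userca/ca.crt" > "$WORK/intermediates.pem"

# One client certificate issued by the User CA.
mk_csr "$WORK/client" client
openssl x509 -req -days 365 -in "$WORK/client.csr" -CA "$WORK/userca/ca.crt" \
  -CAkey "$WORK/userca/ca.key" -CAcreateserial -out "$WORK/client.crt" 2>/dev/null

# The offline root signs a 30-day CRL once; the online CAs republish theirs regularly.
gen_crl root 30; gen_crl inter 365; gen_crl userca 365
combine_crls "$WORK/combined.crl" root inter userca

verify_now "$WORK/userca/crl.pem" && echo "User CA CRL only: accepted" \
  || echo "User CA CRL only: rejected (no CRL for Intermediate CA and Root CA)"
verify_now "$WORK/combined.crl" && echo "All three CRLs combined: accepted"

# 40 days on, the root CRL is past nextUpdate and the whole chain is rejected.
LATER=$(( $(date +%s) + 40 * 86400 ))
verify_at "$WORK/combined.crl" "$LATER" || echo "40 days on, root CRL expired: rejected"

# Revoke the client certificate at the User CA, republish its CRL, rebuild the file.
openssl ca -config "$WORK/userca/ca.cnf" -revoke "$WORK/client.crt" 2>/dev/null
gen_crl userca 365
combine_crls "$WORK/combined-revoked.crl" root inter userca
verify_now "$WORK/combined-revoked.crl" || echo "After revocation: rejected"
```

In an nginx deployment the file written by `combine_crls` is what `ssl_crl` references, with `ssl_client_certificate` holding the CA chain and `ssl_verify_depth 3` as in the first question; nginx reads the CRL file when the configuration is loaded, so it has to be rebuilt and nginx reloaded each time any of the three CAs publishes a new CRL, and the rebuild has to happen before the shortest-lived of them (typically the offline root's) reaches its nextUpdate.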