Creating a HTTP Certificate Revocation List Distribution Point for Your Internal Certification Authority – Part 2

Previous part:

Creating a HTTP Certificate Revocation List Distribution Point for Your Internal Certification Authority – Part 1


Now we need to create a DNS record for our new HTTP CDP.

Log in to your domain controller, go to Server Manager, Tools and DNS Manager:

Right-click your zone under Forward Lookup Zones and choose New Host (A or AAAA).

Use crl as the name and the IP address of the certification authority, so that all requests to http://crl.yourdomain.com go to your CA.

Now you can close DNS Manager and go back to your CA server.

Log in to your CA, go to Server Manager, Tools and Internet Information Services (IIS) Manager.

Right-click Default Web Site and pick Add Virtual Directory.

Type CRLD as the Alias, click the … (browse) button, go to the C:\ drive and create the folder CRLDist. Confirm Add Virtual Directory by clicking OK.

Click the newly created virtual directory CRLD and choose Directory Browsing.

Enable the feature from the Actions pane on the right.

Go back and open Configuration Editor (at the bottom).

Go to system.webServer/security/requestFiltering, change allowDoubleEscaping from False to True and hit Apply.

You can now close IIS manager.

Go to This PC, open the C:\ drive and open the properties of the CRLDist folder. Click Advanced Sharing, check Share this folder, use CRLDist$ as the share name and click Permissions.

On the Permissions tab, click Add (in Object Types, check Computers), add your CA computer account and grant it Full Control.

Go back to the Security tab and grant the CA server computer account Full Control there as well. Confirm with OK.

Now go back to the Certification Authority console, right-click Revoked Certificates, then All Tasks, Publish.

Choose New CRL and hit OK.

Now go to your CRLDist folder and you should see the published .crl files.

To test the HTTP CDP, open Internet Explorer and type the following URL:

http://crl.<yourdomainname>.com/crld/<filename>.crl

If everything is configured properly, you should be able to download your CRL.
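The Part 2 steps above (DNS record, IIS virtual directory, share and permissions, CRL publication and the download test) as one PowerShell script. This is an added example and not code from the original post; the domain, the CA's IP address, the CA computer account and the CA name are assumptions to replace with your own. Serving the CRL over plain HTTP rather than HTTPS is intentional: a client validating the web server's TLS certificate would need to fetch a CRL to do so.

```powershell
# Added example, not part of the original post: the Part 2 steps as PowerShell.
# Assumed values (replace with your own): domain yourdomain.com, CA server CA01
# at 10.0.0.5, CA computer account YOURDOMAIN\CA01$, CA name YourDomain-CA01-CA.
# Step 1 runs on a DNS server / domain controller; the rest runs elevated on the CA.

$Domain    = 'yourdomain.com'       # assumption
$CaIp      = '10.0.0.5'             # assumption: IP address of the CA server
$CaAccount = 'YOURDOMAIN\CA01$'     # assumption: CA computer account (note the $)
$CaName    = 'YourDomain-CA01-CA'   # assumption: the CA's common name (<CaName>)
$CrlFolder = 'C:\CRLDist'
$CrlHost   = "crl.$Domain"

# 1. DNS host record: crl.yourdomain.com -> the CA's IP address
Import-Module DnsServer
Add-DnsServerResourceRecordA -ZoneName $Domain -Name 'crl' -IPv4Address $CaIp

# 2. IIS: virtual directory CRLD under Default Web Site, pointing at C:\CRLDist,
#    with directory browsing enabled
Import-Module WebAdministration
New-Item -Path $CrlFolder -ItemType Directory -Force | Out-Null
New-WebVirtualDirectory -Site 'Default Web Site' -Name 'CRLD' -PhysicalPath $CrlFolder | Out-Null
$Vdir = 'IIS:\Sites\Default Web Site\CRLD'
Set-WebConfigurationProperty -PSPath $Vdir -Filter 'system.webServer/directoryBrowse' `
    -Name 'enabled' -Value $true

# Delta CRL file names end in "+.crl". IIS request filtering rejects the "+" as a
# double-escaped sequence unless allowDoubleEscaping is on, so enable it, scoped to
# the CRLD directory only (not the whole site), as the walkthrough does.
Set-WebConfigurationProperty -PSPath $Vdir -Filter 'system.webServer/security/requestFiltering' `
    -Name 'allowDoubleEscaping' -Value $true

# 3. Share CRLDist$ and NTFS permissions: Full Control for the CA computer account,
#    which is the identity certsvc uses when it writes the CRL files
New-SmbShare -Name 'CRLDist$' -Path $CrlFolder -FullAccess $CaAccount | Out-Null
icacls $CrlFolder /grant "$($CaAccount):(OI)(CI)F" | Out-Null

# 4. Publish a new CRL (same as Revoked Certificates > All Tasks > Publish > New CRL)
certutil -crl | Out-Null

# 5. Test: download the base CRL and the delta CRL over HTTP and dump each one.
#    The delta ("+") download is the one that fails if allowDoubleEscaping is off.
#    If the CA key has been renewed, the base name carries a suffix such as "(1)".
foreach ($Suffix in @('', '+')) {
    $Url  = "http://$CrlHost/crld/$CaName$Suffix.crl"
    $File = Join-Path $env:TEMP "downloaded$Suffix.crl"
    Invoke-WebRequest -Uri $Url -OutFile $File -UseBasicParsing
    Write-Host "Fetched $Url"
    certutil -dump $File | Select-String -Pattern 'Issuer|ThisUpdate|NextUpdate'
}
```

The final loop is the check worth keeping around: the delta CRL request is the one that returns HTTP 404 from request filtering when allowDoubleEscaping is still False, and the NextUpdate value in the dump tells you whether the file the web server hands out is actually the freshly published one.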

Creating a HTTP Certificate Revocation List Distribution Point for Your Internal Certification Authority – Part 1

In this article I will walk you through the process of setting up a certification authority (CA) to publish a certificate revocation list (CRL) distribution point over HTTP.

Prerequisites:

A Windows Server with Active Directory Certificate Services installed and configured.

Configure the CDP settings on the CA

  • In Server Manager, go to Tools and open Certification Authority, right-click the CA name and click Properties. On the Extensions tab, click Add.
  • In Location, type http://crl.<the domainname>/crld/ For example: http://crl.yourdomainname.com/crld/
  • In Variable name, click <CaName>, click Insert; click <CRLNameSuffix>, click Insert; click <DeltaCRLAllowed>, click Insert.
  • In Location, type .crl at the end of the Location string and then click OK.
  • Select Include in CRLs. Clients use this to find Delta CRL locations and Include in the CDP extension of issued certificates, then click Apply.
  • Click No in the dialog box asking you to restart ADCS.

Configure the file share:

Click Add.

In Location, define the file server and share name. I am using a shared folder on the local server, so: C:\crldist

In Variable name, click <CaName>, click Insert; click <CRLNameSuffix>, click Insert; click <DeltaCRLAllowed>, click Insert.

In Location, type .crl at the end of the Location string and then click OK.

Select Publish CRLs to this location and Publish Delta CRLs to this location, then click Apply. Click Yes in the dialog box asking you to restart the CA.

I have also deleted all other CDP points, as my infrastructure will use HTTP access as my only CDP point.

Now you can close the CA console.
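The same CDP configuration done with the ADCSAdministration module instead of the Properties dialog, as an added example that is not part of the original post. It assumes the DNS name crl.yourdomain.com and the share path C:\CRLDist used elsewhere in this walkthrough; the two Add-CACrlDistributionPoint calls map one-to-one onto the check boxes ticked above, and the removal step reproduces the author's choice of dropping every other location.

```powershell
# Added example, not part of the original post: the Part 1 CDP settings applied
# with the ADCSAdministration module, run in an elevated prompt on the CA itself.
# Assumed values (replace with your own): the DNS name crl.yourdomain.com and the
# share path C:\CRLDist used elsewhere in the walkthrough.
Import-Module ADCSAdministration

# <CaName>, <CRLNameSuffix> and <DeltaCRLAllowed> are the same tokens inserted
# from the Variable name list in the GUI; the CA expands them at publish time.
$HttpUri = 'http://crl.yourdomain.com/crld/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl'  # assumption
$FileUri = 'C:\CRLDist\<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl'                     # assumption

# HTTP location = the two boxes ticked in the GUI:
#   "Include in CRLs. Clients use this to find Delta CRL locations" (-AddToFreshestCrl)
#   "Include in the CDP extension of issued certificates"           (-AddToCertificateCdp)
Add-CACrlDistributionPoint -Uri $HttpUri -AddToFreshestCrl -AddToCertificateCdp -Force

# File location = "Publish CRLs to this location" and "Publish Delta CRLs to this location"
Add-CACrlDistributionPoint -Uri $FileUri -PublishToServer -PublishDeltaToServer -Force

# Optional, as the post does: remove every other CDP location (LDAP, CertEnroll, ...).
# Caveat: certificates already issued keep the CDP URLs they were issued with, so
# only stop publishing to a location once no live certificate still points at it.
Get-CACrlDistributionPoint |
    Where-Object { $_.Uri -notlike 'http://crl.yourdomain.com/*' -and $_.Uri -notlike 'C:\CRLDist\*' } |
    ForEach-Object { Remove-CACrlDistributionPoint -Uri $_.Uri -Force }

# One restart covers both "restart the CA" prompts from the GUI, then publish a CRL
Restart-Service certsvc
certutil -crl | Out-Null

# Check: each remaining location with the flags now set on it
Get-CACrlDistributionPoint |
    Format-Table Uri, PublishToServer, PublishDeltaToServer, AddToCertificateCdp, AddToFreshestCrl -AutoSize

# Check: a freshly published CRL file exists in the folder the share exposes
Get-ChildItem 'C:\CRLDist\*.crl' | Select-Object Name, LastWriteTime
```

Keep at least one location with PublishToServer set, otherwise certutil -crl has nowhere to write the file that the HTTP location later serves; in this walkthrough that is the C:\CRLDist entry.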

Next part:

Creating a HTTP Certificate Revocation List Distribution Point for Your Internal Certification Authority – Part 2