Creating a HTTP Certificate Revocation List Distribution Point for Your Internal Certification Authority – Part 2

Previous part:

Creating a HTTP Certificate Revocation List Distribution Point for Your Internal Certification Authority – Part 1

 

Now we need to create a DNS record for our new HTTP CDP.

Log in to your Domain Controller, go to Server Manager, Tools and DNS Management.

Right-click on your Forward Lookup Zones and choose New Host (A or AAAA).

Use crl as the name and the Certificate Authority's IP address as the address, so that all requests to http://crl.yourdomain.com go to your CA.

Now you can close DNS management and go back to your CA server.

Log in to your CA, go to Server Manager, Tools and Internet Information Services (IIS) Manager.

Right-click on Default Web Site and pick Add Virtual Directory.

Type CRLD as the Alias, then click on …, go to the C:\ drive and create a folder named CRLDist. Confirm Add Virtual Directory by clicking OK.

Click on the newly created Virtual Directory CRLD and choose Directory Browsing.

Enable the feature via Actions on the right side.

Go back and open Configuration Editor (at the bottom)

 

 

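Go to system.webServer/security/requestFiltering, change allowDoubleEscaping from False to True and hit Apply. This is needed because delta CRL file names contain a + character, which IIS request filtering rejects by default.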

You can now close IIS manager.

Go to This PC, C:\ drive and open the properties of the CRLDist folder. Click on Advanced Sharing, check Share this folder, use CRLDist$ as the Share name and click on Permissions.

In the Permissions tab, click Add (in Object types, check Computers), add your CA computer account and grant it Full control.

Go back to the Security tab and grant the CA server computer account Full control. Confirm with OK.

Now go back to the Certificate Authority console, right-click on Revoked Certificates, then choose All Tasks, Publish.

Choose New CRL and hit OK.

Now go to your CRLDist folder and you should see the following:

 

To test the HTTP CDP, open Internet Explorer and type the following URL:

http://crl.<yourdomainname>.com/crld/<filename>.crl

You should be able to download your CRL if everything is configured properly.
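The steps in this part, scripted in PowerShell as an added example (not from the original post). The zone name, CA IP address and CA computer account are placeholder assumptions; the DNS command runs on the domain controller and everything else on the CA server.

```powershell
# Scripted equivalent of the GUI steps above (added example).
# Placeholder values below are assumptions; replace them with your own.
$Zone      = 'yourdomain.com'      # placeholder DNS zone
$CaIp      = '192.0.2.10'          # placeholder CA IP address (documentation range)
$CaAccount = 'YOURDOMAIN\CA01$'    # placeholder CA computer account
$Folder    = 'C:\CRLDist'
$Site      = 'Default Web Site'
$VDir      = 'CRLD'

# --- On the domain controller (DnsServer module): crl.<zone> -> CA ---
Add-DnsServerResourceRecordA -ZoneName $Zone -Name 'crl' -IPv4Address $CaIp

# --- On the CA server (WebAdministration and SmbShare modules) ---
Import-Module WebAdministration
New-Item -Path $Folder -ItemType Directory -Force | Out-Null
New-WebVirtualDirectory -Site $Site -Name $VDir -PhysicalPath $Folder

$PsPath = "IIS:\Sites\$Site\$VDir"
# Directory Browsing: enabled on the virtual directory
Set-WebConfigurationProperty -PSPath $PsPath -Filter 'system.webServer/directoryBrowse' -Name 'enabled' -Value $true
# Request filtering: allowDoubleEscaping = True on the virtual directory
Set-WebConfigurationProperty -PSPath $PsPath -Filter 'system.webServer/security/requestFiltering' -Name 'allowDoubleEscaping' -Value $true

# Hidden share plus NTFS permissions for the CA computer account
New-SmbShare -Name 'CRLDist$' -Path $Folder -FullAccess $CaAccount
icacls $Folder /grant "${CaAccount}:(OI)(CI)F"

# Publish a new CRL (same as Revoked Certificates > All Tasks > Publish)
certutil -crl

# Test: download the first published CRL over HTTP and dump it
$Crl = Get-ChildItem -Path $Folder -Filter '*.crl' | Select-Object -First 1
$Url = "http://crl.$Zone/crld/$($Crl.Name)"
$Out = Join-Path $env:TEMP $Crl.Name
Invoke-WebRequest -Uri $Url -OutFile $Out -UseBasicParsing
certutil -dump $Out    # check the issuer, ThisUpdate and NextUpdate fields
```

A NextUpdate value in the past in the dump output means clients will treat the CRL as expired even though the download succeeds.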
