AD CS - Publishing a new CDP
Hi, I have a single Enterprise CA (2K8 R2) used in my organisation. I am now securing servers in my DMZ with certificates issued from this CA. I am getting errors on these DMZ servers because they can not access the CRL. Checking the CA's configuration, only the default CDPs are set (publish to LDAP and the local computer C:\Windows\system32\Certsrv\CertEnroll). What is the best way to publish the CRL so servers in my DMZ can access it?

Thanks
Christoph
October 9th, 2011 2:25am

You can publish the CRL to a web URL, making it available to your DMZ. The new web URL needs to be reachable from the DMZ, and the CRL file needs to be published/copied to that location with some automation.

To add a new web URL to the CDP extension on your current enterprise CA:

    certutil -setreg CA\CRLPublicationURLs +"6:http://some.url/%3%8%9.crl"

The above command will add the new URL and configure it to be included in all new certs, as well as including it in the CRL for Delta CRL referencing. If you are not using Delta CRLs on your enterprise CA, use the following version of the same command:

    certutil -setreg CA\CRLPublicationURLs +"2:http://some.url/%3%8%9.crl"

If you can publish the CRL to the web server using a UNC path, you can then configure your enterprise CA to do that as well using the following command:

    certutil -setreg CA\CRLPublicationURLs +"65:\\servername.domain\%3%8%9.crl"

/Hasain
October 9th, 2011 3:07am

I followed your instructions and was successfully able to publish the CRL to a network folder that is also published with IIS and is reachable from the DMZ. I have verified this by browsing the URL from a server in the DMZ and successfully opening the CRL. But I am still getting errors that the CRL could not be found by the Lync server which is using one of these certificates. Could it be that I still have the LDAP CRL publishing location enabled for my LAN clients and this shows up before the HTTP URL?

Thanks
Christoph
October 12th, 2011 10:21pm

You need to reissue the certificates to include the new CRL location!

/Hasain
October 12th, 2011 11:43pm

I've reissued the certificates and I can see the CRL location in the certificate properties, but it still errors.

Thanks
Christoph
October 12th, 2011 11:47pm

Try to clear the CRL cache on the server using the command below and restart the service:

    certutil -urlcache * delete

/Hasain
October 13th, 2011 12:03am
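The steps from the replies above (adding the HTTP CDP and UNC publishing entries, restarting the CA, republishing, then clearing the client cache and re-fetching), collected into one script as an added example; it is not code from the thread, and the host names, share path and certificate file name are placeholders.

```powershell
# Added example (not from the thread): apply the CDP changes described above on the
# enterprise CA and verify the result. Run on the CA as a CA administrator.
$HttpCdp = 'http://crl.example.com/%3%8%9.crl'            # placeholder: URL reachable from the DMZ
$UncPub  = '\\webserver.example.com\CRLShare\%3%8%9.crl'  # placeholder: share behind the IIS site
$UseDeltaCrl = $true

# Flag bits of CA\CRLPublicationURLs used in the thread:
#   1 = publish the CRL to this location,   2 = include in the CDP extension of issued certs,
#   4 = include in issued CRLs (delta CRL referencing), 64 = publish the delta CRL here.
$cdpFlags = if ($UseDeltaCrl) { 6 } else { 2 }   # 6 = 2+4, 2 = certs only, as Hasain shows
$pubFlags = 65                                   # 64+1: publish base and delta CRL to the share

# Read the current value first so the script can be re-run without adding duplicates.
$current = (& certutil -getreg 'CA\CRLPublicationURLs') -join "`n"

if ($current -notlike "*$HttpCdp*") {
    & certutil -setreg 'CA\CRLPublicationURLs' "+${cdpFlags}:$HttpCdp"
}
if ($current -notlike "*$UncPub*") {
    & certutil -setreg 'CA\CRLPublicationURLs' "+${pubFlags}:$UncPub"
}

# The registry change is only picked up after the CA service restarts.
Restart-Service CertSvc

# Publish a fresh base (and delta) CRL to every location flagged 1 / 64.
& certutil -crl

# Verification, to be run on the DMZ server after the certificate has been re-issued
# (the old certificate still carries only the LDAP CDP, so it must be replaced first):
#   certutil -urlcache * delete                      # drop cached CRL/AIA copies, as in the last reply
#   certutil -verify -urlfetch C:\temp\reissued.cer  # placeholder path; shows each CDP URL and whether it was retrieved
```

The `-urlfetch` output lists every CDP URL in the certificate in order; an LDAP entry listed before the HTTP one is expected to fail from the DMZ, and the chain check still succeeds as long as one listed URL returns the CRL.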
