HTTP CDP - Best Practice
I'm looking into designing a WS08 R2 HTTP CDP for external and internal users. Anyone have any good references on doing so? Some items I'm looking for:
- Can/should this role be on Server Core?
- Can/should it be a clustered web server or have load balancing in front of it (we are a large company)?
Any other good tips, please let me know.
October 15th, 2009 6:18pm

Hi,

I see no reason why CDP could not be on Server Core, so go ahead :). Availability is important when designing CDP. If CDP is not reachable users cannot verify certificates and you'll have a bunch of problems. So to use a load balanced web server farm is a good idea. Also consider several other important things:
1) Plan the CDP name carefully; after you issue certificates, the only way to change the CDP name is to reissue the certificates again.
2) Consider using an alias like cdp.company.com; when you move your CDP you won't have any troubles with existing certificates.
3) CDP must be reachable from inside the company as well as from outside; if you use a URL like cdp.company.com make sure you can access it from inside and outside.
4) If you have multiple CDPs, remember that clients will check them in the order you have specified. If the first CDP is not reachable, clients will experience timeouts during verification of certificates.
5) If you cannot use a clustered web server for a CDP, then consider adding an alternate CDP for availability purposes.
If the PKI is mostly for internal use I would suggest LDAP CDP, but this really depends on what kind of users / devices are accessing the CDP and whether they can handle LDAP CDP.

Best regards
Martin Rublik
October 16th, 2009 9:32am

Hi,

Thanks for your post. Please check the answer below:
1) From a security point of view, it is ideal that you install the role on Server Core.
2) Considering the redundancy, it is suggested to provide fault tolerance by having either a virtual server name that points to several physical Web servers (round-robin DNS) or a clustered Web server.
For more tips, you can refer to the “CRL Best Practices” section of the following article:
Creating Certificate Policies and Certificate Practice Statements
http://technet.microsoft.com/en-us/library/cc780454(WS.10).aspx

Hope it helps.

Joson Zhou
TechNet Subscriber Support in forum
If you have any feedback on our support, please contact tngfb @ microsoft.com
This posting is provided "AS IS" with no warranties, and confers no rights.
October 16th, 2009 10:34am

Thanks to both of you, Martin and Joson. This is great feedback I was looking for.

If you don't mind, a couple of follow-up questions...
- The majority of users will be internal (80-90%, in company AD); however, external does need to be present and even internal users will be using external capabilities of the HTTP CDP (use of cloud computing services, home users, VPN-less connectivity, etc.). So, if I use an LDAP CDP as my first in the list and the HTTP CDP as my second in the list, is this problematic? I see Martin noted "timeouts". Is it best practice to really only have one CDP in the list to avoid "timeouts"? If so, then is recommending an HTTP CDP only for both internal and external usage the way to go?
- We plan on using HSMs. Does an HTTP CDP (no other PKI roles installed) need to communicate directly with the HSM or does it only interact with the CAs, which in turn communicate with the HSMs?
- I've seen some information that notes that because your HTTP CDP will be in a DMZ, the server should be in a workgroup and not in the internal domain. However, the downside of this is having to manually copy CRL information. Is this the case? If so, any considerations on how to best approach it or gotchas in the "design" approach?
- I've seen that using LDAP CRLs can have a size impact on AD, but no examples. What would be the typical size and how much would that add to AD? 5MB or 500MB? We are a large company, so we'll be handling hundreds of thousands of certs. I assume the size only grows over time as more certs are revoked.
- I've seen that using an LDAP CDP also notes to not use the actual internal names as a best practice, but I'm not exactly sure what is recommended on how to accomplish this???
- Can/should WS08 R2 Enterprise Web Edition, Server Core be used for an HTTP CDP? It doesn't look like Web Edition supports any PKI "roles" per se, but isn't the HTTP CDP just a simple web site and not really a "role"?

The end goal is to make good "design" decisions BEFORE we implement it.
Thanks again for your valuable feedback!
October 16th, 2009 3:16pm

I'd like to know the answer to most of your questions too. Never figured out if HTTP or LDAP should be first in an 80% int / 20% ext or similar scenario. There is a timeout but dunno how that affects anything.

Answer to your HSM question. The HSM is for storing your CA's private signing keys and will only communicate with these CAs through the installed CSP (on the CAs).

Regarding CRL size. Each added revoked cert adds some bytes to the weight. You've got to have a shitload of revoked certs to get a significantly heavy CRL.
MS says: "The CRL increases by about 29 bytes for every certificate that is revoked, depending on the reasons that you specify for the revocation. You might want to use a new key to renew the CA every time it reaches 100-125 kilobytes (KB) in size, to minimize download times."
Time for some math. You'll have to have approx. 3,500 revoked certs in your CRL to reach 100KB.
Let's say your issuing CA has a lifetime of 10 years (half of the root CA's lifetime). Then it's good practice to renew the issuing CA's cert once every five years. If you revoke 2 certs per day for five years then you'll be fine, as the CRL will be 106KB and the planned cert renewal will partition the CRL.
If you foresee more frequent revocation then you should look at an alternative plan.
As mentioned, you can partition a CRL by renewing the issuing CA's cert (with new keys). Then you start with a fresh, empty CRL.
Another option is to skip revoking by CRL and just deactivate AD accounts instead. Much faster but doesn't always fit.
Or you can check out OCSP. Built in to 2008/Vista/7. With OCSP you ask for the status of one cert at a time and only get an answer on that specific cert. Lightweight.

The HTTP CDP/AIA are just URLs to a regular website. No role. You might be thinking of web enrollment, which is something different.

GL.
October 16th, 2009 3:58pm

Answers inline....

- The majority of users will be internal (80-90%, in company AD); however, external does need to be present and even internal users will be using external capabilities of the HTTP CDP (use of cloud computing services, home users, VPN-less connectivity, etc.). So, if I use an LDAP CDP as my first in the list and the HTTP CDP as my second in the list, is this problematic? I see Martin noted "timeouts". Is it best practice to really only have one CDP in the list to avoid "timeouts"? If so, then is recommending an HTTP CDP only for both internal and external usage the way to go?

The latest recommendation is to simplify the URLs and only have a single URL that points to a highly available location. So I would drop the LDAP URL entirely and only do an HTTP URL that is internally and externally available and highly available. The timeout that occurs would be 7.5 seconds (default value) on the first URL before the chaining engine moves to the second URL. If you implement delta CRLs, there would be a second 7.5 second delay on that one too.

- We plan on using HSMs. Does an HTTP CDP (no other PKI roles installed) need to communicate directly with the HSM or does it only interact with the CAs, which in turn communicate with the HSMs?

No direct interaction is required on the HSMs. You would either have UNCs in the CDP extensions tab (pointing to a share for publication) or would have a scheduled task that would copy using another protocol to the HTTP host server. The signing of the CRL would still take place at the CA, only requiring an HSM at the CA.

- I've seen some information that notes that because your HTTP CDP will be in a DMZ, the server should be in a workgroup and not in the internal domain. However, the downside of this is having to manually copy CRL information. Is this the case? If so, any considerations on how to best approach it or gotchas in the "design" approach?

There is no requirement to place the server in the DMZ. HTTP is easily published through firewalls to internal servers if desired. You do not have to do a manual CRL copy; a scheduled task can be used to first publish the CRL (certutil -crl) and then any transfer protocol can be used. We have published to Linux, SunOS, and other Unix variant HTTP servers at customers.

- I've seen that using LDAP CRLs can have a size impact on AD, but no examples. What would be the typical size and how much would that add to AD? 5MB or 500MB? We are a large company, so we'll be handling hundreds of thousands of certs. I assume the size only grows over time as more certs are revoked.

Not necessarily; the items on the CRL come off of the CRL one publication after their expiration (with the default settings). Again, I do not recommend using LDAP.

- I've seen that using an LDAP CDP also notes to not use the actual internal names as a best practice, but I'm not exactly sure what is recommended on how to accomplish this???

This means, use the default paths, which includes the default names.

REM Point the CA at the forest's Configuration container for LDAP publishing
certutil -setreg ca\DSConfigDN CN=Configuration,DC=ADROOT,DC=example,DC=com
REM Flags per location: 65 = publish base + delta here; 6 = put in issued certs' CDP and freshest-CRL extensions; 79 = publish here and include in all CDP/IDP extensions
certutil -setreg CA\CRLPublicationURLs "65:%WINDIR%\system32\CertSrv\CertEnroll\%%3%%8%%9.crl\n6:http://crl.example.com/PKI/%%3%%8%%9.crl\n79:LDAP:///CN=%%7%%8,CN=%%2,CN=CDP,CN=Public Key Services,CN=Services,%%6%%10"

This publishes the CRL to the local file system, and places two URLs, HTTP and LDAP, and includes both base and delta CRLs.

- Can/should WS08 R2 Enterprise Web Edition, Server Core be used for an HTTP CDP? It doesn't look like Web Edition supports any PKI "roles" per se, but isn't the HTTP CDP just a simple web site and not really a "role"?

That would be fine. The Web server is just a Web server. You need to make sure that you allow for double-escaping if you implement delta CRLs, as the Web server role disables this by default.

The end goal is to make good "design" decisions BEFORE we implement it.

Brian
October 16th, 2009 4:53pm
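The publish-then-copy flow Brian describes, written out as an added example (this is not code from the thread or from Microsoft): a PowerShell script meant to run as a scheduled task on the issuing CA. It signs a fresh CRL with certutil -crl, copies every .crl from CertEnroll to the web host, then fetches each file back through the public CDP URL and byte-compares it with the signed original. That last step is the cheap check for the points raised above: the URL answers from wherever the script runs, the web host serves the bytes the CA signed, and the delta CRL (whose name contains "+") is not being rejected by IIS request filtering. The share \\cdp01\crl$ and the URL http://crl.example.com/PKI/ are assumed names chosen to match the CRLPublicationURLs in the reply; substitute your own.

```powershell
# Added example, not from the thread: scheduled-task script for the issuing CA.
# Assumed names: CDP share \\cdp01\crl$ and URL http://crl.example.com/PKI/.
param(
    [string]$CertEnroll = "$env:windir\system32\CertSrv\CertEnroll",
    [string]$CdpShare   = '\\cdp01\crl$',
    [string]$CdpBaseUrl = 'http://crl.example.com/PKI/'
)

$ErrorActionPreference = 'Stop'

# 1. Sign a fresh base CRL (and delta CRL, if delta publishing is enabled on the
#    CA). The CA key, HSM-backed or not, is only ever touched here on the CA.
& certutil.exe -crl | Out-Null
if ($LASTEXITCODE -ne 0) { throw "certutil -crl failed, exit code $LASTEXITCODE" }

# 2. Copy each .crl to the web host. Write to a temp name and rename, so a client
#    downloading mid-copy never receives a truncated file.
$crls = @(Get-ChildItem -Path $CertEnroll -Filter '*.crl')
if ($crls.Count -eq 0) { throw "no .crl files found in $CertEnroll" }
foreach ($crl in $crls) {
    $tmp = Join-Path $CdpShare ($crl.Name + '.tmp')
    Copy-Item -Path $crl.FullName -Destination $tmp -Force
    Move-Item -Path $tmp -Destination (Join-Path $CdpShare $crl.Name) -Force
}

# 3. Fetch each CRL over HTTP the way a Windows client does (the "+" in a delta
#    CRL name is sent literally) and compare bytes with the signed file. With IIS
#    request filtering's allowDoubleEscaping still false, the delta fetch gets a
#    404 and lands in $failures. Bypass any HTTP cache so a stale CRL is noticed.
$web = New-Object System.Net.WebClient
$web.CachePolicy = New-Object System.Net.Cache.RequestCachePolicy(
    [System.Net.Cache.RequestCacheLevel]::NoCacheNoStore)
$failures = @()
foreach ($crl in $crls) {
    $url = $CdpBaseUrl + $crl.Name
    try {
        $remote = $web.DownloadData($url)
        $local  = [System.IO.File]::ReadAllBytes($crl.FullName)
        if ([Convert]::ToBase64String($remote) -ne [Convert]::ToBase64String($local)) {
            $failures += "$url does not match $($crl.FullName)"
        }
    }
    catch {
        $failures += "$url : $($_.Exception.Message)"
    }
}

if ($failures.Count -gt 0) {
    $failures | ForEach-Object { Write-Warning $_ }
    exit 1
}
Write-Output ("Published and verified {0} CRL file(s) at {1}" -f $crls.Count, $CdpBaseUrl)
```

Register it with schtasks under an account that holds the Manage CA permission and has write access to the share, and run it more often than the delta CRL period so the web host never serves an expired delta. Running the same script once from outside the corporate network exercises the external path Martin insists on. On the web host itself, the double-escaping fix Brian mentions is a one-liner after Import-Module WebAdministration: Set-WebConfigurationProperty -PSPath 'IIS:\' -Filter 'system.webServer/security/requestFiltering' -Name 'allowDoubleEscaping' -Value $true (or the equivalent appcmd set config call on Server Core).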

Thanks Brian (and all of you)!!! Excellent info.
If I use Clustering for the HTTP CDP web server, it does not look like I can use "Web Edition" as it does not support it: http://www.microsoft.com/windowsserver2008/en/us/r2-compare-specs.aspx
October 16th, 2009 8:27pm

Check into whether it supports Load Balancing Services. Clustering is not really recommended for Web services; LBS is the preferred method.

Brian
October 16th, 2009 10:36pm

Great info. Straightened out some question marks.
I like it that expired revoked certs are dropped from the CRL. That means that I'd need to exceed 3448 revoked certs annually to get over 100KB (if cert lifetime is max one year).
Also interesting with only one HTTP CDP/AIA. I've always thought that the AD would have been the preferred repository in an all-internal solution.
October 16th, 2009 11:13pm
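The CRL-size arithmetic from the earlier reply (29 bytes per revoked entry, renew the CA key somewhere around 100-125 KB) and the refinement in this one (an entry leaves the CRL once the certificate it names has expired) combined into one estimator, as an added example that is not part of the thread. The function caps the live window at the shorter of the longest certificate lifetime and the CA key renewal interval, then reports the peak CRL size and the revocation rate you could sustain under the threshold. The 600-byte allowance for the CRL header, extensions and signature is an assumption; the 100 KB mark is taken as 100,000 bytes to match the 3,448-entry figure used above.

```powershell
# Added example, not from the thread: CRL size estimator using the thread's
# figures. OverheadBytes (header + extensions + signature) is an assumption.
function Get-CrlSizeEstimate {
    param(
        [Parameter(Mandatory=$true)][double]$RevocationsPerDay,
        [Parameter(Mandatory=$true)][int]$MaxCertLifetimeDays,      # longest validity you issue
        [Parameter(Mandatory=$true)][int]$YearsBetweenCaKeyRenewals, # a new CA key starts an empty CRL
        [int]$BytesPerEntry  = 29,
        [int]$OverheadBytes  = 600,
        [int]$ThresholdBytes = 100000
    )
    $renewalDays = $YearsBetweenCaKeyRenewals * 365
    # A revoked entry stays on the CRL until its cert expires, so only the last
    # MaxCertLifetimeDays of revocations are live; the key renewal caps that too.
    $liveDays    = [Math]::Min($MaxCertLifetimeDays, $renewalDays)
    $peakEntries = [int][Math]::Ceiling($RevocationsPerDay * $liveDays)
    $peakBytes   = $OverheadBytes + ($peakEntries * $BytesPerEntry)
    $maxEntries  = [int][Math]::Floor(($ThresholdBytes - $OverheadBytes) / $BytesPerEntry)
    # Revocations per day you could sustain and still stay under the threshold.
    $sustainable = [Math]::Round($maxEntries / $liveDays, 2)

    New-Object PSObject -Property @{
        LiveWindowDays               = $liveDays
        PeakEntries                  = $peakEntries
        PeakKB                       = [Math]::Round($peakBytes / 1024, 1)
        EntriesUnderThreshold        = $maxEntries
        SustainableRevocationsPerDay = $sustainable
        ExceedsThreshold             = ($peakBytes -gt $ThresholdBytes)
    }
}

# The thread's scenario: 2 revocations a day, issuing CA key renewed every 5
# years. With 10-year certs nothing ages off inside the window and the CRL
# peaks near 106 KB; with 1-year certs the same rate settles around 21 KB.
Get-CrlSizeEstimate -RevocationsPerDay 2 -MaxCertLifetimeDays 3650 -YearsBetweenCaKeyRenewals 5
Get-CrlSizeEstimate -RevocationsPerDay 2 -MaxCertLifetimeDays 365  -YearsBetweenCaKeyRenewals 5
```

The first call lands just over the 100 KB mark, inside the 100-125 KB band Microsoft quotes, which is why the earlier reply calls that plan fine; the second shows that short certificate lifetimes, not only key renewal, keep the CRL small, sustaining roughly nine revocations a day under 100 KB. Run the function against your own longest template validity before settling on the CA renewal schedule, and compare the result with the actual length of the .crl files in CertEnroll once the CA is live.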

One note to the recommended SINGLE http URL. Windows 7 checks only the first entry of each type, so it's not just a recommendation, it is necessary.
o.
October 17th, 2009 12:38pm
