Question(s) while reading Komar's 2008 PKI book
I am trying very hard to understand CRL publication points. These questions are from the part of the "Windows Server 2008 PKI and Certificate Security" book starting on page 114 under the topic "Defining Publication Points". What I think has confused me is that you are not just defining "Publication" points on the EXTENSIONS tab, you are also defining "Distribution" points. So this seems to indicate that I should be defining "pairs" of entries: one which defines the publication point, and another entry defining the distribution point. Is this assumption correct?

From the example certutil command on page 116:

certutil -setreg CA\CRLPublicationURLs "1:%windir%\system32\CertSrv\CertEnroll\%%3%%8%%9.crl\n2:http://www.fabrikam.com/CertData/%%3%%8%%9.crl\n10:ldap:///cn=%%7%%8,cn=%%2,cn=CDP,cn=Public Key Services,cn=Services,%%6%%10"

The first part, referencing the path, is where the file will be put when I publish the CRL. The second part (the http URL) is included in the certificates issued and is where somebody goes to look up the validity of the cert. The 3rd part is what's throwing me. First, the explanation on page 117 states that "The value 2 designates the CRL's publication point in AD DS". But in the table on page 115, a value of 2 indicates to include the URL in all issued certificates. Shouldn't this be a 1, the value which indicates the location where the CRL should be published? The example further states "the value 8 is to include the CDP URL in all CA-issued certificates". Shouldn't this be a 2? Can you confirm that this is an example where a SINGLE entry is doing BOTH defining the publishing point AND the distribution point?

How does the CRL get from where you published it to where you distribute it? I understand in the case of an offline root CA you must manually transfer it; however, if my root CA is joined to AD, will publishing it to AD automatically make it available on the OCSP?

When I publish my CRL from my issuing CA, is it automatically available on the OCSP? When I set up the OCSP role, does that also make my CRLs available? Thanks for any help with this.
March 31st, 2012 7:14pm
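An added example, not from the post or Komar's book, that decodes the flag prefix and the %N tokens of each entry in the page 116 certutil string (flag names as certutil -getreg prints them, token names from the book's table on page 115); it makes visible that the LDAP entry's 10 is 2 + 8, two distribution-point bits with no publish bit.

```python
import re

# Flag bits of a CRLPublicationURLs entry, with the CSURL_* names that
# `certutil -getreg CA\CRLPublicationURLs` prints next to each entry.
CSURL_FLAGS = {
    1: "CSURL_SERVERPUBLISH",        # CA writes the CRL to this location on publish
    2: "CSURL_ADDTOCERTCDP",         # URL goes in the CDP extension of issued certs
    4: "CSURL_ADDTOFRESHESTCRL",     # URL goes in the Freshest CRL extension
    8: "CSURL_ADDTOCRLCDP",          # URL goes in the CDP extension of the CRL itself
    16: "CSURL_PUBLISHRETRY",        # retry publication if it fails
    64: "CSURL_SERVERPUBLISHDELTA",  # CA also writes delta CRLs here
    128: "CSURL_ADDTOIDP",           # URL goes in the Issuing Distribution Point ext
}

# %N replacement tokens (the certutil command line doubles them as %%N).
TOKENS = {"1": "ServerDNSName", "2": "ServerShortName", "3": "CaName",
          "4": "CertificateName", "6": "ConfigurationContainer",
          "7": "CATruncatedName", "8": "CRLNameSuffix", "9": "DeltaCRLAllowed",
          "10": "CDPObjectClass", "11": "CAObjectClass"}

def decode_entry(item):
    """Split one 'N:URL' entry into its flag names and the tokens the URL uses."""
    item = item.replace("%%", "%")          # undo command-line escaping
    flags_text, url = item.split(":", 1)    # only the first colon separates flags
    flags = int(flags_text)
    return {
        "flags": flags,
        "url": url,
        "names": [name for bit, name in CSURL_FLAGS.items() if flags & bit],
        "unknown_bits": flags & ~sum(CSURL_FLAGS),
        "publish_here": bool(flags & 1),    # a publication point
        "in_certs": bool(flags & 2),        # a distribution point for certificates
        "in_crls": bool(flags & 8),         # a distribution point for CRLs
        "tokens": [TOKENS.get(t, "?") for t in re.findall(r"%(1[01]|[1-9])", url)],
    }

def parse_crl_publication_urls(value):
    """Decode the whole '\\n'-separated value handed to certutil -setreg."""
    return [decode_entry(i) for i in value.split("\n") if i.strip()]

# The page 116 example, with certutil's literal \n separators as real newlines.
BOOK_EXAMPLE = "\n".join([
    r"1:%windir%\system32\CertSrv\CertEnroll\%%3%%8%%9.crl",
    r"2:http://www.fabrikam.com/CertData/%%3%%8%%9.crl",
    r"10:ldap:///cn=%%7%%8,cn=%%2,cn=CDP,cn=Public Key Services,cn=Services,%%6%%10",
])

if __name__ == "__main__":
    for e in parse_crl_publication_urls(BOOK_EXAMPLE):
        print(e["flags"], "+".join(e["names"]) or "none", e["url"])
```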

In the Extensions tab, all you need to define is CDP and AIA. What do you mean by publication points?
April 2nd, 2012 2:19pm
