IT Consultant Everyday Notes

Just some problems/solutions storage

How to publish Certificate Revocation List (CRL)

If you are using your own PKI it is important that the CRLs for the certificates you issue are reachable by their users, so that relying parties can check the Certificate Revocation List published by your CA. A client that cannot download the CRL cannot determine revocation status; Windows reports this as "The revocation function was unable to check revocation because the revocation server was offline", and applications that require a revocation check will reject the certificate.

Environment (this assumes mydomain.com is both the internal and the external FQDN of the domain; if you use different names you need to add an additional CRL location for the external name):

1. Certificate Authority (a single-tier CA, for simplicity): caserv.mydomain.com

2. Web server WEBSERV (IIS hosts the site http://crl.mydomain.com, published through the reverse proxy as crl.mydomain.com): webserv.mydomain.com

3. Windows Firewall on WEBSERV allows File and Printer Sharing (the CA writes CRL files to the share over SMB).

Configuration:

1. Configure the CA on CASERV with the following extension settings (right-click the CA, Properties, Extensions tab, extension "CRL Distribution Point (CDP)"):
– Add Location: http://crl.mydomain.com/crld/
– Insert the variables, in this order: <CaName>, <CRLNameSuffix>, <DeltaCRLAllowed>
– Append .crl, so the Location line reads http://crl.mydomain.com/crld/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl

– Select "Include in CRLs. Clients use this to find Delta CRL locations." and "Include in the CDP extension of issued certificates". Leave "Publish CRLs to this location" clear: the CA cannot write over HTTP, the files reach the web server through the file share configured below.
– When prompted, do not restart Certificate Services yet.

Note: if your internal and external domain names are different, use the external web server name here. This is the name that ends up in the CDP extension of every issued certificate, so it must resolve and be reachable for every client that validates them.

– Add Location: \\WEBSERV\crldist$\
– Insert the same variables: <CaName>, <CRLNameSuffix>, <DeltaCRLAllowed>
– Append .crl
– Select "Publish CRLs to this location" and "Publish Delta CRLs to this location". Leave both "Include in ..." options clear for this entry: external clients cannot reach a UNC path, so it must not appear in issued certificates or CRLs.

– Now restart Certificate Services (click Apply and answer Yes to the prompt). Only certificates issued after the restart carry the new CDP; certificates issued earlier keep the CDP they were issued with.
– Close the Certification Authority console.
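The same CDP configuration done from PowerShell, as an added example that is not part of the original post. It uses the ADCSAdministration module that ships with the CA role on Windows Server 2012 and later and must run in an elevated session on CASERV; the host names, share name and virtual directory alias are the ones assumed throughout this post.

```powershell
# Added example (not from the original post): configure the CA's CRL Distribution
# Points without the MMC. Assumed names: crl.mydomain.com, WEBSERV, share crldist$,
# virtual directory alias crld. Run elevated on CASERV.
Import-Module ADCSAdministration

$httpCdp = 'http://crl.mydomain.com/crld/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl'
$uncCdp  = '\\WEBSERV\crldist$\<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl'

# Show what is configured today; the CA's default entries (local CertEnroll folder,
# LDAP and http://<ServerDNSName>/CertEnroll/...) are still there and can stay.
Get-CACrlDistributionPoint |
    Format-Table Uri, PublishToServer, PublishDeltaToServer, AddToCertificateCdp, AddToFreshestCrl -AutoSize

# Make the script re-runnable: drop earlier copies of the two entries we manage.
Get-CACrlDistributionPoint | Where-Object { $_.Uri -in @($httpCdp, $uncCdp) } |
    ForEach-Object { Remove-CACrlDistributionPoint -Uri $_.Uri -Force }

# HTTP location: goes into the CDP extension of issued certificates and into the
# Freshest CRL extension of base CRLs (how clients find the delta CRL).
# No publish flag: the CA never writes over HTTP.
Add-CACrlDistributionPoint -Uri $httpCdp -AddToCertificateCdp -AddToFreshestCrl -Force

# UNC location: the CA writes base and delta CRLs here. No "Include" flags,
# because external clients cannot reach the share.
Add-CACrlDistributionPoint -Uri $uncCdp -PublishToServer -PublishDeltaToServer -Force

# Publication settings are read at service start, so restart the CA service.
Restart-Service CertSvc

# Confirm the result.
Get-CACrlDistributionPoint |
    Format-Table Uri, PublishToServer, PublishDeltaToServer, AddToCertificateCdp, AddToFreshestCrl -AutoSize
```

The flag parameters map one to one onto the checkboxes in the Extensions tab: AddToCertificateCdp is "Include in the CDP extension of issued certificates", AddToFreshestCrl is "Include in CRLs. Clients use this to find Delta CRL locations", and PublishToServer / PublishDeltaToServer are the two "Publish ... to this location" options.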

2. Create the CRL distribution point on WEBSERV by performing the following steps:
– Start Internet Information Services (IIS) Manager.
– In the console tree, browse to WEBSERV\Sites\Default Web Site, right-click Default Web Site, and then click Add Virtual Directory.
Alias: CRLD
Path: C:\CRLDist
– In the middle pane of the console, double-click Directory Browsing, and in the Actions pane click Enable. This is optional: it only lets you list the CRL files in a browser for troubleshooting. CRLs are public data, so the listing exposes nothing sensitive, but clients do not need it.
– In the console tree, click the CRLD folder.
– In the middle pane of the console, double-click the Configuration Editor icon.
– Click the down-arrow of the Section drop-down list and navigate to system.webServer/security/requestFiltering.
– In the middle pane of the console, double-click the allowDoubleEscaping entry to change the value from False to True. This is required for delta CRLs: their file name contains a plus sign (<CaName>+.crl), clients request it URL-encoded as %2B, and IIS request filtering rejects that as double escaping (HTTP 404) unless the setting is True.
– In the Actions pane, click Apply.

3. Share and secure the CRL distribution point by performing the following steps:

– Share C:\CRLDist as \\WEBSERV\CRLDIST$ (the trailing $ only hides the share from browsing; it is not a security control).
– Grant Full Control on the share and on the NTFS folder to the CA's machine account, MYDOMAIN\CASERV$. Change on the share and Modify on the folder are the minimum the CA needs to create and overwrite CRL files, if you prefer to grant less. The identity IIS uses to serve the site needs Read on the folder.
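Steps 2 and 3 scripted, as an added example that is not part of the original post. It assumes an elevated session on WEBSERV, the WebAdministration module that installs with IIS and the SmbShare module available on Windows Server 2012 and later; C:\CRLDist, the CRLD alias, the CRLDIST$ share and the MYDOMAIN\CASERV$ account are the names assumed in this post. It grants the CA account the Change/Modify minimum rather than the Full Control used in the steps above.

```powershell
# Added example (not from the original post): create the CRL distribution point
# on WEBSERV. Assumed names: C:\CRLDist, alias CRLD under Default Web Site,
# share CRLDIST$, CA machine account MYDOMAIN\CASERV$. Run elevated on WEBSERV.
Import-Module WebAdministration
Import-Module SmbShare

$path   = 'C:\CRLDist'
$site   = 'Default Web Site'
$alias  = 'CRLD'
$caAcct = 'MYDOMAIN\CASERV$'

New-Item -ItemType Directory -Path $path -Force | Out-Null

# Virtual directory /CRLD -> C:\CRLDist (skip if it already exists).
if (-not (Get-WebVirtualDirectory -Site $site -Name $alias)) {
    New-WebVirtualDirectory -Site $site -Name $alias -PhysicalPath $path | Out-Null
}
$location = "$site/$alias"

# Directory browsing: optional, only useful to eyeball the files in a browser.
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $location `
    -Filter 'system.webServer/directoryBrowse' -Name 'enabled' -Value 'True'

# Delta CRL file names contain '+' (<CaName>+.crl). Clients request %2B and IIS
# request filtering treats that as double escaping and returns 404 unless allowed.
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $location `
    -Filter 'system.webServer/security/requestFiltering' -Name 'allowDoubleEscaping' -Value 'True'

# Share for the CA to publish into. Change on the share + Modify on NTFS is enough
# for the CA to create and overwrite CRL files (least privilege instead of Full Control).
if (-not (Get-SmbShare -Name 'CRLDIST$' -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name 'CRLDIST$' -Path $path -ChangeAccess $caAcct | Out-Null
}
icacls $path /grant "${caAcct}:(OI)(CI)M" | Out-Null

# Read for the IIS worker identity, in case the inherited defaults on C:\ do not
# already cover it (IIS_IUSRS is the group the IIS worker processes belong to).
icacls $path /grant 'BUILTIN\IIS_IUSRS:(OI)(CI)RX' | Out-Null

# Check the two settings the CA depends on.
Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $location `
    -Filter 'system.webServer/security/requestFiltering' -Name 'allowDoubleEscaping'
Get-SmbShareAccess -Name 'CRLDIST$'
```

Writing the two settings through MACHINE/WEBROOT/APPHOST with -Location puts them into a <location> block in applicationHost.config, which is exactly what the IIS Configuration Editor does when you click Apply, and avoids any web.config in the CRL folder itself.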

4. Publish the CRL to WEBSERV by performing the following steps:

– Open the Certification Authority console on CASERV.
– Navigate to the Revoked Certificates folder, right-click the folder and select All Tasks, Publish (choose New CRL).
– Check that the CRL files were created in the \\WEBSERV\CRLDIST$ share: <CaName>.crl and, if delta CRLs are enabled on the CA, <CaName>+.crl.
– From an external computer, fetch the CRL with http://crl.mydomain.com/CRLD/<CRL_file_name>.crl. Fetch the delta CRL URL as well: if the base CRL downloads but the delta returns 404, the allowDoubleEscaping setting from step 2 is missing.
– To test the chain the way a client does, run certutil -verify -urlfetch on a certificate issued after the change; it downloads the CRL from the CDP embedded in that certificate and reports any URL it could not retrieve.
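Publishing and checking the result from PowerShell, as an added example that is not part of the original post. It runs elevated on CASERV, reuses the names assumed in this post, and takes the CA name as an assumption you must replace with your own (certutil -cainfo name prints it). The HTTP part can equally be run from any machine outside the domain.

```powershell
# Added example (not from the original post): publish a fresh CRL and verify it is
# reachable the way a client fetches it. Assumptions: CA name "MyDomain Issuing CA"
# (replace with yours), share \\WEBSERV\CRLDIST$, URL http://crl.mydomain.com/CRLD/,
# delta CRLs enabled on the CA (the default; set $deltaEnabled = $false otherwise).
$caName       = 'MyDomain Issuing CA'
$share        = '\\WEBSERV\CRLDIST$'
$baseUrl      = 'http://crl.mydomain.com/CRLD/'
$deltaEnabled = $true

# certutil -CRL publishes a new base CRL (and a delta CRL when enabled) to every
# location flagged for publishing; same as Revoked Certificates > All Tasks > Publish.
certutil -CRL | Out-Null
if ($LASTEXITCODE -ne 0) { throw "certutil -CRL failed with exit code $LASTEXITCODE" }

$expected = @("${caName}.crl")
if ($deltaEnabled) { $expected += "${caName}+.crl" }

# 1. The files must have landed on the share through the UNC publishing location.
foreach ($f in $expected) {
    $p = Join-Path $share $f
    if (Test-Path $p) { "OK   share has $f" } else { "MISS $p not found (check CASERV$ permissions)" }
}

# 2. Fetch each file over HTTP exactly as a client would. EscapeDataString turns
#    the '+' of the delta CRL into %2B, the request that needs allowDoubleEscaping.
foreach ($f in $expected) {
    $url = $baseUrl + [uri]::EscapeDataString($f)
    $tmp = Join-Path $env:TEMP $f
    try {
        $r = Invoke-WebRequest -Uri $url -OutFile $tmp -PassThru -UseBasicParsing
        # Decode the CRL and show its validity window; clients reject the CRL once
        # NextUpdate has passed, so publication must happen before that.
        $window = certutil -dump $tmp | Select-String -Pattern 'ThisUpdate|NextUpdate'
        "OK   $url -> HTTP $($r.StatusCode); $(($window | ForEach-Object { $_.Line.Trim() }) -join ' / ')"
    } catch {
        "FAIL $url -> $($_.Exception.Message)"
    }
}
```

A 200 for the base CRL together with a 404 for the delta is the signature of request filtering still blocking %2B; a 404 for both usually means the virtual directory path or the share publication is wrong, and the first loop tells you which.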
