IT Consultant Everyday Notes

Just some problems/solutions storage

How to publish Certificate Revocation List (CRL)

If you are using your own PKI, it is important to make your CRLs available to the users of your certificates, so they can check the Certificate Revocation List published by your CA.

Environment (this assumes the internal and external FQDNs of the domain are the same; if you use different names you need to add additional records for the CRL location):

1. Certificate Authority CASERV (a single-tier CA, for simplicity).

2. Web server WEBSERV (IIS, published through a reverse proxy as CRL.MYDOMAIN.COM).

3. Windows Firewall on WEBSERV allows File and Printer Sharing.

1. Configure the CA installed on CASERV with the following extension settings (right-click the CA, Properties, Extensions tab):
– Add Location:
– Add Variables (in order): CAName, CRLNameSuffix, DeltaCRLAllowed
– Location: the HTTP URL of the CRL on the web server, ending in .crl (the CRL Location line should end with <CAName><CRLNameSuffix><DeltaCRLAllowed>.crl)

– Select Include in CRLs. Clients use this to find Delta CRL locations and Include in the CDP extension of issued certificates.
– Do not restart Certificate Services yet.

Note: if your internal and external domain names differ, use the external web server name in this location.

– Add Location: \\WEBSERV\crldist$\
– Add Variables (in order): CAName, CRLNameSuffix, DeltaCRLAllowed
– Location: .crl (so the line reads \\WEBSERV\crldist$\<CAName><CRLNameSuffix><DeltaCRLAllowed>.crl)
– Select Publish CRLs to this location and Publish Delta CRLs to this location

– Restart Certificate Services.
– Close the Certificate Authority console.

2. Create the CRL distribution point on WEBSERV by performing the following steps:
– Start Internet Information Services (IIS) Manager.
– In the console tree, browse to WEBSERV\Sites\Default Web Site, right-click Default Web Site, and then click Add Virtual Directory.
Alias: CRLD
Path: C:\CRLDist
– In the middle pane of the console, double-click Directory Browsing, and in the Actions pane, click Enable.
– In the console tree, click the CRLD folder.
– In the middle pane of the console, double-click the Configuration Editor icon.
– Click the down-arrow of the Section drop-down list, and navigate to system.webServer\security\requestFiltering.
– In the middle pane of the console, double-click the allowDoubleEscaping entry to change the value from False to True (delta CRL file names contain a + character, which request filtering rejects unless double escaping is allowed).
– In the Actions pane, click Apply.

3. Share and secure the CRL distribution point by performing the following steps:

– Share C:\CRLDist as \\WEBSERV\CRLDIST$
– Set Full Control in both the Share and NTFS permissions for the CASERV$ machine account (the CA writes the CRL files using its computer account, so no other account needs write access)

4. Publish the CRL to WEBSERV by performing the following steps:

– Open the Certification Authority MMC on CASERV
– Navigate to the Revoked Certificates folder, right-click the folder, and select All Tasks, Publish
– Check that the CRL files were created in the \\WEBSERV\CRLDIST$ share
– From an external computer, try to download the CRL using its <CRL_file_name>.crl URL
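The same four steps as a PowerShell script, with checks at the end. This is an added example, not part of the original notes; the CA computer account MYDOMAIN\CASERV$, the public name crl.mydomain.com, the CA name MyCA and the test certificate path issued-cert.cer are assumed values, and each section must be run on the host named in its comment, from an elevated shell.

```powershell
# Added example (not from the original notes). Assumed names: CA computer account
# MYDOMAIN\CASERV$, web server WEBSERV, public name crl.mydomain.com, CA name MyCA,
# IIS alias CRLD mapped to C:\CRLDist. Run each section on the host in its comment.

# ---------- Step 1: on CASERV, set the CA's CRL publication locations ----------
# certutil tokens: %3 = CAName, %8 = CRLNameSuffix, %9 = DeltaCRLAllowed.
# Flag bits in front of each URL: 1 = publish CRL here, 2 = include in the CDP
# extension of issued certificates, 4 = include in CRLs (delta CRL location),
# 64 = publish delta CRL here. The GUI checkboxes above map to these bits.
$crlUrls = @(
    '1:C:\Windows\System32\CertSrv\CertEnroll\%3%8%9.crl',   # default local copy, keep it
    '6:http://crl.mydomain.com/CRLD/%3%8%9.crl',             # 2+4: the URL clients will follow
    '65:\\WEBSERV\crldist$\%3%8%9.crl'                       # 1+64: CA writes base and delta CRLs here
)
# certutil separates REG_MULTI_SZ entries with a literal backslash-n sequence.
certutil -setreg CA\CRLPublicationURLs ($crlUrls -join '\n')
certutil -getreg CA\CRLPublicationURLs      # review before restarting
Restart-Service CertSvc

# ---------- Steps 2 and 3: on WEBSERV, create and share the distribution point ----------
Import-Module WebAdministration
New-Item -ItemType Directory -Path 'C:\CRLDist' -Force | Out-Null
New-WebVirtualDirectory -Site 'Default Web Site' -Name 'CRLD' -PhysicalPath 'C:\CRLDist'
$vdir = 'IIS:\Sites\Default Web Site\CRLD'
Set-WebConfigurationProperty -PSPath $vdir -Filter 'system.webServer/directoryBrowse' `
    -Name 'enabled' -Value $true
# Delta CRL file names end in '+.crl'; request filtering rejects the '+' unless
# double escaping is allowed, so clients would get a 404 for the delta CRL.
Set-WebConfigurationProperty -PSPath $vdir -Filter 'system.webServer/security/requestFiltering' `
    -Name 'allowDoubleEscaping' -Value $true

# Hidden share: only the CA computer account needs to write here; everyone else reads over HTTP.
New-SmbShare -Name 'crldist$' -Path 'C:\CRLDist' -FullAccess 'MYDOMAIN\CASERV$'
$acl  = Get-Acl -Path 'C:\CRLDist'
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule('MYDOMAIN\CASERV$', 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path 'C:\CRLDist' -AclObject $acl

# ---------- Step 4: on CASERV, publish and verify ----------
certutil -CRL                                  # same as Revoked Certificates > All Tasks > Publish
Get-ChildItem '\\WEBSERV\crldist$\*.crl'       # expect MyCA.crl and MyCA+.crl (delta)

# ---------- Check from an external computer ----------
$caName = 'MyCA'                               # assumed; use your CA's name
foreach ($file in "$caName.crl", "$caName+.crl") {
    $url = "http://crl.mydomain.com/CRLD/$file"
    try {
        $r = Invoke-WebRequest -Uri $url -UseBasicParsing
        '{0}: HTTP {1}, {2} bytes' -f $file, $r.StatusCode, $r.RawContentLength
    } catch {
        # A failure on the '+' URL only usually means allowDoubleEscaping is still False.
        '{0}: FAILED - {1}' -f $file, $_.Exception.Message
    }
}
# Inspect the base CRL (issuer, this/next update, revoked serial numbers).
$local = Join-Path $env:TEMP "$caName.crl"
Invoke-WebRequest -Uri "http://crl.mydomain.com/CRLD/$caName.crl" -UseBasicParsing -OutFile $local
certutil -dump $local
# Chain build with live CDP retrieval for a certificate issued by this CA.
certutil -verify -urlfetch '.\issued-cert.cer'
```

Keep the CDP URL on plain HTTP: a client that had to validate an HTTPS certificate before it could fetch the CRL would first need the CRL for that certificate. The `certutil -verify -urlfetch` run at the end is the check to repeat after any change to the CA extensions, since certificates issued before the change still carry the old CDP URL.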
