Question
Thursday, January 4, 2018 4:50 PM
So I set up a 2-tier PKI using an HTTP URL for the CRL and AIA. The CRL appears to auto-publish just fine in the Windows cert location, but I had assumed that by supplying the HTTP address in the extensions it would also auto-publish to the HTTP location. It seems counterproductive that you have to make a script or manually move the files when they are published. Am I missing something? If so, what? I set up a separate folder for the HTTP setup and it works fine; my only issue is what the best way is to sync the HTTP CRL location with the publish location.
All replies (11)
Thursday, January 4, 2018 5:22 PM ✅Answered
You cannot automatically publish a CRL to an HTTP location.
You can specify that HTTP location as a CDP, but getting new CRLs to the appropriate web locations requires a separate effort.
You might look at this:
Some folks use this script to coordinate the sync of a CA's CRL to web sites.
https://gallery.technet.microsoft.com/scriptcenter/Powershell-CRL-Copy-v4-11554ea5
There are other ways to do this, but I would start with these.
Good Luck.
-Wayne
Thursday, January 4, 2018 9:28 PM
OK, so I was looking at the first link, and I thought the file:// option was now obsolete.
Using your first link:
To automatically publish the CRL on a separate server
- On the CA server, load Certification Authority, right-click your CA, select Properties, and then click the Extensions tab.
- Ensure that CRL Distribution Point (CDP) is selected, and then click Add.
- In the Add Location dialog box, type the following and then click OK: `file://\\<ServerName>\<Share>\<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl`. For example, if your Web server was called server2 and the folder share name you created for the CRL was called CRL, you would type `file://\\server2\CRL\<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl`
Vadims' blog says that file:// is no longer valid:
"file:// protocol is no longer supported for file retrieval (when published in the extension)."
So my question is how true is this?
The PowerShell script might be doable. I need to look it over in detail. It seems a bit excessive at first glance.
This post here describes some of my set up when I was seeking information on my setup issues.
Friday, January 5, 2018 12:46 PM
As I mentioned in my initial reply, there are other ways.
Some folks choose to split up the job into two entries in your CA’s CDP Extensions.
1> The first entry would be the one that simply defines the web based CDP and puts that entry into the published certificates.
2> The second CDP entry would be an entry whose job it is to get the CRL to the web server.
Here is my approach:
Make a file share on the server that you used for the web based CDP.
Make the IIS web virtual directory location, and the above file share the same location.
Example: net share CDP=C:\inetpub\wwwroot
(Make sure that your CA Server has rights to that share, and the files system.)
I would then configure your CA to simply publish the web CDP in the published certificates.
Here is the command line that will set up both of those two entries in your CA:
certutil -setreg CA\CRLPublicationURLS "1:%WINDIR%\system32\certsrv\CertEnroll\%3%8.crl\n1:\\WEBSERVER\cdp\%3%8.crl\n10:http://crl.mywebsite.com/%3%8.crl"
This solution depends on the share on the web server being configured correctly, and the CA server having the rights to copy a file (the CRL) to that location.
This solution does work, but as others have correctly pointed out, it will not retry to publish, should the copy to \\webserver\cdp fail. Instead, it will simply throw an error.
Hope this helps.
Friday, January 5, 2018 3:22 PM
Where would it throw the error, in the event log or in the CA MMC? I am wondering now if my issue is a permissions issue.
This is the info I used in the extension:
http://pki.XX-ad.xxx.com/pki/crl/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl
I will have to review all my logs and see if there is an error when I try to publish a CRL update.
Friday, January 5, 2018 3:28 PM
Are you still trying to publish to that location?
Friday, January 5, 2018 3:38 PM
My intent is to publish to that location and the c:\windows\system32...
But is your CLI recommendation the same as doing the file:// method, or was the file:// method replaced with the \\servername\folder\properties.crl method?
If I try the \\servername method you recommend, do I need to redo my sub CA cert using my root CA, or just make the SubCA CDP change and re-publish the SubCA?
Friday, January 5, 2018 4:34 PM
Your root CA should include this:
"1:%WINDIR%\system32\certsrv\CertEnroll\%3%8.crl\n10:http://crl.mywebsite.com/%3%8.crl"
Hopefully your root CA is offline, so trying to publish to \\webserver\cdp should fail. The above line only configures your CA to add the http://crl.mywebsite.com CDP to issued certs.
Your Sub CA should be online. There I would use
certutil -setreg CA\CRLPublicationURLS "1:%WINDIR%\system32\certsrv\CertEnroll\%3%8.crl\n1:\\WEBSERVER\cdp\%3%8.crl\n10:http://crl.mywebsite.com/%3%8.crl"
In addition to doing the above, it will also try to push the actual CRL to the \\webserver\cdp location.
But again, this method, while simple, does not check to make sure that the CDP is actually updated. The script method is much smarter.
Friday, January 5, 2018 4:38 PM
OK, thanks for the info.
Monday, January 8, 2018 6:19 AM
Hi,
I am checking how the issue is going, if you still have any questions, please feel free to contact us.
And if the replies as above are helpful, we would appreciate you to mark them as answers, and if you resolve it using your own solution, please share your experience and solution here. It will be greatly helpful to others who have the same question.
We appreciate your feedback.
Best regards,
Wendy
Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact [email protected].
Thursday, January 11, 2018 3:48 PM
I have decided to explore the script aspect of keeping the https location correct with the CRL files.
Thursday, January 18, 2018 9:54 PM
So the script from the gallery does not copy the delta CRL, and appears to fail the delta CRL check it performs, as it consistently states there is no delta CRL, when in fact I set up a delta CRL extension and certsvc appears to publish a delta CRL, as PKI View shows one. So I may have to try and modify the script to force a delta CRL copy.
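An added example, not from the thread, the gallery script, or Microsoft: a minimal sync that addresses the two gaps raised above, namely that the second CDP entry silently fails without retry and that the gallery script ignores the delta CRL. It copies both the base (`<CaName>.crl`) and delta (`<CaName>+.crl`) files from CertEnroll to the web share, verifies each copy by hash, and logs the outcome to the Application event log. The share path `\\WEBSERVER\cdp` and the event source name are assumptions; run it as a scheduled task on the issuing CA.

```powershell
# Assumed paths; adjust for your environment. CertEnroll is the CA's default
# publish folder, \\WEBSERVER\cdp is the share backing the IIS CDP directory.
$Source      = Join-Path $env:windir 'system32\certsrv\CertEnroll'
$Destination = '\\WEBSERVER\cdp'
$LogSource   = 'CRL-Sync'   # hypothetical event source name

if (-not [System.Diagnostics.EventLog]::SourceExists($LogSource)) {
    New-EventLog -LogName Application -Source $LogSource
}

function Write-SyncLog([string]$Type, [int]$Id, [string]$Message) {
    Write-EventLog -LogName Application -Source $LogSource -EntryType $Type -EventId $Id -Message $Message
}

# '*.crl' matches both the base CRL and the delta CRL ('<CaName>+.crl').
$crls = @(Get-ChildItem -Path $Source -Filter '*.crl' -File)
if ($crls.Count -eq 0) {
    Write-SyncLog 'Error' 1 "No CRL files found in $Source"
    exit 1
}

$failed = 0
foreach ($crl in $crls) {
    $target = Join-Path $Destination $crl.Name
    $kind   = if ($crl.Name -like '*+.crl') { 'delta' } else { 'base' }
    try {
        $srcHash = (Get-FileHash -Path $crl.FullName -Algorithm SHA256).Hash
        # Skip files the web server already has; avoids needless writes on every run.
        if ((Test-Path $target) -and
            ((Get-FileHash -Path $target -Algorithm SHA256).Hash -eq $srcHash)) {
            continue
        }
        Copy-Item -Path $crl.FullName -Destination $target -Force
        # Verify the published copy is byte-identical before reporting success;
        # a truncated CRL on the web server breaks revocation checking for clients.
        $dstHash = (Get-FileHash -Path $target -Algorithm SHA256).Hash
        if ($dstHash -ne $srcHash) { throw "hash mismatch after copy ($dstHash vs $srcHash)" }
        Write-SyncLog 'Information' 10 "Published $kind CRL $($crl.Name) to $Destination"
    } catch {
        $failed++
        Write-SyncLog 'Error' 20 "Failed to publish $kind CRL $($crl.Name) to $target : $_"
    }
}

# Non-zero exit lets Task Scheduler or monitoring surface a failed sync;
# re-running the task is the retry that the plain CDP entry never performs.
if ($failed -gt 0) { exit 1 }
exit 0
```

The delta CRL's lifetime is usually short, so schedule the task more often than the delta publication interval, and alert on event ID 20 from the CRL-Sync source.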