CDPs define the locations from which the CRL can be retrieved. This should be a web-based location accessible over HTTP. Certificate validators use this list to check a given certificate against the revocation list.
Before we do this, we need to prepare the web server. It should be a domain member, since the issuing CA is also domain-joined.
In my demonstration, I am going to use the same issuing CA as the CDP location.
The web server can be installed using the following command:
Install-WindowsFeature Web-WebServer -IncludeManagementTools
Next, create a folder and share it so that it can be used as the virtual directory:
mkdir C:\CertEnroll
New-SmbShare -Name CertEnroll -Path C:\CertEnroll -FullAccess SYSTEM,"rebeladmin\Domain Admins" -ChangeAccess "rebeladmin\Cert Publishers"
This sets the share permissions to full access for SYSTEM and rebeladmin\Domain Admins, and change access for rebeladmin\Cert Publishers (the change access is what lets the CA write the CRL file into the share).
After that, load the Internet Information Services (IIS) manager and add a virtual directory, CertEnroll, with the aforementioned path:
Last but not least, we need to create a DNS record for the service URL. In this demonstration, I am using crt.rebeladmin.com. This will allow us to access the new distribution point using http://crt.rebeladmin.com/CertEnroll.
Now everything is ready, and we can publish the CDP settings using the following command:
certutil -setreg CA\CRLPublicationURLs "1:C:\Windows\system32\CertSrv\CertEnroll\%3%8%9.crl\n10:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10\n2:http://crt.rebeladmin.com/CertEnroll/%3%8%9.crl"
The number before each colon is the sum of the option flags listed in the following table (for example, 10 = 2 + 8), and the tokens beginning with % are variables that the CA expands when it publishes:
Option | Details
--- | ---
0 | No changes.
1 | Publish the CRL to this location.
2 | Include this location in the CDP extension of issued certificates.
4 | Include this location in CRLs; clients use it to find delta CRL locations.
8 | Publish all CRL information to Active Directory when publishing manually.
64 | Publish delta CRLs to this location.
128 | Include this location in the Issuing Distribution Point (IDP) extension of issued CRLs.
All these settings can also be specified using the GUI. To access it, go to Server Manager | Tools | Certification Authority, right-click the CA server, select Properties, and go to the Extensions tab.
There, you can insert any of the following variables from the GUI:
Variable | GUI reference | Details
--- | --- | ---
%1 | <ServerDNSName> | The DNS name of the CA server
%2 | <ServerShortName> | The NetBIOS name of the CA server
%3 | <CAName> | The given name of the CA
%4 | <CertificateName> | Renewal extension of the CA
%6 | <ConfigurationContainer> | DN of the configuration container in AD
%7 | <CATruncatedName> | Truncated name of the CA (32 characters)
%8 | <CRLNameSuffix> | Inserts a name suffix at the end of the filename before publishing a CRL
%9 | <DeltaCRLAllowed> | Replaces CRLNameSuffix with a separate suffix for the delta CRL
%10 | <CDPObjectClass> | The object class identifier for the CDP
%11 | <CAObjectClass> | The object class identifier for a CA
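As an added example that is not part of the original text, the PowerShell below decodes the CRLPublicationURLs value set earlier into its option flags (using the options table), expands the % variables from the table above with assumed sample values (a CA named rebeladmin-CA on server CA01 in rebeladmin.com; the expansion of %10 is also an assumption), and checks that the HTTP distribution point answers.

```powershell
# Added example, not from the original text: decode CRLPublicationURLs, expand its variables, test the HTTP CDP.
$flagNames = [ordered]@{
    1   = 'Publish CRL here'
    2   = 'Add to CDP extension of issued certificates'
    4   = 'Add to CRLs (delta CRL locations)'
    8   = 'Publish to AD when publishing manually'
    64  = 'Publish delta CRL here'
    128 = 'Add to IDP extension of issued CRLs'
}
$assumedVars = @{   # assumed sample values, not from the page
    '%2'  = 'CA01'                                  # <ServerShortName>
    '%3'  = 'rebeladmin-CA'                         # <CAName>
    '%6'  = 'CN=Configuration,DC=rebeladmin,DC=com' # <ConfigurationContainer>
    '%7'  = 'rebeladmin-CA'                         # <CATruncatedName>
    '%8'  = ''                                      # <CRLNameSuffix>, empty until the CA key is renewed
    '%10' = '?certificateRevocationList?base?objectClass=cRLDistributionPoint' # <CDPObjectClass> (assumed)
}
function Expand-CdpTemplate {
    param([string]$Template, [hashtable]$Vars, [bool]$Delta)
    $out = $Template
    # longest names first so that %10 is never mangled by a %1 replacement
    foreach ($k in ($Vars.Keys | Sort-Object Length -Descending)) { $out = $out.Replace($k, $Vars[$k]) }
    # %9 (<DeltaCRLAllowed>) is "+" in delta CRL names and empty for the base CRL
    $out.Replace('%9', $(if ($Delta) { '+' } else { '' }))
}
function ConvertFrom-CrlPublicationUrls {
    param([string]$Value, [hashtable]$Vars)
    foreach ($entry in ($Value -split '\\n')) {      # entries are separated by a literal "\n"
        $flags, $template = $entry -split ':', 2      # "<flag sum>:<URL template>"
        $flags = [int]$flags
        $options = $flagNames.Keys | Where-Object { $flags -band $_ } | ForEach-Object { $flagNames[$_] }
        [pscustomobject]@{
            Flags    = $flags
            Options  = $options -join '; '
            BaseCrl  = Expand-CdpTemplate -Template $template -Vars $Vars -Delta $false
            DeltaCrl = Expand-CdpTemplate -Template $template -Vars $Vars -Delta $true
        }
    }
}
function Test-HttpCdp {
    param([string]$Url)   # HEAD is enough: IIS should answer 200 for the published .crl file
    try { (Invoke-WebRequest -Uri $Url -Method Head -UseBasicParsing -ErrorAction Stop).StatusCode -eq 200 }
    catch { $false }
}
# The value set with certutil earlier on this page
$value = '1:C:\Windows\system32\CertSrv\CertEnroll\%3%8%9.crl\n10:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10\n2:http://crt.rebeladmin.com/CertEnroll/%3%8%9.crl'
$entries = ConvertFrom-CrlPublicationUrls -Value $value -Vars $assumedVars
$entries | Format-Table Flags, Options, BaseCrl -AutoSize
$http = $entries | Where-Object { $_.BaseCrl -like 'http://*' }
Write-Host "HTTP CDP reachable: $(Test-HttpCdp -Url $http.BaseCrl)"   # True once the CRL has been published
```

With the assumed values, the HTTP entry expands to http://crt.rebeladmin.com/CertEnroll/rebeladmin-CA.crl for the base CRL and rebeladmin-CA+.crl for the delta CRL, and flag sum 10 decodes to the CDP-extension and publish-to-AD options.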