Defining Publication Points


2022-11-16 03:39 | Source: compiled from the web | Views: 265

Last Updated on Wed, 05 Oct 2022 | Certificate Security

One of the key tasks after installing Certificate Services is defining publication points for a CA's certificate and CRL. The publication points can be configured in the CA console in the CA's Properties dialog box. (See Figure 6-4.)

Figure 6-4 Defining CRL distribution points (screenshot of the Extensions tab in the CA's Properties dialog box, with CRL Distribution Point (CDP) selected under "Select extension" and the list of CRL locations with their publication check boxes)

This dialog box allows you to choose between CDP URLs and AIA URLs. In both cases, you must also choose the URL path where the CRL or AIA will be referenced.

Table 6-3 shows the options available for CRL publication locations.

Table 6-3 CRL Publication Options

| Display Name | Description | Name | Value |
|---|---|---|---|
| Publish CRLs to this location. | Identifies locations to which the CA should automatically or manually publish the physical CRL files. | | |
| Include in all CRLs. Specifies where to publish in Active Directory when publishing manually. | Used for providing the LDAP URL where the CRL is stored in Active Directory. Commonly used to designate the LDAP URL for offline CA CRLs. | | |
| Include in CRLs. Clients use this to find delta CRL locations. | Places a URL for delta CRL retrieval in a base CRL. This publication point is stored in the freshest CRL extension of a CRL and is only retrieved during the CRL checking process. | AddtoFreshestCRL | 4 |
| Include in the CDP extension of issued certificates. | Places a URL in the CDP extension of a certificate issued by the CA to allow the relying party certificate chaining engine to download the latest CRL version. | | |
| Publish delta CRLs to this location. | If the CA is configured to enable delta CRLs, the delta CRL files are published to this location. | ServerPublishDelta | 64 |

For each location, you can choose to enable any combination of check boxes by adding the numbers in the Value column. For example, if you want to enable the publication of CRLs and delta CRLs, a value of 65 will accomplish this.

Likewise, there are specific entries for CA certificate publication locations. When you enable these options, the URLs are placed in the AIA extension of issued certificates. Table 6-4 shows the values that are available for AIA publication URLs.

Table 6-4 AIA Publication Options

| Display Name | Description | Name | Value |
|---|---|---|---|
| Publish CRLs to this location. | Identifies locations to which the CA should automatically or manually publish the physical CRL files. | ServerPublish | |
| Include in the AIA extension of issued certificates. | Includes the URLs for the CA certificate in all issued certificates. | | |
| Include in the online certificate status protocol (OCSP) extension. | Includes the HTTP URL for the designated OCSP server in all issued certificates. | AddtoCertOCSP | 32 |

As with the CDP extensions, you can determine which check boxes to enable for each AIA extension by referencing the numbers in the Value column and adding the numbers.

Defining CRL Distribution Points

You can define a CA's CDP URLs by using the certutil command to edit the CRLPublicationURLs registry entry. The command allows you to designate one or more URLs, as well as which CRL publication options are enabled for each URL.

For example, consider the following certutil command that defines the CDP extension:

certutil -setreg CA\CRLPublicationURLs "1:%windir%\system32\CertSrv\CertEnroll\%%3%%8%%9.crl\n2:\n10:ldap:///CN=%%7%%8,CN=%%2,CN=CDP,CN=Public Key Services,CN=Services,%%6%%10"

This command defines three separate URLs. The URL order is important when implementing Windows clients, as it defines the order in which the certificate chaining engine searches URLs when retrieving an updated CRL version. Likewise, the number that precedes each URL represents the enabled options for each URL.

■ 1:%windir%\system32\CertSrv\CertEnroll\%%3%%8%%9.crl. This URL ensures that the CRL file is copied to the local file system every time the CRL is automatically or manually published.

■ 2: This URL ensures that the URL is included in the CDP extension of all issued certificates.

■ 10:ldap:///CN=%%7%%8,CN=%%2,CN=CDP,CN=Public Key Services,CN=Services,%%6%%10. This URL enables two values: 2 to designate the CRL's publication point in Active Directory and 8 to include the CDP URL in all CA-issued certificates.

Note Each URL is separated by \n. This character combination is the line separation indicator used for multi-valued registry entries.

Note Notice that the variables used in the certutil commands are the same as those used in the CAPolicy.inf file. The only difference is that the variables are prefixed with %%, rather than %. The additional % character is an escape character required by certutil.

Defining CA Certificate Distribution Points

As with the CDP extension, you can modify the AIA extension to designate CA certificate publication points. This is accomplished by using the certutil command to modify the CACertPublicationURLs registry entry, as shown here:

::Modify the AIA Extension URLs
certutil -setreg CA\CACertPublicationURLs "1:%windir%\system32\CertSrv\CertEnroll\%%1_%%3%%4.crt\n2:%%1_%%3%%4.crt\n2:ldap:///CN=%%7,CN=AIA,CN=Public Key Services,CN=Services,%%6%%11"

The example places three entries in the registry value:

■ 1:%windir%\system32\CertSrv\CertEnroll\%%1_%%3%%4.crt Ensures that the CA certificate is published to the local file system.

■ 2: Ensures that the HTTP URL is included in the AIA extension of all issued certificates.

■ 2:ldap:///CN=%%7,CN=AIA,CN=Public Key Services,CN=Services,%%6%%11. Ensures that the LDAP URL is included in the AIA extension of all issued certificates.
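Both CRLPublicationURLs and CACertPublicationURLs use the same "number:URL" entry format, so one check covers the CDP and AIA passages above. The following Python is an added example, not code from the book or from Microsoft: it splits such a value, decodes each number into its options and reports entries that clients or the CA cannot use. The CSURL_* names are the certsrv.h constants for the option values, and the sample value and pki.example.com are constructed.

```python
# Added example (not from the book): decode and sanity-check a value written to
# CA\CRLPublicationURLs or CA\CACertPublicationURLs. Names are certsrv.h constants.
CSURL = {
    1: "CSURL_SERVERPUBLISH",        # Publish CRLs / CA certificate to this location
    2: "CSURL_ADDTOCERTCDP",         # Include in CDP or AIA of issued certificates
    4: "CSURL_ADDTOFRESHESTCRL",     # Include in CRLs (delta CRL location)
    8: "CSURL_ADDTOCRLCDP",          # Include in all CRLs
    16: "CSURL_PUBLISHRETRIES",
    32: "CSURL_ADDTOCERTOCSP",       # Include in the OCSP extension
    64: "CSURL_SERVERPUBLISHDELTA",  # Publish delta CRLs to this location
    128: "CSURL_ADDTOIDP",
}
TO_CLIENTS = 2 | 4 | 32   # URL is handed to relying parties
PUBLISH = 1 | 64          # CA writes files to this location

def parse_publication_urls(value):
    """Split '<flags>:<url>' entries separated by a literal \\n or a newline."""
    entries = []
    for item in value.replace("\\n", "\n").splitlines():
        number, sep, url = item.strip().partition(":")
        if not sep or not number.isdigit():
            raise ValueError(f"expected '<flags>:<url>', got {item!r}")
        entries.append((int(number), url.strip()))
    return entries

def decode(flags):
    """Return the names of the options that add up to flags."""
    return [name for bit, name in CSURL.items() if flags & bit]

def audit(value):
    """Return findings for entries that clients or the CA cannot use."""
    findings = []
    for flags, url in parse_publication_urls(value):
        scheme = url.partition("://")[0].lower() if "://" in url else "path"
        if not url:
            findings.append(f"{flags}: options set but no URL given")
        elif flags & TO_CLIENTS and scheme == "path":
            findings.append(f"{flags}: file system path placed in certificates or CRLs")
        elif flags & PUBLISH and scheme in ("http", "https"):
            findings.append(f"{flags}: the CA cannot publish to an {scheme.upper()} URL")
    return findings

# Constructed sample in registry form (single %); pki.example.com is a placeholder.
SAMPLE = (r"65:%windir%\system32\CertSrv\CertEnroll\%3%8%9.crl"
          r"\n6:http://pki.example.com/CertEnroll/%3%8%9.crl"
          r"\n10:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10")

for flags, url in parse_publication_urls(SAMPLE):
    print(flags, decode(flags), url)
```

Running `audit` on the output of `certutil -getreg` for either registry value, pasted as text, gives a quick review of what each number enables before the CA issues certificates that carry those URLs.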
