How to Publish the CRL on a Separate Web Server


[Today's post is provided by Carol Bailey]

By default, an issuing enterprise CA publishes its certificate revocation list (CRL) to locations within the forest. When you are using Internet-based client management with Configuration Manager, there are scenarios where you might need to publish the CRL on a separate server, outside the forest. These scenarios include the following:

  • Your Internet-based site systems are in the DMZ but the issuing CA for the client computers is in a separate forest in the intranet.  These Internet-based site systems will not be able to access the CRL for clients connecting over the Internet.
  • Your Internet-based site systems are in the DMZ but the issuing CA for these servers is in a separate forest in the intranet.  When clients connect from the Internet and they are configured for CRL checking, they will not be able to access the CRL for the server certificates on the Internet-based site systems. 

In these Internet scenarios, it makes sense to publish a CRL that can be accessed over HTTP with an Internet FQDN.  If you already have a Web server in the DMZ that is configured for HTTP, it makes an ideal candidate because you just need to add an additional virtual directory - there's no need to add a host entry into your public DNS, or install and harden a new server to run IIS.  However, think twice about using a server running Internet-based site system roles because (with the exception of the fallback status point) these use HTTPS to help secure the server from unauthenticated access.  Certificate revocation lists cannot be accessed over HTTPS, so adding HTTP access to one of your Internet-based site system servers would greatly increase the risk of an attacker connecting to this server.

Disclaimer:  The procedures in this blog post are external to Configuration Manager, so you will not find this information in the Configuration Manager product documentation.  However, we realize that PKI is often new to Configuration Manager admins, and aim to share our knowledge and experience to help you be more successful with the product. We would also like to pay tribute to the help and information provided by Amer Kamal and Mark Cooper, senior Premier Field Engineers who have designed and implemented CDPs for our customers.

CRLs (base and deltas) are published to CRL distribution points (CDPs).  So in our scenarios, the separate Web server in the DMZ will become a new CDP.  You can manually publish the CRL onto this new CDP, or you can automatically publish it.  Automatic publishing is a whole lot easier but requires a one-way trust from the Web server (CDP) in the DMZ to the CA server in the intranet, and uses SMB traffic for this connection (which you can secure with IPsec).  You would need to discuss the pros and cons of this design with your security guys.  On the plus side, the connection is initiated by the trusted network only and the automation helps to reduce the possibility of the CRL not being accessible (which in turn, results in a rejected PKI connection).  Manually publishing the CRL is the only option when there is no connectivity allowed between the intranet and the DMZ, and obviously carries a higher administrative overhead with a higher possibility of error.

If you are asking yourself how often the CRL gets published, you can view and configure the publication intervals for the base and delta CRLs in the Certification Authority console.  Right-click Revoked Certificates, click Properties, and the publication intervals are on the CRL Publishing Parameters tab.  The default value for the base CRL publication is one week, and the default value for the delta CRL is one day.  For more information about these schedules and managing certificate revocation, see the Certificate Services documentation, for example: Configuring Certificate Revocation.

If you are allowed some restricted access from the intranet to the DMZ, but this excludes connections directly from the CA server, you can adapt the procedures below so that you publish the CRL onto a new server in the intranet and then copy the files to the server in the DMZ - in other words, you automatically publish the CRL to a staging server in the intranet but computers access the CRL from another server in the DMZ.  Similarly, the manual publishing procedure below steps through copying the files using Explorer, but you can script this to help streamline the process for each CRL update.  Additionally, the command-line utility, Certutil.exe, can be used to publish the CRL.

When multiple CDPs are listed in a certificate, a connecting computer will try each in turn, until it finds an accessible CRL. Generally, you should list the CDPs in the order in which they are most frequently used.  For example, if the majority of the connecting clients were on the Internet, specifying the external HTTP CDP first would mean that these clients would not have to first try (and fail) to locate the CRL from intranet CDPs.  However, if the majority of your clients were on the intranet and only a minority of them on the Internet at a given time, specifying the internal CDPs before the external CDPs would make sense.  Unfortunately, there isn't a reorder option when configuring the CAs for the list of CDPs, so if you wanted to change the order in which clients tried each listed CDP, you would need to delete the existing entries and re-enter them for the required order.

In overview, the steps you will need to perform to publish the CRL onto a separate Web server include the following:

  1. On your separate server, configure IIS for a new virtual directory (or new Web site) that specifies the local folder that will contain the files for the CRL.  See the procedure To configure a separate Web server to publish the CRL.
  2. Publish the CRL onto the server either manually or automatically:
    • If you need to manually copy the files for the CRL rather than use a file share to do this automatically from the CA, see the procedure To manually publish the CRL on a separate server.
    • If you can automatically publish the CRL using a file share, see the procedure To automatically publish the CRL on a separate server.
  3. Configure the issuing CA with the new CDP.  See the procedure To specify the separate Web server as a CDP.
  4. Confirm that the CRL is accessible from the new CDP.  See the procedure To confirm CRL access.
  5. Confirm that the new CDP is specified in newly issued certificates.  See the procedure To confirm new certificates contain new CDP.

 

Procedures

To configure a separate Web server to publish the CRL

  1. On the Web server, load Internet Information Services (IIS) Manager.
  2. Create a new virtual directory (or new Web site) with the following information:
    • Give it a name (alias) such as crl.
    • Select the local folder that will contain the CRL files - for example, C:\CRL.
    • Specify the directory access permissions of Read.

 

To manually publish the CRL on a separate server

  1. On the CA server, load Certification Authority, expand your CA, right-click Revoked Certificates, click All Tasks, and then click Publish.
  2. On the Publish CRL popup dialog box, ensure that New CRL is selected, and then click OK.
  3. Using Explorer, locate the folder that contains the CRL files. By default, these files are in %windir%\system32\certsrv\enroll but this location can be changed on the Extensions tab of the CA properties.
  4. Copy all the files with a .crl extension to removable media.
  5. On the Web server computer, create a new local folder to contain the CRL (for example, C:\CRL).
  6. Paste the files with the .crl extensions into this folder.
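
The manual procedure above, scripted as the post suggests (an added example, not part of the original post): it publishes a new CRL with Certutil.exe, copies the .crl files, and compares SHA-256 hashes so that a partial copy is caught. The parameter names and the destination are assumptions; the source folder default is the path given in step 3, and Get-FileHash needs PowerShell 4.0 or later.

```powershell
# Added example: publish a new CRL and copy the .crl files for the DMZ Web server.
# Run on the CA server in an elevated session.
param(
    # CRL folder as stated in step 3; change it if the CA's Extensions tab says otherwise.
    [string]$CrlSource = "$env:windir\system32\certsrv\enroll",
    # Assumption: removable media or a staging folder, for example E:\CRL.
    [Parameter(Mandatory)] [string]$Destination
)
$ErrorActionPreference = 'Stop'

# Command-line equivalent of Revoked Certificates > All Tasks > Publish > New CRL.
certutil.exe -CRL
if ($LASTEXITCODE -ne 0) { throw "certutil -CRL failed with exit code $LASTEXITCODE" }

if (-not (Test-Path -LiteralPath $CrlSource)) { throw "CRL folder not found: $CrlSource" }
$files = Get-ChildItem -LiteralPath $CrlSource -Filter *.crl -File
if (-not $files) { throw "No .crl files in $CrlSource" }

New-Item -ItemType Directory -Path $Destination -Force | Out-Null
foreach ($f in $files) {
    $target = Join-Path $Destination $f.Name
    Copy-Item -LiteralPath $f.FullName -Destination $target -Force

    # A truncated or stale CRL on the CDP causes rejected PKI connections,
    # so compare the copy against the original before reporting success.
    $src = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
    $dst = (Get-FileHash -LiteralPath $target -Algorithm SHA256).Hash
    if ($src -ne $dst) { throw "Hash mismatch after copying $($f.Name)" }
    "{0}  {1}  written {2:u}" -f $dst, $f.Name, $f.LastWriteTimeUtc
}
```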

 

To automatically publish the CRL on a separate server

  1. Ensure that a trust relationship exists such that the Web Server trusts the CA Server.
  2. On the Web server computer, create a new local folder to contain the CRL files (for example, C:\CRL).
  3. Configure the folder with the following:
    • Share the folder, for example, with the share name of CRL.
    • Specify the share permissions of Read and Change to the CA server computer account.
    • Specify NTFS permissions of Read and Write to the CA server computer account.
  4. On the CA server, load Certification Authority, right-click your CA, select Properties, and then click the Extensions tab.
  5. Ensure that CRL Distribution Point (CDP) is selected, and then click Add.
  6. In the Add Location dialog box, type the following and then click OK: file://\\<servername>\<share>\<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl  For example, if your Web server was called server2 and the folder share name you created for the CRL was called CRL, you would type file://\\server2\CRL\<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl
  7. Ensure that only the following options are selected for this new entry:
    • Publish CRLs to this location
    • Publish Delta CRLs to this location
  8. If you are prompted to restart Active Directory Certificate Services, click Yes.
  9. After the computer has restarted, load Certification Authority, expand your CA, right-click Revoked Certificates, click All Tasks, and then click Publish.
  10. On the Publish CRL popup dialog box, ensure that New CRL is selected, and then click OK.  If you do not see an error, check the folder on the Web server and confirm that it now contains one or more files with .crl extensions.  If you do see an error, it is likely that there is a syntax error or permissions error that must be corrected before the CRL can be published to the separate Web server.

 

To specify the separate Web server as a CDP

  1. On the CA server, load Certification Authority, right-click your CA, select Properties, and then click the Extensions tab.
  2. Ensure that CRL Distribution Point (CDP) is selected, and then click Add.
  3. In the Add Location dialog box, type the following and then click OK: http://<FQDN_of_Web_Server>/<CRL_directory_name>/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl  For example, if your Web server was called server2.contoso.com and the virtual directory you created in IIS was called crl, you would type http://server2.contoso.com/crl/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl
  4. Ensure that the following options are selected for this new entry:
    • Include in CRLs. Clients use this to find Delta CRL locations.
    • Include in the CDP extension of issued certificates
  5. Click OK.  If you are prompted to restart Active Directory Certificate Services, click Yes.

 

To confirm CRL access

  1. From a computer on the same network as the separate Web server, load a browser and type in the same CRL path that you specified in step 3 of the procedure "To specify the separate Web server as a CDP".  For example, if your Web server was called server2.contoso.com and the virtual directory you created in IIS was called crl, and your CA name was Contoso Root CA, you would type http://server2.contoso.com/crl/contoso root ca.crl for the base CRL, and type http://server2.contoso.com/crl/contoso root ca+.crl for the delta CRL.
  2. You should see a File Download dialog box, asking you whether you want to open or save this file.  Click Open.
  3. You should now see the Certificate Revocation List with a General tab and a Revocation List tab.  On the General tab, the value for Issuer will be your CA server. On the Revocation List tab you will see any certificates that have been revoked by the CA.
  4. Click OK.

 

To confirm new certificates contain new CDP

  1. Request and issue a new certificate after you have completed the procedure "To specify the separate Web server as a CDP".
  2. On the requesting computer, load the Certificates MMC and locate the newly installed certificate.
  3. Double-click the certificate to view its properties.
  4. Click the Details tab and click the field CRL Distribution Points.
  5. View the values in this field.  There will be multiple CRL distribution points listed so scroll down until you see the HTTP CRL distribution point that you added (for example:  URL=http://server2.contoso.com/crl/Contoso%20Root%20CA.crl )
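
The two confirmation procedures above can also be run from a prompt. This is an added example, not part of the original post: it reads the CRL Distribution Points extension from an exported certificate, then downloads and decodes the base CRL and the delta CRL (base name plus "+"). The parameter names and the exported .cer file are assumptions, and the "URL=" text format is the one shown in step 5.

```powershell
# Added example: confirm that an issued certificate carries the new HTTP CDP
# and that the CRL files behind it download and decode.
param(
    [Parameter(Mandatory)] [string]$CertPath,       # assumption: exported .cer of a newly issued certificate
    [string]$ExpectedHost = 'server2.contoso.com'   # example FQDN used in the procedures
)
$ErrorActionPreference = 'Stop'

$full = (Resolve-Path -LiteralPath $CertPath).Path
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $full

# 2.5.29.31 is the CRL Distribution Points extension shown on the Details tab.
$cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
if (-not $cdp) { throw 'Certificate has no CRL Distribution Points extension.' }

# Format($true) returns the multi-line "URL=..." text that the certificate dialog displays.
$urls = [regex]::Matches($cdp.Format($true), 'URL=(http://\S+)') |
    ForEach-Object { $_.Groups[1].Value }
if (-not ($urls | Where-Object { ([uri]$_).Host -eq $ExpectedHost })) {
    throw "No HTTP CDP on $ExpectedHost found in the certificate."
}

foreach ($base in $urls) {
    # Delta CRL file name = base name plus '+', as produced by <DeltaCRLAllowed>.
    $delta = $base -replace '\.crl$', '+.crl'
    foreach ($url in @($base, $delta)) {
        $tmp = Join-Path $env:TEMP ([guid]::NewGuid().ToString() + '.crl')
        try {
            Invoke-WebRequest -Uri $url -OutFile $tmp -UseBasicParsing
            # certutil decodes the file; a non-zero exit code means it is not a valid CRL.
            $dump = certutil.exe -dump $tmp
            if ($LASTEXITCODE -ne 0) { throw 'downloaded file is not a decodable CRL' }
            "OK    $url"
            $dump | Select-String -Pattern 'ThisUpdate|NextUpdate' |
                ForEach-Object { '      ' + $_.Line.Trim() }
        }
        catch { "FAIL  $url : $($_.Exception.Message)" }
        finally { Remove-Item -LiteralPath $tmp -ErrorAction SilentlyContinue }
    }
}
```

A FAIL on only the "+.crl" URL means either that delta CRLs are not being published to the CDP or that the Web server is rejecting the plus sign; IIS 7 and later do this by default through request filtering until double escaping is allowed for the virtual directory.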

--Carol Bailey

This posting is provided "AS IS" with no warranties, and confers no rights.

  • Just in case you missed it, Carol Bailey has another fantastic post over on this System Center Configuration

  • hi carol,
    thank you for this great blog!
    but I have one question: how (where) can I specify the http url for the DELTA crl??? I'm able to auto-update the full crl on a web server, but the delta crl is always trying to connect to the standard http url... is there a possibility to change this?
    best regards
    thomas t.

  • Thanks for your feedback Thomas, and I'm sorry it's taken me a while to investigate this.  To publish the delta CRL, the instructions were missing the variable <DeltaCRLAllowed> in the paths, and I've now added this and updated the instructions.
    As a rule, I'm not fond of adding variables in documentation when they are not needed for basic functionality, but this one is needed for delta CRLs.  I also added <CaName> so that you can publish CRLs from different CAs into the same location (for example, you have a tiered CA hierarchy), and <CRLNameSuffix> according to best practices (http://technet.microsoft.com/en-us/library/dd379469(WS.10).aspx).

  • That's:
    http://<FQDN_of_Web_Server>/<CRL_directory_name>/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl

  • Carol,  Excellent post.  What about the AIA?  Does it also need to be accessible over the internet for clients that cannot access the AIA publication location within the intranet?
    Thanks,
    Josh

  • Hello tomt!
    > how (where) can I specify the http url for the DELTA crl???
    To the CRL file name just add the option <DeltaCRLAllowed>. This will add a plus sign ('+') to the Delta CRL. This option instructs the server to publish 2 (instead of 1) CRL files. Both CRLs will have the same name but the Delta CRL file will contain a plus sign.

  • > Does it also need to be accessible over the internet for clients that cannot access the AIA publication location within the intranet?
    Yes. However, I don't think it is necessary to change the AIA extension, because usually a CA has certificates with 5 or more years of validity. So you may manually copy CA certs to the remote server.
    Also, I have another comment for this post. Consider implementing an OCSP responder on the Web server. This will decrease the load on the Web server (in cases where your CRL size is more than 10-20kb).

  • I am wondering if we can automatically publish the CRL through http instead of file share?

  • Hi,
    Is there a way to automatically copy the CRL file to the web server through HTTP, instead of file share?

  • What if the web server is in a separate forest?  Anything special I need to do?  I am getting an error:  AD CS Error: "The directory name is invalid." 0x8007010b (WIN32/HTTP:267)

  • When I configure Internet-based site systems for SCCM, do DP, SUP need to publish the CRL?

  • bravo !