How to Publish the CRL on a Separate Web Server

re: How to Publish the CRL on a Separate Web Server

Jrod — Fri, 03 Feb 2012 00:44:06 GMT

What is the web server is in a separate forest? Anything special I need to do? I am getting an error: AD CS Error: "The directory name is invalid." 0x8007010b (WIN32/HTTP:267)

re: How to Publish the CRL on a Separate Web Server

VaKim — Mon, 19 Sep 2011 11:43:14 GMT

Hi,

Is there a way to automatically copy the CRL file to the web server through HTTP, instead of file share?

re: How to Publish the CRL on a Separate Web Server

VaKim — Fri, 16 Sep 2011 19:53:52 GMT

I am wondering if we can automatically publish the CRL through http instead of file share?

re: How to Publish the CRL on a Separate Web Server

Vadims Podans — Thu, 10 Dec 2009 18:13:40 GMT

> Does it also need to be accessible over the internet for clients that cannot access the AIA publication location within the intranet?

yes. However I don't think that this is necessary to change AIA extension, because usually CA has certificates with 5 or more year of validity. So you may manually copy CA certs to remote server.

also I have another comment for this post. Consider to implement OCSP responder on WebServer. This will decrease a load to Web Server (in cases if your CRL size is more than 10-20kb.

re: How to Publish the CRL on a Separate Web Server

Vadims Podans — Thu, 10 Dec 2009 18:05:10 GMT

Hello tomt!

> how (where) can I specify the http url for the DELTA crl???

to CRL file name just add option <DeltaCRLAllowed>. This will add plus sign ('+') to Delta CRL. This option instructs the server to publish 2 (instead of 1) CRL files. Both CRL's will have the same name but DeltaCRL file will contain plus sign.

re: How to Publish the CRL on a Separate Web Server

Josh — Mon, 28 Sep 2009 22:28:23 GMT

Carol, Excellent post. What about the AIA? Does it also need to be accessible over the internet for clients that cannot access the AIA publication location within the intranet?

Thanks,

Josh

re: How to Publish the CRL on a Separate Web Server

Founda — Wed, 19 Aug 2009 20:41:01 GMT

Thats:

http://<FQDN_of_Web_Server>/<CRL_directory_name>/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl

re: How to Publish the CRL on a Separate Web Server

Carol Bailey - MSFT — Thu, 13 Aug 2009 04:24:53 GMT

Thanks for your feedback Thomas, and I'm sorry it's taken me a while to investigate this. To publish the delta CRL, the instructions were missing the variable <DeltaCRLAllowed> in the paths, and I've now added this and updated the instructions.

As a rule, I'm not fond of adding variables in documentation when they are not needed for basic functionality, but this one is needed for delta CRLs. I also added <CaName> so that you can publish CRLs from different CAs into the same location (for example, you have a tiered CA hierarchy), and <CRLNameSuffix> according to best practices (http://technet.microsoft.com/en-us/library/dd379469(WS.10).aspx).

re: How to Publish the CRL on a Separate Web Server

thomas torggler — Fri, 12 Jun 2009 16:29:58 GMT

hi carol,

thank you for this great blog!

but I have one question: how (where) can I specify the http url for the DELTA crl??? I'm able to auto-update the full crl on a web server, but the delta crl is always trying to connect to the standard http url... is there a possibility to change this?

best reguards

thomas t.

How to Publish the CRL on a Separate Web Server

The Configuration Manager Support Team Blog — Tue, 05 May 2009 16:06:47 GMT

Just in case you missed it, Carol Bailey has another fantastic post over on this System Center Configuration