Windows Certificate Services – Setting up a CRL

KB ID 0000957

Problem

One of the often overlooked tasks of a PKI deployment is setting up your Certificate Services CRL. For smaller deployments with only one server, you don’t have to worry about how this will be designed (though a CRL does not have to be hosted on a Certificate Services server). In my test environment I only have one PKI server, so everything will be going on that one box. In more complex environments you may have multiple root and subordinate PKI servers writing to your CRL (you may even have multiple CRLs).

Solution

I would consider this a ‘post’ certificate services install task, so I’m assuming you already have that installed and configured.

1. Launch the Certification Authority management console > Right click the server-name > Properties > Extensions tab.

PKI Properties

2. With CRL selected > Add > Type into the location http://crl.{your-domain-name}.{your-domain-extension}/crld

Note: You can use https:// but you may need to add a certificate in IIS manager and select ‘require TLS’ for the crld virtual directory.

Correct CRL URL

3. In the Variable section, select each of the following in turn and click ‘Insert’ to append it to the end of the URL;

  • <CaName>
  • <CRLNameSuffix>
  • <DeltaCRLAllowed>

Finally end the URL with .crl > OK.

Note: It should look like http://{FQDN-Of-Server}/crld/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl

http CRL Path

4. With the CRL entry you have just created selected > Enable the following two options;

  • Include in CRLs. Clients use this to find Delta CRL locations.
  • Include in the CDP extension of issued certificates.

Apply > OK > Yes.

Delta CRL

5. Change the ‘Select extension’ drop-down to ‘CRL Distribution Point (CDP)’ > Add > Type in a UNC path as follows: \\{Server-name}\crldist$ > Then select and insert the variables onto the end of the path (as you did above);

  • <CaName>
  • <CRLNameSuffix>
  • <DeltaCRLAllowed>

And then (as above) add .crl onto the end of the path > OK.

CRL Distribution Point

6. With the CDP selected > Select the following options;

  • Publish CRLs to this location
  • Publish Delta CRLs to this location

Apply > OK > Yes.

Publish CRL Windows 2012

Windows DNS Requirements for CRL

7. So that your clients can locate the CRL, they need to be able to resolve the host name you used in its URL (crl.{your-domain-name}). On your DNS server open the DNS management console > Expand server-name > Forward Lookup Zones > {your-domain-name} > Right click > New Host (A or AAAA) > Name = crl > IP address = the IP address of the IIS server that will host the CRL > Add Host > Close DNS Manager.

DNS entry for CRL

Windows IIS Requirements for CRL

8. On the web server, open the Internet Information Services (IIS) Manager console > Expand and select your server-name > Right click > Add Virtual Directory > Set the alias to CRLD.

Note: In IIS, URLs are not case sensitive.

CRL Virtual Directory in IIS

9. Under ‘Physical path’ select the browse button > Select the C: Drive, (or another drive if you wish) > Make New Folder > Call the folder CRLDist > OK > OK.

CRL Folder

10. Select server-name > Directory Browsing

Note: If you are serving other services from this web server, you might wish to only set directory browsing on the CRLD virtual directory.

IIS 2012 Directory Browsing

11. Enable.

Enable Web Directory Browsing in IIS8

12. Select the CRLD directory (click Refresh if you can’t see it) > Configuration Editor.

IIS Configuration Editor

13. Navigate to System.webServer > security > RequestFiltering.

Request Filtering Updated

Note: On older versions of IIS, it’s under ‘System.webServer > security > authentication > RequestFiltering.’

Edit Virtual Directory

14. Change allowDoubleEscaping to ‘True’ > Apply.

allowDoubleEscaping

Windows Folder Permission Requirements for CRL

15. Navigate to the folder you just created (i.e. C:\CRLDist) > Right click > Properties > Sharing > Advanced Sharing > Select ‘Share this folder’ > Add a dollar symbol to the end of its name, i.e. CRLDist$.

Note: This simply creates a ‘hidden’ share that is not listed when browsing the server’s shares.

CRL Share

Note: In addition, set the Windows NTFS permissions for the server(s) to Full Control as well.

16. Permissions > Object Types > Add in Computers > OK > Enter the name of the server(s) that need to write to the CRL > OK.

CRL Share Permissions

17. Grant the Full Control permission to the server(s) you just added > Apply > OK.

Server Permissions for CRL

18. Back at the Certificate Services server > Launch the Certification Authority management console > Revoked Certificates > Right click > All Tasks > Publish > New CRL > OK.

Publish a CRL IIS8

19. If you check the folder you created earlier, you will see it now contains the CRL files.

CRL Files
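The whole procedure above as an added PowerShell example (not part of the original KB), run from an elevated prompt on the CA. The domain (corp.example.com), host names (PKI01, DC01), IP address and IIS site name are assumptions; the variable suffix on the URLs is the one the console inserts in steps 3 and 5.

```powershell
# Added example: the GUI steps of this KB as PowerShell. Assumed names throughout:
# domain corp.example.com, CA + IIS host PKI01 (192.0.2.10), DNS server DC01.
Import-Module ADCSAdministration, DnsServer, WebAdministration, SmbShare

$Zone      = 'corp.example.com'
$DnsServer = 'DC01'
$WebIp     = '192.0.2.10'                 # IIS server that hosts the CRL
$CrlDir    = 'C:\CRLDist'
$CaHosts   = @('CORP\PKI01$')             # CA computer account(s) that write the CRL
$Suffix    = '<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl'

# Steps 1-4: HTTP CDP that clients fetch. Plain HTTP is deliberate: a CRL served over
# HTTPS would itself require a revocation check of the web server's certificate.
Add-CACrlDistributionPoint -Uri "http://crl.$Zone/crld/$Suffix" `
    -AddToCertificateCdp -AddToFreshestCrl -Force

# Steps 5-6: UNC location the CA publishes base and delta CRLs to.
Add-CACrlDistributionPoint -Uri "\\PKI01\crldist$\$Suffix" `
    -PublishToServer -PublishDeltaToServer -Force

# Step 7: A record so clients can resolve crl.<domain>.
Add-DnsServerResourceRecordA -ComputerName $DnsServer -ZoneName $Zone -Name 'crl' -IPv4Address $WebIp

# Steps 8-14: folder, virtual directory, directory browsing, allowDoubleEscaping
# (delta CRL file names contain '+', which request filtering otherwise rejects as a
# double-escaped request when it arrives URL-encoded).
New-Item -ItemType Directory -Path $CrlDir -Force | Out-Null
New-WebVirtualDirectory -Site 'Default Web Site' -Name 'CRLD' -PhysicalPath $CrlDir
$Vdir = 'IIS:\Sites\Default Web Site\CRLD'
Set-WebConfigurationProperty -PSPath $Vdir -Filter 'system.webServer/directoryBrowse' `
    -Name 'enabled' -Value $true
Set-WebConfigurationProperty -PSPath $Vdir -Filter 'system.webServer/security/requestFiltering' `
    -Name 'allowDoubleEscaping' -Value $true

# Steps 15-17: hidden share and NTFS Full Control, granted only to the CA computer account(s).
New-SmbShare -Name 'CRLDist$' -Path $CrlDir -FullAccess $CaHosts | Out-Null
foreach ($h in $CaHosts) { icacls $CrlDir /grant "$($h):(OI)(CI)F" | Out-Null }

# Step 18: extension changes take effect after a restart of the CA service; then publish.
Restart-Service certsvc
certutil -crl

# Step 19 / check: the CRL files exist and the base CRL parses with a NextUpdate value.
Get-ChildItem $CrlDir -Filter '*.crl'
Get-ChildItem $CrlDir -Filter '*.crl' |
    ForEach-Object { certutil -dump $_.FullName | Select-String 'NextUpdate' }
```

To confirm the CDP from a client, run `certutil -verify -urlfetch` against a certificate issued after the change and check that the CRL is retrieved from the http://crl.corp.example.com/crld/ URL.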

Related Articles, References, Credits, or External Links

Microsoft Certificate Services Configuring OCSP

Publish CRL Error – Access Denied 0x80070005

Author: Migrated
