Windows Certificate Services – Setting up a CRL

KB ID 0000957

Problem

One of the often overlooked tasks of a PKI deployment is setting your Certificate Services CRL. For smaller deployments, with only one server then you don’t have to worry about how this will be designed (though a CRL does not have to be hosted on a Certificate Services server). In my test environment I only have one PKI server so everything will be going on that one box, In more complex environments you may have multiple root and subordinate PKI servers writing to your CRL (you may even have multiple CRL’s).

Solution

I would consider this a ‘post’ certificate services install task, so I’m assuming you already have that installed and configured.

1. Launch the Certification Authority management console > Right click the server-name > Properties > Extensions tab.

2. With CRL selected > Add > Type into the location http://crl.{your-domain-name}.{your-domain-extension}/crld

Note: You can use https:// but you may need to add a certificate in IIS manager and select ‘require TLS’ for the crld virtual directory.

3. In the variable section, select then ‘Insert’ the following onto the end of the URL;

  • <CaName>
  • <CRLNameSuffix>
  • <DeltaCRLAllowed>

Finally end the URL with .crl > OK.

Note: Is ‘should’ look like http://{FQDN-Of-Server}/crld/<CAName><CRLNameSuffix><DeltaCRLAllowed>.crl

4. With the CRL entry you have just created selected > Enable the following two options;

  • Include in CRL’s. Clients use this to find Delta CRL locations.
  • Include in the CDP extension of issues certificates.

Apply > OK > Yes.

5. Change the ‘Select extension’ drop down to ‘CRL Distribution Point (CDP)’ > Add > Type in a UNC path as follows ‘{Server-name}crldist$ > Then select and inset the variables onto the end of the path, (like you did above);

  • <CaName>
  • <CRLNameSuffix>
  • <DeltaCRLAllowed>

And then (as above) add .crl onto the end of the path > OK.

6. With the CDP selected > Select the following options;

  • Publish CRL’s to this location
  • Publish Delta CRL’s to this location

Apply > OK > Yes.

Windows DNS Requirements for CRL

7. So that your clients can resolve the name of the CRL you have just created, they need to be able to resolve the name you just created. On your DNS server open the DNS management console > Expand server-name > Forward Lookup Zones > {your-domain-name} > Right click > New Host (A or AAAA) > name crl > IP address = The IP address of the IIS server that will host the CRL > Add Host > Close DNS Manager.

Windows IIS Requirements for CRL

8. On the web server, open the Internet Information Services (IIS) Manager console > Expand and select your server-name > right click > Add Virtual Directory >Set the alias to CRLD.

Note: in IIS URL’s are not case sensitive.

9. Under ‘Physical path’ select the browse button > Select the C: Drive, (or another drive if you wish) > Make New Folder > Call the folder CRLDist > OK > OK.

10. Select server-name > Directory Browsing

Note: If you are serving other services from this web server, you might wish to only set directory browsing on the CRLD virtual directory.

11. Enable.

12. Select the CRLD directory (Click refresh if you cant see it) > Configuration Editor.

13. Navigate to System.webServer > security > RequestFiltering.


Note: On older versions of IIS, it’s under ‘System.webServer > security > authentication > RequestFiltering.’

14. Change allowDoubleEscaping to ‘True’ > Apply.

Windows Folder Permission Requirements for CRL

15. Navigate to the folder you just created (i.e C:CRLDist) > Right Click > Properties > Sharing > Advanced Sharing > Select ‘Share this folder’ > Add a dollar symbol to the end of its name i.e. CRLDist$.

Note: This simply creates a ‘hidden’ share, that cannot be seen when browsing the server shares.

Note: In Addition, Set the Windows NTFS Permissions for the Server(s) to Full Control also.

16. Permissions > Object Types > Add in Computers > OK > Enter the name of the server(s) that need to write to the CRL > OK.

17. Grant the Full Control permission to the sever(s) you just added > Apply > OK.

18. Back at the Certificate Services server > Launch the Certification Authority management console > Revoked Certificates > Right click > All Tasks > Publish > New CRL > OK.

19. If you check the folder you created earlier, you will see it now contains the CRL files.

Related Articles, References, Credits, or External Links

Microsoft Certificate Services Configuring OCSP

Publish CRL Error – Access Denied 0x80070005