CRL Distribution Point on http://pki.companyname.com/certdata

  • Thread starter Thread starter booster
  • Start date Start date
B

booster

Guest
Hello

Just installed a 2 tier PKI with Offline Root CA and 1 online issuing CA
with the WebComponents.

Everything works, PKI View ist all Green.

But, what if a new CRL is published ? LDAP publishing works, the new CRL is
published.
The http location is not updated, it's a manually created directory and
available on the IIS as virtual directory. the *.crl's are not updated there,
do i have to copy the new published crls from
c:\windows\system32\certsrv\certenroll ???

Or did i miss something ?

Regards.

booster
--
~~~~~~~~~~~~~~~~~~~~
...is an MCSE 2003 and MCDBA
~~~~~~~~~~~~~~~~~~~~
 
Re: CRL Distribution Point on http://pki.companyname.com/certdata

If I am not mistaken, you are indeed obligated to manually publish it. I am
not aware of an automated manner with an offline root, so pleace correct me
when I'm wrong. You can however, always automate it yourself with scripting
if the machine is still physically connected to the LAN, but with the
certificate services stopped, or even powered down, but of course this
lowers the level of trust for your CA compared with a fully offline and
possibly vaulted offline root CA.

In order to update the CRL you can indeed copy the CRL from
\%windir%\system32\CertSrv\CertEnroll\CAname.crl to your distribution
points. It is best to make this a recurring task, and to include this in
your Certificate Practice Statement.

--

Jon Holvoet
MCSA / MCSE Security
Comptia Security+
CISSP


"booster" <booster@discussions.microsoft.com> wrote in message
news:ADFD5604-AD56-4A11-A827-B7AD3AC89F93@microsoft.com...
> Hello
>
> Just installed a 2 tier PKI with Offline Root CA and 1 online issuing CA
> with the WebComponents.
>
> Everything works, PKI View ist all Green.
>
> But, what if a new CRL is published ? LDAP publishing works, the new CRL
> is
> published.
> The http location is not updated, it's a manually created directory and
> available on the IIS as virtual directory. the *.crl's are not updated
> there,
> do i have to copy the new published crls from
> c:\windows\system32\certsrv\certenroll ???
>
> Or did i miss something ?
>
> Regards.
>
> booster
> --
> ~~~~~~~~~~~~~~~~~~~~
> ..is an MCSE 2003 and MCDBA
> ~~~~~~~~~~~~~~~~~~~~
>
 
Re: CRL Distribution Point on http://pki.companyname.com/certdata

Thank you Jon,
that's what i suspected.
Of course, the CRL of the offline RootCA has to be published manually. We
will do this every 180 days.

Anyway, the CRL of the online issuing CA is published every 12 hours, and
this publishing works fine for LDAP publishing.
And i think, the publishing of the "public" http adress has to be done with
a scheduled script...

Other inputs out there ?

booster
~~~~~~~~~~~~~~~~~~~~
...is an MCSE 2003 and MCDBA
~~~~~~~~~~~~~~~~~~~~



"Jon Holvoet" wrote:

> If I am not mistaken, you are indeed obligated to manually publish it. I am
> not aware of an automated manner with an offline root, so pleace correct me
> when I'm wrong. You can however, always automate it yourself with scripting
> if the machine is still physically connected to the LAN, but with the
> certificate services stopped, or even powered down, but of course this
> lowers the level of trust for your CA compared with a fully offline and
> possibly vaulted offline root CA.
>
> In order to update the CRL you can indeed copy the CRL from
> \%windir%\system32\CertSrv\CertEnroll\CAname.crl to your distribution
> points. It is best to make this a recurring task, and to include this in
> your Certificate Practice Statement.
>
> --
>
> Jon Holvoet
> MCSA / MCSE Security
> Comptia Security+
> CISSP
>
>
> "booster" <booster@discussions.microsoft.com> wrote in message
> news:ADFD5604-AD56-4A11-A827-B7AD3AC89F93@microsoft.com...
> > Hello
> >
> > Just installed a 2 tier PKI with Offline Root CA and 1 online issuing CA
> > with the WebComponents.
> >
> > Everything works, PKI View ist all Green.
> >
> > But, what if a new CRL is published ? LDAP publishing works, the new CRL
> > is
> > published.
> > The http location is not updated, it's a manually created directory and
> > available on the IIS as virtual directory. the *.crl's are not updated
> > there,
> > do i have to copy the new published crls from
> > c:\windows\system32\certsrv\certenroll ???
> >
> > Or did i miss something ?
> >
> > Regards.
> >
> > booster
> > --
> > ~~~~~~~~~~~~~~~~~~~~
> > ..is an MCSE 2003 and MCDBA
> > ~~~~~~~~~~~~~~~~~~~~
> >
>
>
>
 
Re: CRL Distribution Point on http://pki.companyname.com/certdata

I have always done it with a scheduled tasks

Base CRL:

certutil -crl
sleep 5
Copy %windir%\system32\certsrv\certenroll\*.cr? \\targetserver\share

Delta CRL:

certutil -crl delta
sleep 5
Copy %windir%\system32\certsrv\certenroll\*.cr? \\targetserver\share

Here are the caveats:
1) The account that runs the scheduled tasks must be
- Assigned the Manage CA permission at the CA (allows publication of a new
CRL
- Be assigned write permissions to the share on the target server
- Be assigned Read and Modify NTFS permissions

2) You can use *any* transfer protocol. We have used SSH, RCP, SCP, FTP,
Robocopy, Xcopy, Copy for the transfer line. You just need to set it up to
meet the security requirements of your org. It does not have to be copied to
a windows server.

3) Set the scheduled task to execute at your required CRL publication
interval.

Brian

"booster" <booster@discussions.microsoft.com> wrote in message
news:DA9B94F1-B9D0-4F17-9F73-603949471408@microsoft.com...
> Thank you Jon,
> that's what i suspected.
> Of course, the CRL of the offline RootCA has to be published manually. We
> will do this every 180 days.
>
> Anyway, the CRL of the online issuing CA is published every 12 hours, and
> this publishing works fine for LDAP publishing.
> And i think, the publishing of the "public" http adress has to be done
> with
> a scheduled script...
>
> Other inputs out there ?
>
> booster
> ~~~~~~~~~~~~~~~~~~~~
> ..is an MCSE 2003 and MCDBA
> ~~~~~~~~~~~~~~~~~~~~
>
>
>
> "Jon Holvoet" wrote:
>
>> If I am not mistaken, you are indeed obligated to manually publish it. I
>> am
>> not aware of an automated manner with an offline root, so pleace correct
>> me
>> when I'm wrong. You can however, always automate it yourself with
>> scripting
>> if the machine is still physically connected to the LAN, but with the
>> certificate services stopped, or even powered down, but of course this
>> lowers the level of trust for your CA compared with a fully offline and
>> possibly vaulted offline root CA.
>>
>> In order to update the CRL you can indeed copy the CRL from
>> \%windir%\system32\CertSrv\CertEnroll\CAname.crl to your distribution
>> points. It is best to make this a recurring task, and to include this in
>> your Certificate Practice Statement.
>>
>> --
>>
>> Jon Holvoet
>> MCSA / MCSE Security
>> Comptia Security+
>> CISSP
>>
>>
>> "booster" <booster@discussions.microsoft.com> wrote in message
>> news:ADFD5604-AD56-4A11-A827-B7AD3AC89F93@microsoft.com...
>> > Hello
>> >
>> > Just installed a 2 tier PKI with Offline Root CA and 1 online issuing
>> > CA
>> > with the WebComponents.
>> >
>> > Everything works, PKI View ist all Green.
>> >
>> > But, what if a new CRL is published ? LDAP publishing works, the new
>> > CRL
>> > is
>> > published.
>> > The http location is not updated, it's a manually created directory and
>> > available on the IIS as virtual directory. the *.crl's are not updated
>> > there,
>> > do i have to copy the new published crls from
>> > c:\windows\system32\certsrv\certenroll ???
>> >
>> > Or did i miss something ?
>> >
>> > Regards.
>> >
>> > booster
>> > --
>> > ~~~~~~~~~~~~~~~~~~~~
>> > ..is an MCSE 2003 and MCDBA
>> > ~~~~~~~~~~~~~~~~~~~~
>> >
>>
>>
>>
 
Re: CRL Distribution Point on http://pki.companyname.com/certdata

Hello Brian

Thank you very much !
So i was right ;-)

Stephan
--
~~~~~~~~~~~~~~~~~~~~
...is an MCSE 2003 and MCDBA
~~~~~~~~~~~~~~~~~~~~



"Brian Komar" wrote:

> I have always done it with a scheduled tasks
>
> Base CRL:
>
> certutil -crl
> sleep 5
> Copy %windir%\system32\certsrv\certenroll\*.cr? \\targetserver\share
>
> Delta CRL:
>
> certutil -crl delta
> sleep 5
> Copy %windir%\system32\certsrv\certenroll\*.cr? \\targetserver\share
>
> Here are the caveats:
> 1) The account that runs the scheduled tasks must be
> - Assigned the Manage CA permission at the CA (allows publication of a new
> CRL
> - Be assigned write permissions to the share on the target server
> - Be assigned Read and Modify NTFS permissions
>
> 2) You can use *any* transfer protocol. We have used SSH, RCP, SCP, FTP,
> Robocopy, Xcopy, Copy for the transfer line. You just need to set it up to
> meet the security requirements of your org. It does not have to be copied to
> a windows server.
>
> 3) Set the scheduled task to execute at your required CRL publication
> interval.
>
> Brian
>
> "booster" <booster@discussions.microsoft.com> wrote in message
> news:DA9B94F1-B9D0-4F17-9F73-603949471408@microsoft.com...
> > Thank you Jon,
> > that's what i suspected.
> > Of course, the CRL of the offline RootCA has to be published manually. We
> > will do this every 180 days.
> >
> > Anyway, the CRL of the online issuing CA is published every 12 hours, and
> > this publishing works fine for LDAP publishing.
> > And i think, the publishing of the "public" http adress has to be done
> > with
> > a scheduled script...
> >
> > Other inputs out there ?
> >
> > booster
> > ~~~~~~~~~~~~~~~~~~~~
> > ..is an MCSE 2003 and MCDBA
> > ~~~~~~~~~~~~~~~~~~~~
> >
> >
> >
> > "Jon Holvoet" wrote:
> >
> >> If I am not mistaken, you are indeed obligated to manually publish it. I
> >> am
> >> not aware of an automated manner with an offline root, so pleace correct
> >> me
> >> when I'm wrong. You can however, always automate it yourself with
> >> scripting
> >> if the machine is still physically connected to the LAN, but with the
> >> certificate services stopped, or even powered down, but of course this
> >> lowers the level of trust for your CA compared with a fully offline and
> >> possibly vaulted offline root CA.
> >>
> >> In order to update the CRL you can indeed copy the CRL from
> >> \%windir%\system32\CertSrv\CertEnroll\CAname.crl to your distribution
> >> points. It is best to make this a recurring task, and to include this in
> >> your Certificate Practice Statement.
> >>
> >> --
> >>
> >> Jon Holvoet
> >> MCSA / MCSE Security
> >> Comptia Security+
> >> CISSP
> >>
> >>
> >> "booster" <booster@discussions.microsoft.com> wrote in message
> >> news:ADFD5604-AD56-4A11-A827-B7AD3AC89F93@microsoft.com...
> >> > Hello
> >> >
> >> > Just installed a 2 tier PKI with Offline Root CA and 1 online issuing
> >> > CA
> >> > with the WebComponents.
> >> >
> >> > Everything works, PKI View ist all Green.
> >> >
> >> > But, what if a new CRL is published ? LDAP publishing works, the new
> >> > CRL
> >> > is
> >> > published.
> >> > The http location is not updated, it's a manually created directory and
> >> > available on the IIS as virtual directory. the *.crl's are not updated
> >> > there,
> >> > do i have to copy the new published crls from
> >> > c:\windows\system32\certsrv\certenroll ???
> >> >
> >> > Or did i miss something ?
> >> >
> >> > Regards.
> >> >
> >> > booster
> >> > --
> >> > ~~~~~~~~~~~~~~~~~~~~
> >> > ..is an MCSE 2003 and MCDBA
> >> > ~~~~~~~~~~~~~~~~~~~~
> >> >
> >>
> >>
> >>
>
>
 

Similar threads

R
PKI CRL LDAP location exposes infos about internal DS structure toexternal customers
Replies
2
Views
137
S. Pidgorny
S
R
PKI CA CRL Extension: "Inlcude in all CRLs"
Replies
2
Views
135
Reinhard Henke
R
R
ldap distribution point
Replies
0
Views
168
ritchie1230@gmail.com
R
B
Help PKI installation - lots of questions !
Replies
5
Views
227
BZP
B
Back
Top