With the previous parts on AD CS complete, our virtual test lab is ready for certificate issuance from the 2-tier PKI now in place.
Moreover, with the subordinate CA and its Web Enrollment application, this process becomes even more robust.
However, in a real scenario, what do you do if a certificate becomes untrustworthy as a security credential before its scheduled expiration
(the certificate subject's private key is compromised, the root CA is hacked, or the name of the certificate subject simply changes)?
[00:11] It's time to use the CRL Distribution Point (CDP) extension to tell clients and servers where to retrieve the certificate revocation list (CRL) of revoked certificates, so that the associated subjects can be isolated.
I put this episode about "Publishing the Certificate Revocation List" right after "Installing and Configuring Active Directory Certificate Services Server Role" to remind you that this information is embedded into certificates when they are issued, so the CDP extension must be configured properly beforehand.
Otherwise, you must re-issue all of them using extra superseding templates.
[00:22] Moreover, in production, this process must happen as soon as possible, because we are dealing with compromises, attacks and security.
[00:26] First of all, let's examine the default CDPs and configure the certificate revocation list publication interval.
[00:34] For instance, on this standalone root CA running Windows Server 2008 R2, open the Certification Authority (certsrv) console.
Then navigate to the Extensions tab of the server's Properties.
[00:40] Select the extension "CRL Distribution Point (CDP)"; here you can observe or specify the locations from which users obtain a certificate revocation list (CRL).
[00:47] "Configuring Certificate Revocation" – technet.microsoft.com
By default, the AIA (.crt) file is saved under \\SnoOpy-Server\c$\Windows\System32\certsrv\CertEnroll. If you don't modify the default CDP (CRL Distribution Point) settings, the .crl files are stored in this folder as well.
[01:41] "Specify CRL Distribution Points" – technet.microsoft.com
[01:49] "Windows Server 2008 PKI and Certificate Security" – books.google.com
[01:54] The next one is LDAP; this distribution point is integrated with Active Directory so that redundancy and availability can be achieved.
[02:16] Nowadays, the file:// protocol for delivering CRLs is deprecated;
http:// should be the first choice because it is compatible with almost every OS platform and does not depend on AD.
You can see that these URLs are built from variables: CaName, CRLNameSuffix, DeltaCRLAllowed, ServerShortName, etc.
Note: regardless of what type of PKI you deploy or how many CAs make up your PKI, the CDP is unique to the CA that issues the certificate. For that reason, the variables used in the CDP definition will always resolve to the CA that issued the certificate, regardless of the literal values the CDP variables represent.
[02:31] "Creating a Certificate Revocation List Distribution Point for Your Internal Certification Authority" – blogs.technet.microsoft.com
You can add CDP locations and then decide which publishing components to enable for them later with these checkboxes.
Note that, depending on the characteristics of each protocol, not all of these options are available (some are greyed out).
"Publish CRLs to this location": enables publishing to this place.
(Identifies locations to which the CA automatically publishes the physical CRL files.)
"Include in all CRLs. Specifies where to publish in the Active Directory when publishing manually": only available for ldap://; it forces the other CRLs to include the AD location for further integration and hints clients to look up this ldap:// location in case the first one fails.
"Include in all CRLs. Clients use this to find Delta CRL locations": places a URL for delta CRL retrieval in a base CRL. This publication point is stored in the freshest CRL extension of a CRL and is retrieved only during the CRL checking process.
"Include in the CDP extension of issued certificates": places a URL in the CDP extension of certificates issued by the CA, allowing the relying party's certificate chaining engine to download the latest CRL version if the current version has expired.
[02:53] "Publish Delta CRLs to this location": If the CA is configured to enable delta CRLs, the delta CRL files are automatically published to this location.
"Include in the IDP extension of issued CRLs": used by non-Windows clients to determine the scope of the CRL. The scope can include end-entity certificates only, CA certificates only, attribute certificates only, or a limited set of reason codes.
To schedule the publication of the CRL:
1. Open the Certification Authority snap-in.
2. In the console tree, click Revoked Certificates.
3. On the Action menu, click Properties.
4. In CRL publication interval, type the increment and click the unit of time to use for automatic publishing of the CRL.
You must establish a regular publication schedule for certificate revocation data so that a highly accurate certificate revocation list (CRL) is always available to clients.
Remember that we are working with the hierarchical PKI of our AD domain, so the certsrv console on the Root CA is used to manage the subordinate CAs (Tier 1), and we use the SCAs to manage the end clients of the security infrastructure.
[03:01] "Schedule Publication of Certificate Revocation Lists" – technet.microsoft.com
[03:03] "Test Lab Guide: Deploying an AD CS Two-Tier PKI Hierarchy" – technet.microsoft.com
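The CDP checkboxes and the publication interval above, set from the CA's command line instead of the console, as an added example that is not part of the original video. The HTTP host pki.example.local, the test certificate path and the chosen intervals are assumptions; the flag bits and variable numbers are certutil's own.

```powershell
# Added example: configure the CDP extension and CRL publication interval on the CA
# with certutil, restart the service, publish a CRL and verify the result.
# Each entry is "flags:URL"; the flag bits correspond to the certsrv checkboxes:
#   1   Publish CRLs to this location
#   2   Include in the CDP extension of issued certificates
#   4   Include in all CRLs. Clients use this to find Delta CRL locations
#   8   Include in all CRLs. Specifies where to publish in the AD when publishing manually
#   64  Publish Delta CRLs to this location
#   128 Include in the IDP extension of issued CRLs
# Variables: %2 ServerShortName, %3 CaName, %6 ConfigurationContainer,
#            %7 CATruncatedName, %8 CRLNameSuffix, %9 DeltaCRLAllowed, %10 CDPObjectClass

$localPath = '65:C:\Windows\System32\certsrv\CertEnroll\%3%8%9.crl'     # 1 + 64: publish base and delta here
$httpCdp   = '6:http://pki.example.local/CertEnroll/%3%8%9.crl'         # 2 + 4: what clients see (assumed host)
$ldapCdp   = '79:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10'  # 1+2+4+8+64

# certutil splits the value on the literal "\n"; file:// entries are left out on purpose
certutil -setreg CA\CRLPublicationURLs "$localPath\n$httpCdp\n$ldapCdp"

# Base CRL weekly, delta CRL daily, with a one-day overlap so the previous CRL
# stays valid while the new one propagates to the HTTP and LDAP locations
certutil -setreg CA\CRLPeriodUnits 1
certutil -setreg CA\CRLPeriod "Weeks"
certutil -setreg CA\CRLDeltaPeriodUnits 1
certutil -setreg CA\CRLDeltaPeriod "Days"
certutil -setreg CA\CRLOverlapUnits 1
certutil -setreg CA\CRLOverlapPeriod "Days"

Restart-Service certsvc   # registry changes take effect only after the CA service restarts
certutil -crl             # publish a fresh CRL now to every location flagged with 1 or 64

# Verify: the dump should list the three entries with the flags above, and -urlfetch
# should report the CRL as retrievable from the HTTP location for a freshly issued cert
certutil -getreg CA\CRLPublicationURLs
certutil -verify -urlfetch "C:\PLACEHOLDER\issued-test-cert.cer"   # placeholder path
```

Certificates issued before this change still carry the old CDP URLs, which is exactly why the extension has to be right before the subordinate CA starts issuing.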
We now know what CDPs and CRLs are, how to configure them, and how they relate in a properly built PKI.
The next part, "Publish the certificate revocation list manually", will help you in that situation, along with further notes on CRL configuration.