IIAMWAD-Implementing Identity and Access Management in Windows Server Active Directory

2.5 Publish the Certificate Revocation List manually CDP Base Delta CRL Windows Server 2008 R2 PKI CA

Hello, security administrators!

We have just covered another best practice for our PKI (AD CS) system, preparing CDPs and CRL publishing before going to production, in the episode "Examine the default CDPs and configure the certificate revocation list publication interval".

[00:03] "Configuring Certificate Revocation" – technet.microsoft.com


https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc771079(v=ws.11)

It may look like an optional step in the virtual test lab, but in a real-life PKI it is vital.

It ensures that the subject associated with a certificate is cut off once that certificate is no longer trustworthy.

Although we automated CRL publishing by setting appropriate schedules, in some situations we still need to publish the CRL manually to get its benefits.

[00:14] For instance, open the Certification Authority (certsrv) console on the Standalone Root CA (DC, Windows Server 2008 R2), then navigate to the Revoked Certificates section.

[00:14] "Creating a Two Tier PKI With Windows 2008r2" – blog.ittoby.com


https://blog.ittoby.com/2012/04/creating-two-tier-pki-windows-2008r2.html

There are two types of CRL to publish:

– Regular/Base CRL: a complete CRL, which contains up-to-date revocation information for the CA.

– Delta CRL: an abbreviated CRL, which contains only the revocations added since the last base CRL was published.

In this case, the Publish CRL dialog reports: "The latest published Certificate Revocation List (CRL) is still valid. Clients may not receive a new CRL until after their current one expires."

That is because we have just built the PKI and configured the CDP settings, so a CRL was published at that time.

Moreover, the "Delta CRL only" option is grayed out (or should not be used) when no base CRL has been published yet, or when nothing has changed in Revoked Certificates, because there is nothing for that auxiliary list to contain.

Because CRLs can become large, depending on the number of certificates issued and revoked by a CA, you can also publish smaller, interim CRLs called delta CRLs. Delta CRLs contain only the certificates revoked since the last regular CRL was published. This allows clients to retrieve the smaller delta CRL and more quickly build a complete list of revoked certificates.

[00:34] This process is the same for both Certification Authority types, Enterprise and Standalone.

Let's switch to the subordinate CA (Windows Server 2008 R2).

[00:41] "CRL, Delta CRL and manual publishing in a simple environment" – inetworksteve.com

http://bit.ly/CRL-Delta-manual-publish

[00:44] In the CA Properties, open the Extensions tab and select the CRL Distribution Point (CDP) extension.

[00:46] "Specify CRL Distribution Points" – technet.microsoft.com


https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc753296(v=ws.11)

[00:51] Make sure at least one CDP is configured with "Publish CRLs to this location" and "Publish Delta CRLs to this location."
[00:54] Delta CRLs are not written to the HTTP location, because the CA can only write to file and LDAP locations; an HTTP location is only advertised to clients.
[00:56] "Unexpected DeltaCRL Location Seen" – social.technet.microsoft.com

http://bit.ly/unexpect-deltaCRL-loc-TN

With the LDAP CDP, you can use the options that boost the availability, redundancy and reliability of CRL publishing, as mentioned in the previous episode:

– Include in all CRLs. Specifies where to publish in Active Directory when publishing manually.

– Include in CRLs. Clients use this to find Delta CRL locations.

– Include in the CDP extension of issued certificates.

– Include in the IDP extension of issued CRLs.

Furthermore, the LDAP location is integrated with Active Directory, so every domain controller replicates it.

[01:07] "How to Publish New Certificate Revocation List (CRL) from Offline Root CA to Active Directory and Inetpub" – itcalls.blogspot.com

https://web.archive.org/web/20180928085245/http://itcalls.blogspot.com/2013/08/how-to-publish-new-certificate.html

[01:11] Now, let's publish a Base CRL and then review it over HTTP using Internet Explorer.

[01:26] First, choose "Use recommended security and compatibility settings" in the Set Up Internet Explorer 9 dialog.

[01:35] "Designing CRL Distribution Points and Authority Information Access locations" – sysadmins.lv

https://www.sysadmins.lv/blog-en/designing-crl-distribution-points-and-authority-information-access-locations.aspx

[01:43] First, look in Internet Information Services (IIS) Manager at the ASP application that was created during the subordinate CA (sCA) and Web Enrollment setup.

The CertEnroll folder is where our CRLs are served from.

[02:00] "Configure CRL and Delta CRL Overlap Periods" – technet.microsoft.com

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731104(v=ws.11)

[02:10] Basically, CertEnroll is a virtual directory aliasing C:\Windows\System32\certsrv\CertEnroll, which is why it cannot be found under .\inetpub\wwwroot.

[02:22] Internet Explorer Enhanced Security Configuration is enabled, so we must add the web server's address to the Trusted sites zone.

[02:29] "Certificate Revocation Checking in Windows Vista and Windows Server 2008" – technet.microsoft.com

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ee619730(v=ws.10)

[02:34] "Windows 2008 PKI / Certificate Authority (AD CS) basics" – corelan.be

https://www.corelan.be/index.php/2008/07/14/windows-2008-pki-certificate-authority-ad-cs-basics/

[02:42] "Best Practices Rules and Baselines for Windows Server 2012 AD Certificate Authority" – taos.com

https://web.archive.org/web/20160803063629/https://www.taos.com/2014/03/14/best-practices-rules-and-baselines-for-windows-server-2012-ad-certificate-authority/

A CRL file whose name ends with a "+" sign is a Delta CRL.

(You must allow Double Escaping in IIS Request Filtering so that this file can be downloaded, because IIS rejects the "+" in the URL by default.)

You can open this CRL to see: Version, Issuer, Effective date, Next update, Signature hash algorithm, Authority Key Identifier, CA Version, CRL Number, Next CRL Publish, Published CRL Locations, Delta CRL Indicator.

[02:58] "How to Examine any Certificate Revocation List in Windows with Certutil" – blogs.interfacett.com

https://www.interfacett.com/blogs/how-to-examine-any-certificate-revocation-list-in-windows-with-certutil/

[03:01] We have not revoked any certificate yet, so the Revocation List is empty; otherwise, we could inspect the Serial number, Revocation date, etc. of each revoked certificate.
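The CDP options above and the manual publish-and-inspect walkthrough, as one added PowerShell example (not code from the original page). It assumes an elevated PowerShell on the issuing CA, and the CA name, web host name and site name are placeholders to adjust for your lab.

```powershell
# Added example, not from the original page. Run elevated on the issuing CA.
$caName  = "Corp-Issuing-CA"          # assumed CA common name (placeholder)
$webHost = "pki.corp.example"         # assumed host serving /CertEnroll over HTTP (placeholder)
$enroll  = "$env:windir\System32\certsrv\CertEnroll"

# 1. CDP locations. Each entry is "<flags>:<url>"; the flags are the CDP check boxes:
#      1 = Publish CRLs to this location
#      2 = Include in the CDP extension of issued certificates
#      4 = Include in CRLs (clients use this to find Delta CRL locations)
#      8 = Include in all CRLs (AD location used when publishing manually)
#     64 = Publish Delta CRLs to this location
#    128 = Include in the IDP extension of issued CRLs
#    Local path: base + delta written here (1+64).  LDAP: everything but IDP (1+2+4+8+64).
#    HTTP: advertised only (2+4); the CA never writes to it, IIS serves the local folder.
$cdp = @(
  "65:$enroll\%3%8%9.crl",
  "79:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10",
  "6:http://$webHost/CertEnroll/%3%8%9.crl"
)
certutil -setreg CA\CRLPublicationURLs ($cdp -join "\n")   # certutil treats "\n" as a separator
Restart-Service CertSvc                                     # CDP changes apply after a restart

# 2. Publish manually: "certutil -crl" writes a new base CRL (plus a delta when enabled);
#    "certutil -crl delta" writes only the delta and requires a previously published base.
certutil -crl
certutil -crl delta

# 3. The delta file name ends in "+", which IIS Request Filtering rejects unless
#    double escaping is allowed for the site hosting the CertEnroll virtual directory.
& "$env:windir\system32\inetsrv\appcmd.exe" set config "Default Web Site" `
    /section:system.webServer/security/requestFiltering /allowDoubleEscaping:true

# 4. Fetch both lists over HTTP as a client would, then show the fields discussed above.
$wc = New-Object System.Net.WebClient
foreach ($suffix in "", "+") {
  $local = "$env:TEMP\${caName}${suffix}.crl"
  $wc.DownloadFile("http://$webHost/CertEnroll/${caName}${suffix}.crl", $local)
  "==== ${caName}${suffix}.crl ===="
  certutil -dump $local |
    Select-String "NextUpdate|CRL Number|Next CRL Publish|Delta CRL Indicator|Serial Number"
}
```

If step 4 fails only for the "+" file, Request Filtering is still blocking it; if both fail, check the Trusted sites zone or the CertEnroll virtual directory first.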

Well done, we have just finished the last piece of the foundational theory of Windows Server PKI: CDPs and CRLs.

It is one of the mechanisms that ensures the trustworthiness of certificate subjects, alongside its successor, OCSP.

A single CRL file, together with the components used to build it, plays a big role in ensuring the integrity of the whole PKI!

[03:09] "Public Key Infrastructure Part 8 – OCSP responder" – tech-coffee.net

http://www.tech-coffee.net/public-key-infrastructure-part-8-ocsp-responder/

Do not forget to follow the included links about best practices, step-by-step guides, notes, etc.!

Follow my next series, "Configuring Active Directory Certificate Services Certificates", to see the real application of PKI in production: user issuance requests, auto-enrollment, purpose-specific certificates, etc.
