Hello, you guys, security administrators!
We just discovered another best-practice for our PKI ADCS system about preparing CDPs/CRL publishing before we go production via the episode "Examine the default CDPs and configure the certificate revocation list publication interval".
[00:03] "Configuring Certificate Revocation" – technet.microsoft.com
You may see that it is an optional process in the virtual test lab, but actually, it is a vital key in our PKI real-life functioning.
It helps to ensure a subject which is associated with a certificate will remain isolated when its certificate becomes untrustworthy.
Although we automated the Certificate Revocation List publishing process by setting appropriate schedules, in some situation, we still need to publish the CRL manually so that we can achieve its benefits.
[00:14] For instance, we open the Certificate Authority certsrv console in the Standalone Root CA DC WS 2008 R2; then navigate through the Revoked Certificates section.
[00:14] "Creating a Two Tier PKI With Windows 2008r2" – blog.ittoby.com
There are 2 types of CRL to be published:
– Regular/Base CRL: a complete CRL, which contains up-to-date revocation information for the CA.
– Delta CRL: an abbreviated version of the CRL, which contains only the updates to the CRL that have been made since the last time it was published.
In this case, the Publish CRL dialog will inform that "The latest published Certificate Revocation List (CRL) is still valid. Clients may not receive a new CRL until after their current one expires.
That's because we just built the PKI and configured CDP settings so that a CRL publishing taken place.
Moreover, the Delta CRL only box is grayed out, or you should not build it due to, there is no base CRL has previously been published or simply there are no changes in Revoked Certificates so that it can build that auxiliary list.
Because CRLs can become large, depending on the number of certificates issued and revoked by a CA, you can also publish smaller, interim CRLs called delta CRLs. Delta CRLs contain only the certificates revoked since the last regular CRL was published. This allows clients to retrieve the smaller delta CRL and more quickly build a complete list of revoked certificates.
[00:34] This process remains the same across Certificate Authority types: Enterprise/Standalone.
Let's switch to the subordinate CA WS 2008 R2.
[00:41] "CRL, Delta CRL and manual publishing in a simple environment" – inetworksteve.com
[00:44] Navigate through the Extensions with CRL Distribution Point (CDP) is selected of CA Properties.
[00:46] "Specify CRL Distribution Points" – technet.microsoft.com
[00:51] Make sure at least one CDP is configured with "Publish CRLs/Delta CRLs to this location."
[00:54] The delta CRLs are not written to the location as it is an HTTP location.
[00:56] "Unexpected DeltaCRL Location Seen" – social.technet.microsoft.com
With the LDAP CDP, you can utilize features that can boost availability, redundancy, reliability of our CRL publishing as mentioned in the previous episode:
– Include in all CRLs. Specifies where to publish in the Active Directory when publishing manually.
– Include in CRLs. Clients use this to find Delta CRL locations.
– Include in the CDP extension of issued certificates.
– Include in the IDP extension of issued CRLs.
Furthermore, LDAP is integrated with Active Directory.
[01:07] "How to Publish New Certificate Revocation List (CRL) from Offline Root CA to Active Directory and Inetpub" – itcalls.blogspot.com
[01:11] Now, let's publish a Base CRL then review it through the
http protocol by utilizing Internet Explorer.
[01:26] "Use recommended security and compatibility settings" for the Setup Internet Explorer 9 dialog firstly.
[01:35] "Designing CRL Distribution Points and Authority Information Access locations" – sysadmins.lv
[01:43] Firstly, take a look at Internet Information Services (IIS) Manager to see that an ASP app that was built during sCA+Web Enrollment setup.
A CertEnroll folder is where to access our CRLs.
[02:00] "Configure CRL and Delta CRL Overlap Periods" – technet.microsoft.com
[02:10] Basically, CertEnroll is an alias for C:\Windows\System32\certsrv\CertEnroll so that we can't find on .\inetpub\wwwroot
[02:22] Internet Explorer Enhanced Security Configuration is enabled, and we must add web server's address into the Trusted sites zone.
[02:29] "Certificate Revocation Checking in Windows Vista and Windows Server 2008" – technet.microsoft.com
[02:34] "Windows 2008 PKI / Certificate Authority (AD CS) basics" – corelan.be
[02:42] "Best Practices Rules and Baselines for Windows Server 2012 AD Certificate Authority" – taos.com
Be appended with a "+" sign at the end, we know it is a Delta CRL.
(You must configure IIS to allow DoubleEscaping in Request Filtering so that this file can be downloaded).
You can open this CRL to see: Version, Issuer, Effective date, Next update, Signature hash algorithm, Authority Key Identifier, CA Version, CRL Number, Next CRL Publish, Published CRL Locations, Delta CRL Indicator.
[02:58] "How to Examine any Certificate Revocation List in Windows with Certutil" – blogs.interfacett.com
How to Examine any Certificate Revocation List in Windows with Certutil
[03:01] We have not revoked any certificate yet, so the Revocation List is empty, otherwise, we can inspect Serial number, Revocation date, etc. of Revoked Certificates.
Well done, we just finished the last piece of foundation theories of Windows Server PKI with CDP/CRL.
It is one of the mechanisms to ensure the trustworthy of certificate subjects behind its successor OCSP.
A single CRL file with its related components to build from plays a big role in ensuring the integrity of whole PKI!
[03:09] "Public Key Infrastructure Part 8 – OCSP responder" – tech-coffee.net
Do not forget to follow my included links about best-practices, step-by-step guides, notes, etc.!
Keep track on my next series about "Configuring Active Directory Certificate Services Certificates" to see the real application of PKI in production: user issuance requests, auto enrollments, purposeful certificates, etc.