From LedHed's Wiki
Revision as of 03:57, 25 September 2025
Overview
A CRL Distribution Point (CDP) must be published in a certificate so that the client can verify whether the certificate has been revoked. By default, Active Directory Certificate Services (ADCS) publishes these in LDAP and adds the LDAP paths to the CDP/AIA settings of the certificate template. This is less than ideal because not all devices on the network can query LDAP (and they should not be able to, if you have configured LDAP to require authentication). The solution is to publish the CDP/AIA information on a web (HTTP) server that every device on the network can reach.
Quick -n- Dirty
- Create DNS entries (pki.yourdomain.tld or crl.yourdomain.tld, etc.)
- Install IIS (not on the server hosting ADCS)
- Create a directory (named CRL, CDP, PKI, etc.)
- Share that directory (hide it with a trailing $, e.g. PKI$), granting the 'Cert Publishers' AD group read/write access (the CA's computer account is a member of this group, so this is what lets the ADCS Root CA publish the CRL file)
- Create a virtual directory in IIS pointing to the directory you just created (PKI)
- Add the following two entries to the Certificate Template's CDP settings under the Extensions tab (the UNC path uses the file://\\server\share form that ADCS expects):
file://\\pki.yourdomain.tld\CDP$\<CaName><CRLNameSuffix>.crl
http://pki.yourdomain.tld/<CaName><CRLNameSuffix>.crl
- The file:// entry will cause the CA to publish the CRL to this path any time a new CRL is generated
- The http:// entry will tell the client where to find the CRL via the HTTP protocol
- Add the following entry to the Certificate Template's AIA settings under the Extensions tab. The AIA extension points clients at the issuing CA's certificate (a .crt file, not the CRL), which they need to build the certificate chain:
http://pki.yourdomain.tld/<ServerDNSName>_<CaName><CertificateName>.crt
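The steps above, scripted with the ADCSAdministration cmdlets that ship with the ADCS role, plus a client-side check that the published URLs actually resolve. This is an added example and not the wiki's own content; the host name, share name, web root folder, group name and certificate path are assumptions, and it adds the <DeltaCRLAllowed> token so delta CRLs get a distinct file name.

```powershell
# Added example (not from the wiki page). Run the CA section in an elevated shell on
# the CA and the IIS section on the web server. All names below are assumptions.
$PkiHost    = 'pki.yourdomain.tld'          # DNS name of the IIS host (assumed)
$ShareName  = 'PKI$'                        # hidden SMB share on the IIS host (assumed)
$WebRoot    = 'C:\inetpub\PKI'              # folder behind the /PKI virtual directory (assumed)
$Publishers = 'YOURDOMAIN\Cert Publishers'  # CA computer accounts are members by default

# --- IIS host: share the folder so the CA can drop CRL/CRT files into it ---
# New-SmbShare -Name $ShareName -Path $WebRoot -FullAccess $Publishers
# Delta CRL names contain '+', which IIS request filtering rejects unless double escaping is on:
# Set-WebConfigurationProperty -PSPath 'IIS:\Sites\Default Web Site' `
#     -Filter /system.webServer/security/requestFiltering -Name allowDoubleEscaping -Value $true

# --- CA: add the UNC publish location and the HTTP locations clients will use ---
Import-Module ADCSAdministration

# file:// entry: the CA writes the CRL here every time it publishes one.
# <DeltaCRLAllowed> (not in the wiki's entry) gives delta CRLs a distinct '+' suffix.
Add-CACrlDistributionPoint -Uri "file://\\$PkiHost\$ShareName\<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl" `
    -PublishToServer -PublishDeltaToServer -Force

# http:// entry: stamped into issued certificates as the CDP that clients fetch from.
Add-CACrlDistributionPoint -Uri "http://$PkiHost/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl" `
    -AddToCertificateCdp -AddToFreshestCrl -Force

# AIA points at the CA certificate (.crt), not the CRL; clients use it to build the chain.
Add-CAAuthorityInformationAccess -Uri "http://$PkiHost/<ServerDNSName>_<CaName><CertificateName>.crt" `
    -AddToCertificateAia -Force

# The default ldap:/// entries are still present; review them before deciding whether to remove any.
Get-CACrlDistributionPoint       | Format-Table Uri, AddToCertificateCdp, PublishToServer -AutoSize
Get-CAAuthorityInformationAccess | Format-Table Uri, AddToCertificateAia -AutoSize

Restart-Service certsvc
certutil -crl                               # publish now so the file:// path is exercised immediately

# Make sure the CA certificate is in the share as well; copy it from the CA's CertEnroll folder.
# Copy-Item "$env:SystemRoot\System32\CertSrv\CertEnroll\*.crt" "\\$PkiHost\$ShareName\"

# --- Verification from any client: chase the CDP/AIA URLs embedded in a freshly issued cert ---
# certutil -verify -urlfetch .\issued-cert.cer   # (assumed path) each http:// URL should show "Verified"
```

The -urlfetch check fails noisily on any URL the client cannot retrieve, which is exactly the condition that would otherwise surface as revocation-check errors on devices without LDAP access.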
Reference
- https://security.stackexchange.com/questions/206243/how-to-automate-publication-of-crl-and-crt-files-to-cdp-and-aia-location
- https://www.youtube.com/watch?v=U9gDL4GsJxs