Publish the root CA certificate and CRL to:

■ Active Directory

■ Web servers

■ FTP servers

■ File servers

After you install a root CA, you need to configure two X.509 version 3 extension fields, known as the AIA and the CDP extensions. These extensions apply to all certificates that the root CA issues. These extensions define where client applications can find valid AIA and CDP information for the root CA.

Tip You do not have to populate the AIA extension; however, failure to do so will limit the functionality of the CryptoAPI and may cause a failure during the certificate chain-building process.

The formatting and publishing of AIA and CDP extension URLs are generally the same for root CAs, policy CAs, and issuing CAs. The difference between offline CAs and online CAs is that offline CAs require manual certificate and CRL publishing to a directory or Web server.

Note Publishing the AIAs and CDPs with multiple URLs will provide a level of fault tolerance.

Publication points

To ensure accessibility to all computers in the forest, publish the offline root CA certificate and the offline root CA's CRL to Active Directory by using the certutil command. This command places the root CA certificate and CRL in the configuration naming context, which Active Directory replicates to all domain controllers in the forest. For example, the following command modifies the CRL location to the Web server named www.cohovineyard.com.

certutil -setreg CA\CRLPublicationURLs http://www.cohovineyard.com/CertData/%%3%%8%%9.crl

In this URL, %3, %8 and %9 are certutil replacement tokens for the CA name, the CRL name suffix and the delta CRL suffix. The percent signs are doubled because the command is written for a batch file, where cmd.exe would otherwise consume a single percent sign.

Making certificates and CRLs available externally

If you have users that are not members of your organization but still need to verify the CRL, you must decide how to make the CRL available to them externally.

To place the CA certificate and CRL on external Web servers, you can use LDAP, File Transfer Protocol (FTP), a location on a hard drive (referred to as a file), or Hypertext Transfer Protocol (HTTP). However, HTTP is the most widely used protocol for making CRLs available to external clients. The reasons for using HTTP include the following:

■ LDAP queries require that all external clients be Active Directory capable.

■ External Active Directory clients need to have permissions to query Active Directory by using LDAP.

■ HTTP publication has no latency issues.

■ If you use LDAP, firewalls on the clients and servers need to be configured to allow Active Directory and FTP access. HTTP is generally open on firewalls.

Note You can also publish certificates and CRLs to FTP:// and FILE:// URLs, but it is recommended that you use only LDAP and HTTP URLs, because they are the most widely supported URL formats for interoperability purposes.
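The procedure described above (setting the root CA's CDP and AIA URLs with certutil, issuing a CRL, and then publishing the root certificate and CRL to Active Directory and to an external Web server) as an added PowerShell example; this is not the course's own text. The CA name, host names, forest name and file paths are assumptions, and the numeric prefixes are certutil's documented URL flag values.

```powershell
# Added example. Run on the offline root CA as a local administrator.
# Assumed: CA "CohoVineyard Root CA", forest cohovineyard.com,
# external web server www.cohovineyard.com, files copied via drive D:.

# The offline root is not domain-joined, so tell certutil which configuration
# naming context the LDAP templates should use (%6 expands to this value).
certutil -setreg CA\DSConfigDN 'CN=Configuration,DC=cohovineyard,DC=com'

# CRLPublicationURLs entries are "flags:URL", separated by a literal \n.
# Flag bits used: 1 = publish the CRL to this location,
#                 2 = put the URL in the CDP extension of issued certificates,
#                 8 = put the URL in the CDP extension of published CRLs.
# Tokens: %2 server short name, %3 CA name, %6 DSConfigDN, %7 sanitized CA name,
#         %8 CRL name suffix, %9 delta CRL suffix, %10 CDP object class.
$cdp = '1:C:\Windows\system32\CertSrv\CertEnroll\%3%8%9.crl\n' +
       '10:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10\n' +
       '2:http://www.cohovineyard.com/CertData/%3%8%9.crl'
certutil -setreg CA\CRLPublicationURLs $cdp

# CACertPublicationURLs: 1 = publish the CA cert here, 2 = put the URL in the
# AIA extension. %1 server DNS name, %4 certificate renewal index, %11 AIA class.
$aia = '1:C:\Windows\system32\CertSrv\CertEnroll\%1_%3%4.crt\n' +
       '2:ldap:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,%6%11\n' +
       '2:http://www.cohovineyard.com/CertData/%1_%3%4.crt'
certutil -setreg CA\CACertPublicationURLs $aia

Restart-Service CertSvc   # the CA reads the new URLs when it starts
certutil -crl             # issue a fresh CRL that carries the new CDP entries
certutil -getreg CA\CRLPublicationURLs   # confirm what was written

# Copy the .crt and .crl from C:\Windows\system32\CertSrv\CertEnroll to D:\,
# place both files in the CertData directory on www.cohovineyard.com, then run
# the following on a domain-joined machine as an Enterprise Admin:
certutil -dspublish -f 'D:\CohoVineyard Root CA.crt' RootCA   # trusted roots + AIA container
certutil -dspublish -f 'D:\CohoVineyard Root CA.crl'          # CDP container

# Check from a client: fetches every AIA and CDP URL in the chain of a
# certificate issued by the root (here the issuing CA's certificate) and
# reports which URLs succeed, which is the chain-building test that matters.
certutil -verify -urlfetch 'D:\CohoVineyard Issuing CA.crt'
```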

  • Frans
    What is the difference between the internal and external crl publication?
    7 years ago
  • omar
    How to publish a CRL for all domain workstations?
    7 years ago
  • JUAN
    How to publish crl manually?
    7 years ago
  • taylor
    How to publish internal CRL and AIA to the internet?
    7 years ago
  • deborah
    How to publish a CRL file to an LDAP server?
    7 years ago
  • amaranth goldworthy
    How to manually publish a CRL file in an LDAP directory?
    7 years ago
  • torin stevenson
    Why does an internal CA need to talk to an externally facing CRL?
    1 year ago
  • Franziska Pfaff
    How to make crl external?
    1 year ago
  • mike
    How are AD CRLs accessed in the forest?
    1 year ago
  • yusef
    Can you install issuing CA and IIS CDP/AIA on the same server?
    11 months ago
  • leland
    How to publish the CRL in the issuing CA?
    10 months ago

