Unexpected DeltaCRL Location Seen

-

i installed root , issuing ca, specifying http locations crls. however, when @ issuing ca, see published deltacrl location #1 ldap. did not expect trying have http locations. below script used issuing ca post installation. normal or need specify else in config file below?

::issuing ca post installation script
 
::define crl publication intervals
certutil -setreg ca\crlperiodunits 2
certutil -setreg ca\crlperiod "days"
certutil -setreg ca\crloverlapunits 4
certutil -setreg ca\crloverlapperiod "hours"
certutil -setreg ca\crldeltaperiodunits 12
certutil -setreg ca\crldeltaperiod "hours"
 
::apply required cdp extension urls
certutil -setreg ca\crlpublicationurls "65:%windir%\system32\certsrv\certenroll\%%3%%8%%9.crl\n6:http://pki.domain.com/certenroll/%%3%%8%%9.crl"
 
::apply required aia extension urls
certutil -setreg ca\cacertpublicationurls "1:%windir%\system32\certsrv\certenroll\%%1_%%3%%4.crt\n2:http://pki.domain.com/certenroll/%%1_%%3%%4.crt\n32:http://ocsp.domain.com/ocsp"
 
::enable auditing events issuing ca
certutil -setreg ca\auditfilter 127
 
::set maximum validity period issued certificates
certutil -setreg ca\validityperiodunits 2
certutil -setreg ca\validityperiod "years"
 
::restart certificate services
net stop certsvc & net start certsvc

mcitp exchange 2010 | mcts exchange 2007 | mcitp lync server 2010 | mcts windows 2008 | mcse 2003

no there not. delta crls not written location http location.

the 6 indicates 2 indicates included in cdp of issued certificates , 4 indicates included in freshest crl extension of base crls.

to publish web server, need 1 of 2 methods:

1) scheduled task publishes new base crl/delta crl certenroll folder, waits, , uses copy protocol copy web server. copy protocol can used. have used ftp s/ftp rcp scp, copy, xcopy, , robocopy depending on environment. separate delta crl scheduled task required delta crl intervals

2) add file://\\webservername\sharename\%3%8%9.crl url , have value of 65 (so publishes base , delta crls location

this requires smb/cifs access used copy , ca computer account has read write access share , ntfs read/write/modify permissions

your choice

brian



Windows Server  >  Security



Comments

Post a Comment

Popular posts from this blog

Azure MFA with Azure AD and RDS

-
i have setup following lab in azure , need help. a server (domain controller) , remote desktop services. and server multi factor authentication server. i have setup following one http://www.rdsgurus.com/uncategorized/step-by-step-using-windows-server-2012-r2-rd-gateway-with-azure-multifactor-authentication/ and when im connecting got following error. the user "domain\username", on client computer "xxx.xxx.xxx.xxx", did not meet connection authorization policy requirements , therefore not authorized access rd gateway server. authentication method used was: "ntlm" , connection protocol used: "rpc-http". following error occurred: "23003". also on security log i've got following authentication details: connection request policy name: ts gateway authorization policy network policy name: - authentication provider: radius proxy authentication server: test.test.local authenticati...
Read more

WIMMount (HSM) causing cluster storage to go redirected (2012r2 DC)

-
looking options resolve error , prevent in future. thanks help. hardware: 2 node dell hv cluster running2012r2 dc 8 nic/ea in multiplex mode 4x hyper-v 4x hosts storage: 2x synology nas, accessed through iscsi hosts , cluster relevant logs: log name:      microsoft-windows-failoverclustering/diagnostic source:        microsoft-windows-failoverclustering date:          event id:      2050 task category: none level:         warning keywords:       user:          system computer:      l description: [dcm] filter wimmount found @ unsafe altitude 180700 log name:      system source:        microsoft-windows-failoverclustering ...
Read more

Failed to delete the test record dcdiag-test-record in zone test.com

-
ps c:\users\administrator.test> dcdiag /test:dns directory server diagnosis performing initial setup:    trying find home server...    home server = dc02    * identified ad forest.    done gathering initial info. doing initial required tests    testing server: default-first-site-name\dc02       starting test: connectivity          ......................... dc02 passed test connectivity doing primary tests    testing server: default-first-site-name\dc02       starting test: dns          dns tests running , not hung. please wait few minutes...          ......................... dc02 passed test dns    running partition tests on : forestdnszones    running partition tests on : domaindnszones    running partition tests on : schema ...
Read more