Re: Can I publish a certificate to a network location

From: Vishal Agarwal[MSFT] (vishala@online.microsoft.com)
Date: Wed, 26 Feb 2003 11:52:25 -0800


The CA has no code to support publishing CRLs to an http: or ftp: location.
The CA can only publish to ldap: or file: locations.
You should be able to set up a remote file: URL that uses a UNC file share
that points to a file that can be fetched via a separate http: URL.
Remember that the CA machine's LocalSystem context must have write access to
the file and to the directory to create and delete temp files.
In the registry, the URL template should look like the following:
file://\\ServerDnsName\ServerShareName\directorypath\%3%8%9.crl
For Windows 2000, you will need to leave out the %9.
%3 is replaced with the sanitized CA name. (%CA_NAME% or <CaName> in the
admin U/I)
%8 is replaced with the key index used by the CA (empty for the first key,
"(1)" for the second key, etc.) (%CRL_SUFFIX% or <CRLNameSuffix> in the
admin U/I)
%9 is replaced with a plus sign "+" for a delta CRL, and empty string for a
base CRL. (<DeltaCRLAllowed> in the admin U/I) -- Windows 2003 only.

I don't know what a 560 error is.

Hope this helps,
Vishal

-- 
This posting is provided "AS IS" with no warranties, and confers no rights
"Stewart tebay" <stewart@tebay.net> wrote in message
news:064e01c2dcea$e95c3f30$2f01280a@phx.gbl...
> With the checkpoint problem of not being able to read from
> LDAP, we want to publish the certificates to an http
> location.
>
> Normally certificates are published to
> http://%server_dns_name/certenroll/%ca_name%%crl_suffix%.crl
>
> so, with IIS being on the same box, certs are available
> from an http location. This works fine.
>
> However, I am trying to publish the certs on a different
> server and so am attempting
> http://otherserver_FQDN/certenroll/%ca_name%%crl_suffix%.crl
> but this fails with an error 560 in eventvwr.
> I can browse to the web page and add / delete files from
> http through the browser, but when installing a cert, it
> does NOT place it in the new http share.
>
> Now I tried to see if the cert would install on the local
> machine in a different share c:\cert - shared as cert.
> With file://\\server_fqdn\cert
> I can install the cert into this successfully.
> However, if I try to send it to another server share
> file://\\other_server_fqdn\cert
> this fails again with a 560 error.
>
> Is it by design that I cannot publish a cert to another
> server, be it http or file, or am I missing something?
>
> Thanks in advance.
>
> Stewart
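As an added illustration (not code from this thread or from the CA product), the following Python helper expands the %3/%8/%9 tokens in the registry template quoted in the reply, drops %9 for Windows 2000, and maps the resulting file: path to the http: URL clients would fetch; it refuses a delta CRL when the template has no %9, since the delta would then expand to the same file name as the base CRL. The CA name "Contoso-CA" is a constructed value, the sanitized CA name is assumed to be supplied by the caller, and the http: mapping assumes the web server serves the same directory the share points at.

```python
import re
from dataclasses import dataclass

# Template as given in the reply above; the CA expands %3, %8 and %9 at publish time.
FILE_TEMPLATE = r"file://\\ServerDnsName\ServerShareName\directorypath\%3%8%9.crl"
_TOKEN = re.compile(r"%([389])")


@dataclass
class CrlTokens:
    ca_name: str            # %3: sanitized CA name (caller supplies it; assumption)
    key_index: int = 0      # %8: 0 -> "", 1 -> "(1)", 2 -> "(2)", ...
    delta: bool = False     # %9: "+" for a delta CRL, "" for a base CRL
    win2000: bool = False   # Windows 2000 has no %9 token (delta CRLs are Windows 2003 only)


def win2000_template(template: str) -> str:
    """Drop the %9 token, as the reply says to do on Windows 2000."""
    return template.replace("%9", "")


def expand(template: str, t: CrlTokens) -> str:
    """Expand %3, %8 and %9 in a CRL publication template."""
    if t.delta and t.win2000:
        raise ValueError("delta CRL publishing (%9) is Windows 2003 only")
    if t.delta and "%9" not in template:
        # Without %9 the delta CRL gets the same file name as the base CRL
        # and would silently overwrite it on the share.
        raise ValueError("template has no %9 token; delta CRL would overwrite the base CRL")
    values = {
        "3": t.ca_name,
        "8": "" if t.key_index == 0 else f"({t.key_index})",
        "9": "+" if t.delta else "",
    }
    return _TOKEN.sub(lambda m: values[m.group(1)], template)


def http_url_for(file_url: str, http_base: str) -> str:
    """Map the file: path the CA writes to the http: URL clients fetch.
    Assumes the web server serves the directory the UNC share points at."""
    crl_name = file_url.rsplit("\\", 1)[-1]
    return f"{http_base.rstrip('/')}/{crl_name}"


if __name__ == "__main__":
    tokens = CrlTokens("Contoso-CA", key_index=1, delta=True)  # constructed values
    published = expand(FILE_TEMPLATE, tokens)
    print(published)
    print(http_url_for(published, "http://otherserver_FQDN/certenroll"))
```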

