Re: Can I publish a certificate to a network location
From: Vishal Agarwal[MSFT] (vishala@online.microsoft.com)
Date: 02/26/03
From: "Vishal Agarwal[MSFT]" <vishala@online.microsoft.com> Date: Wed, 26 Feb 2003 11:52:25 -0800
The CA has no code to support publishing CRLs to an http: or ftp: location.
The CA can only publish to ldap: or file: locations.
You should be able to set up a remote file: URL that uses a UNC file share
that points to a file that can be fetched via a separate http: URL.
Remember that the CA machine's LocalSystem context must have write access to
the file and to the directory to create and delete temp files.
In the registry, the URL template should look like the following:
file://\\ServerDnsName\ServerShareName\directorypath\%3%8%9.crl
For Windows 2000, you will need to leave out the %9.
%3 is replaced with the sanitized CA name. (%CA_NAME% or <CaName> in the
admin U/I)
%8 is replaced with the key index used by the CA (empty for the first key,
"(1)" for the second key, etc.) (%CRL_SUFFIX% or <CRLNameSuffix> in the
admin U/I)
%9 is replaced with a plus sign "+" for a delta CRL, and an empty string for a
base CRL. (<DeltaCRLAllowed> in the admin U/I) -- Windows 2003 only.
I don't know what a 560 error is.
Hope this helps,
Vishal
--
This posting is provided "AS IS" with no warranties, and confers no rights

"Stewart tebay" <stewart@tebay.net> wrote in message
news:064e01c2dcea$e95c3f30$2f01280a@phx.gbl...
> With the checkpoint problem of not being able to read from
> LDAP, we want to publish the certificates to a http
> location.
>
> Normally certificates are published to
> http://%server_dns_name/certenroll/%ca_name%%crl_suffix%.crl
>
> so, with IIS being on the same box certs are available
> from a http location. This works fine.
>
> However I am trying to publish the certs on a different
> server and so am attempting
> http://otherserver_FQDN/certenroll/%ca_name%%crl_suffix%.crl
> but this fails out with an error 560 in eventvwr.
> I can browse to the web page and add / delete files from
> http through the browser, but when installing a cert, it
> does NOT place in the new http share.
>
> Now I tried to see if the cert would install on the local
> machine in a different share c:\cert - shared as cert.
> With file://\\server_fqdn\cert
> I can install the cert into this successfully.
> However if I try to send it to another server share
> file://\\other_server_fqdn\cert
> this fails again with a 560 error.
>
> Is it by design that I cannot publish a cert to another
> server, be it http or file, or am I missing something?
>
> Thanks in advance.
>
> Stewart
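
The template rules from the reply above, as an added example that is not part of the original posts: a Python sketch that rejects schemes the CA cannot publish to and expands %3, %8 and %9. The server, share and CA names are constructed placeholders, the function names are hypothetical, and the CA name is assumed to be already sanitized.

```python
import re

# Per the reply: the CA publishes only to ldap: or file: locations.
PUBLISHABLE_SCHEMES = ("ldap:", "file:")

# Constructed sample template; server and share names are placeholders.
TEMPLATE = r"file://\\crlhost.example.test\CertEnroll\%3%8%9.crl"


def expand_crl_template(template, sanitized_ca_name, key_index=0,
                        delta=False, windows_2000=False):
    """Expand %3, %8 and %9 in a CRL publication URL template.

    sanitized_ca_name must already be sanitized (assumption: the
    sanitizing rules are not given in the post and not implemented).
    """
    scheme = template.split("//", 1)[0].lower()
    if scheme not in PUBLISHABLE_SCHEMES:
        raise ValueError("CA cannot publish to %r; use ldap: or file:" % scheme)
    if windows_2000 and "%9" in template:
        raise ValueError("leave %9 out of the template on Windows 2000")
    values = {
        "%3": sanitized_ca_name,
        # Empty for the first key, "(1)" for the second key, etc.
        "%8": "" if key_index == 0 else "(%d)" % key_index,
        # "+" for a delta CRL, empty string for a base CRL.
        "%9": "+" if delta else "",
    }
    # One pass, so text substituted in is never rescanned for tokens.
    return re.sub(r"%[389]", lambda m: values[m.group(0)], template)


def expected_crl_urls(template, sanitized_ca_name, key_count, deltas=False):
    """URLs written for key_count CA keys: base CRLs, plus deltas if enabled."""
    kinds = (False, True) if deltas else (False,)
    return [expand_crl_template(template, sanitized_ca_name, k, d)
            for k in range(key_count) for d in kinds]


if __name__ == "__main__":
    for url in expected_crl_urls(TEMPLATE, "ExampleCA", key_count=2, deltas=True):
        print(url)
```

The expanded names are the files that the separate http: URL has to serve from the share.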