Re: MS CA service and publish CRL and AIA

From: Vishal Agarwal[MSFT] (vishala_at_online.microsoft.com)
Date: 06/11/03


Date: Wed, 11 Jun 2003 09:44:39 -0700


To have the windows 2000 CA automatically publish CRLs to another location,
you will need to add a full local path or a UNC path to the following
REG_MULTI_SZ registry value:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\<CAName>\CRLPath

The default is something like
C:\Windows\System32\CertSrv\CertEnroll\%3%8.crl

There is no equivalent for publishing CA certs, but that should only be
necessary after the initial install and after each CA cert renewal.

Thanks,

Vishal[MSFT]

-- 
This posting is provided "AS IS" with no warranties, and confers no rights
"stefan hammar" <stha_vilan@hotmail.com> wrote in message
news:0b3d01c32f46$dadc9050$a301280a@phx.gbl...
> Hi Vishal
>
> We have a windows 2000 AD server with CA, not a windows 2003 server.
>
> IE hangs on windows xp sp1 specification:
> RIS installation: Eng. Windows xp sp1 with swedish MUI
> Added after the RIS installation: Office XP sp2 with swedish MLP
>
> Thanks,
> Stefan Hammar
>
> >-----Original Message-----
> >You need to add a file share (pointing to the virtual root directory on the
> >servers) as a CDP and AIA extension and check the box for publishing the CRL
> >to the location (don't check the boxes for including the link in issued
> >certificate and CRL's). Add another http CDP and AIA location while only
> >checking the boxes to include the link in issued certificate and CRL's).
> >
> >Can you provide us the repro steps for IE hang on XP SP1?
> >
> >Thanks,
> >Vishal [MSFT]
> >
> >-- 
> >This posting is provided "AS IS" with no warranties, and confers no rights
> >"stefan hammar" <stha_vilan@hotmail.com> wrote in message
> >news:100101c32b6b$0d684c60$a501280a@phx.gbl...
> >> Hi Vishal
> >> 1. On the CAserver (internal server, not published by ISA to the Internet)
> >> - Certification Authority
> >> - Root CA and properties
> >> - Policy module, configure, x509 extension
> >> - Add CDP, Mail.skogforsk.se/sfca/sfrootca.crl
> >> - Add AIA, mail.skogforsk.se/sfca/sfrootca.crt
> >> - Restart CA
> >> - Publish revoked certificates
> >> 2. On the mail.skogforsk.se server (external server, published by ISA server)
> >> - An IIS virtual folder sfca
> >> - NTFS security
> >>   Administrators and system, full control
> >>   Internet guest account, read and execute
> >>   CAserver$, modify
> >> - IIS Virtual dir.
> >>   Read, write, dir. browsing, log
> >> 3. On the ISA server
> >> - Web publish mail.skogforsk.se/sfca
> >>
> >> The problem is that the sfca folder is not updated with files from the
> >> CAserver CA-service.
> >>
> >> How can I verify that an external IE client with a Skogforsk certificate
> >> can see the published CRL and AIA?
> >>
> >> And generally, we have a BIG problem with Windows XP sp1 IE:
> >> IE hangs the desktop! Sites with SSL, java and ActiveX are candidates ...
> >> w2k clients have no problems with the same sites!
> >>
> >> Thanks, from a sunny Sweden
> >> Stefan
> >>
> >> >-----Original Message-----
> >> >I haven't looked at the KB article, could you please explain what steps you
> >> >did to publish the CRL and AIA files to the new location?
> >> >
> >> >If revocation information is not available for a CA, then the certificate
> >> >issued by that CA will not be trusted (if the application is checking the
> >> >revocation status). I haven't heard of any case where IE6 hangs.
> >> >
> >> >Thanks,
> >> >Vishal [MSFT]
> >> >
> >> >-- 
> >> >This posting is provided "AS IS" with no warranties, and confers no rights
> >> >"Stefan Hammar" <stha_vilan@hotmail.com> wrote in message
> >> >news:0fdf01c32a75$b9211880$a101280a@phx.gbl...
> >> >> Hi experts
> >> >> I'm trying to publish CRL and AIA to Internet.
> >> >> Used MS KB318707 and 23161 to change the location of the CRL and AIA
> >> >> files. The new location is a new virtual directory on another IIS server
> >> >> (Web published by ISA server to the Internet).
> >> >> But the problem is that the new location is not updated with CRL and
> >> >> AIA files?
> >> >> - CA is restarted
> >> >> - I have published the revocation list manually
> >> >> - Windows 2000 server with sp3
> >> >>
> >> >> Is it true that if the revocation list is not published for a CA the
> >> >> IE 6 on windows XP sp1 will hang the computer ...?
> >> >>
> >> >> I'm a technet plus user but many of my postings are not answered?
> >> >>
> >> >> Thanks Stefan
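An added example, not part of this thread or of Microsoft's documentation, that puts Vishal's CRLPath registry answer and Stefan's question about checking what an external client sees into one script. It is written in PowerShell 3.0 or later (which did not exist when this thread was posted; on Windows 2000 the registry step would be done with regedit or reg.exe instead). The CA name, the UNC share, the HTTP URLs and the issued-certificate file are placeholders. The CRLPath value is the Windows 2000 one from the reply above; later CA versions replaced it with CRLPublicationURLs.

```powershell
# Added example, not from the thread. Part 1 runs on the Windows 2000 CA
# itself (as a local administrator): it appends a UNC publication path to the
# REG_MULTI_SZ CRLPath value Vishal describes, then republishes the CRL.
# Part 2 runs on any client and checks what an external relying party sees.
# $CAName, the share, the URLs and the certificate file are all placeholders.

$CAName  = 'SFRootCA'                                    # placeholder: the CA's common name
$NewPath = '\\mail.example.test\sfca\%3%8.crl'           # placeholder UNC path; %3 = CA name, %8 = CRL name suffix
$RegKey  = "HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\$CAName"

# --- Part 1: add the publication path and republish -------------------------
# CertSvc runs as LocalSystem, so it writes to the share as the CA's computer
# account (CAserver$ in Stefan's ACL); that account needs Modify on the folder.
$current = @((Get-ItemProperty -Path $RegKey -Name CRLPath).CRLPath)
if ($current -notcontains $NewPath) {
    Set-ItemProperty -Path $RegKey -Name CRLPath -Value ($current + $NewPath) -Type MultiString
    Restart-Service -Name CertSvc        # the service reads CRLPath at startup
}
certutil -CRL                            # publish a fresh CRL to every CRLPath entry
# A file with a current LastWriteTime here proves the CA can reach the share.
Get-ChildItem -Path (Split-Path $NewPath) -Filter '*.crl' | Select-Object Name, LastWriteTime

# --- Part 2: verify from a client outside the CA's network ------------------
$CdpUrl     = 'http://mail.example.test/sfca/sfrootca.crl'   # placeholder CDP URL
$AiaUrl     = 'http://mail.example.test/sfca/sfrootca.crt'   # placeholder AIA URL
$IssuedCert = "$env:USERPROFILE\user.cer"                     # placeholder: a cert issued by this CA

# Both files must be downloadable anonymously; that is all IE will do.
Invoke-WebRequest -Uri $CdpUrl -OutFile "$env:TEMP\published.crl"
Invoke-WebRequest -Uri $AiaUrl -OutFile "$env:TEMP\published.crt"

# A CRL whose NextUpdate has passed fails revocation checking just as a
# missing one does, so check the validity window of what was actually served.
certutil -dump "$env:TEMP\published.crl" | Select-String -Pattern 'ThisUpdate|NextUpdate'

# Retrieve CDP/AIA from the issued certificate's own extensions, the way a
# relying application does; a failed fetch under the CDP or AIA section means
# the URLs embedded in certificates do not match what was published.
certutil -verify -urlfetch $IssuedCert
```

Part 2 is the check Stefan asked for: if the two downloads succeed anonymously, the CRL's NextUpdate is still in the future, and `certutil -verify -urlfetch` reports the CDP and AIA retrievals as successful for a certificate the CA issued, an external IE client will be able to build and revocation-check the chain. Run it from a machine that is not on the internal network, so that the ISA publishing rule is exercised rather than the internal share.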

