In my environment I have an Enterprise Root CA installed on a domain controller and a separate domain controller configured as a Subordinate CA. I know this isn't recommended for security reasons, but it's what I inherited.
The Certificate Enrollment Web Services and Online Responder services were not installed on either server, so no IIS services are in place.
If I open a certificate I created, select the Details tab, and select CRL Distribution Points, a URL like the following is provided:
URL=ldap:///CN=,CN=,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=example,DC=local?certificateRevocationList?base?objectClass=cRLDistributionPoint (ldap:///CN=,CN=,.....)
Here's my question: since there are no web services running for the clients to access a CRL using http/https, do clients get updated CRL information using the ldap string (query?) above? I'm trying to understand how clients grab new information about revoked/expired certificates when there's no URL to access through a web browser. These servers are all members of the same domain.
Adding IIS to a domain controller isn't an option, and deploying a separate VM to host CRL files most likely won't be approved due to the added cost of the VM and additional overhead.
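As an added check (not part of the original post), the following PowerShell reads the CRL Distribution Points extension from an issued certificate, separates LDAP from HTTP distribution points, and then has certutil attempt the actual CRL retrieval from each one; the certificate path is an assumption, and the script should be run from a domain-joined client.

```powershell
# Added example, not from the original post. Assumes an exported copy of an
# issued certificate at the path below; adjust to suit your environment.
$CertPath = 'C:\temp\issued-cert.cer'   # assumed path

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath

# OID 2.5.29.31 is the CRL Distribution Points extension shown on the Details tab.
$cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
if (-not $cdp) {
    Write-Warning "No CRL Distribution Points extension: clients cannot locate a CRL for this certificate."
    return
}

# Format($true) returns the same multi-line text the GUI shows; pull out every URL= entry.
$text = $cdp.Format($true)
$urls = [regex]::Matches($text, 'URL=([^\r\n]+)') | ForEach-Object { $_.Groups[1].Value.Trim() }

foreach ($u in $urls) {
    switch ($u.Split(':')[0]) {
        'ldap'  { "LDAP CDP (requires AD/LDAP connectivity, so domain members only): $u" }
        'http'  { "HTTP CDP (reachable without AD, e.g. non-domain or external clients): $u" }
        default { "Other CDP: $u" }
    }
}

# Ask the Windows revocation engine to fetch the CRL from each CDP and report
# per-URL success or failure. This confirms whether a domain-joined client can
# actually retrieve the CRL over LDAP when no HTTP distribution point exists.
certutil -verify -urlfetch $CertPath
```

The certutil output lists each CDP URL with "Verified" or an error, which is the quickest way to see whether the LDAP path is working for the client you run it from.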