
Domain Member Servers - Accessing Certificate Revocation List (CRL)


In my environment I have an Enterprise Root CA installed on a domain controller and a separate domain controller configured as a Subordinate CA - I know this isn't recommended for security reasons but it's what I inherited.

The Certificate Enrollment Web Services and Online Responder services were not installed on either server, so no IIS services in place.

If I open a certificate I created, select the Details tab and select CRL Distribution Points, a URL like the following is shown: URL=ldap:///CN=,CN=,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=example,DC=local?certificateRevocationList?base?objectClass=cRLDistributionPoint (ldap:///CN=,CN=,.....)

Here's my question - since there are no web services running for the clients to access a CRL using http/https, do clients get updated CRL information using the ldap string (query?) above? I'm trying to understand how clients grab new information about revoked/expired certificates when there's no URL to access with a web browser. These servers are all members of the same domain.

Adding IIS to a domain controller isn't an option, and deploying a separate VM to host CRL files most likely won't be approved due to the added cost of the VM and additional overhead.


do clients get updated CRL information using the ldap string (query?) above?

Yes. Clients use the URL defined in the CDP extension of the certificate to download the CRL. Microsoft CA and Windows clients support both HTTP and LDAP URL schemes for downloading CRLs. A Microsoft CA can publish CRLs to AD as well.

Keep in mind that only AD forest members (no matter how many domains you have) can use LDAP URLs in AD.
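As an added illustration of the answer above (not code from the post or from Microsoft), the following uses the `cryptography` library to build a throwaway CA, a leaf certificate whose CDP extension carries an LDAP URL of the kind shown in the question plus a hypothetical HTTP one, and a CRL revoking that leaf; it then shows which CDP URLs a relying party can use depending on forest membership, and the checks a client performs once it has fetched the CRL. All names, URLs and serial numbers are constructed.

```python
from datetime import datetime, timedelta
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec

# Constructed CDP URLs: an AD-published CRL (as in the question) and a hypothetical HTTP one.
LDAP_CDP = ("ldap:///CN=Example%20CA,CN=DC1,CN=CDP,CN=Public%20Key%20Services,CN=Services,"
            "CN=Configuration,DC=example,DC=local?certificateRevocationList?base?objectClass=cRLDistributionPoint")
HTTP_CDP = "http://pki.example.local/CertEnroll/Example%20CA.crl"
NOW = datetime(2024, 1, 1)  # fixed clock so the checks below are repeatable

def build_pki():
    # Throwaway CA, a leaf cert carrying the CDP extension, and a CRL that revokes the leaf.
    ca_key = ec.generate_private_key(ec.SECP256R1())
    ca_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example CA")])
    ca = (x509.CertificateBuilder().subject_name(ca_name).issuer_name(ca_name)
          .public_key(ca_key.public_key()).serial_number(1)
          .not_valid_before(NOW).not_valid_after(NOW + timedelta(days=365))
          .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
          .sign(ca_key, hashes.SHA256()))
    cdp = x509.CRLDistributionPoints([x509.DistributionPoint(
        [x509.UniformResourceIdentifier(LDAP_CDP), x509.UniformResourceIdentifier(HTTP_CDP)],
        None, None, None)])
    leaf_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "srv1.example.local")])
    leaf = (x509.CertificateBuilder().subject_name(leaf_name).issuer_name(ca_name)
            .public_key(ec.generate_private_key(ec.SECP256R1()).public_key()).serial_number(4242)
            .not_valid_before(NOW).not_valid_after(NOW + timedelta(days=90))
            .add_extension(cdp, critical=False).sign(ca_key, hashes.SHA256()))
    revoked = x509.RevokedCertificateBuilder().serial_number(4242).revocation_date(NOW).build()
    crl = (x509.CertificateRevocationListBuilder().issuer_name(ca_name)
           .last_update(NOW).next_update(NOW + timedelta(days=7))
           .add_revoked_certificate(revoked).sign(ca_key, hashes.SHA256()))
    return ca, leaf, crl

def cdp_urls(cert):
    # URLs a relying party reads from the certificate's CRL Distribution Points extension.
    ext = cert.extensions.get_extension_for_class(x509.CRLDistributionPoints).value
    return [n.value for dp in ext for n in (dp.full_name or [])
            if isinstance(n, x509.UniformResourceIdentifier)]

def usable_cdp_urls(cert, forest_member):
    # ldap:/// locations resolve only from AD forest members; anything else must use HTTP.
    return [u for u in cdp_urls(cert) if forest_member or not u.startswith("ldap:")]

def revocation_status(cert, crl, issuer, days_after=0):
    # What the client decides once it holds the CRL: trust it, check freshness, look up the serial.
    if not crl.is_signature_valid(issuer.public_key()):
        return "crl-untrusted"
    if NOW + timedelta(days=days_after) > crl.next_update:
        return "crl-stale"
    return "revoked" if crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None else "good"
```

A machine that is not a forest member sees only the HTTP location, which is why an HTTP CDP matters the moment non-domain clients must validate these certificates; a CRL past its `next_update` is treated as stale rather than silently trusted.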
