
Thread: CRL distribution point

  1. #1 Member (joined Nov 2011, 50 posts)

    Question: CRL distribution point



    Peace be upon you. First, I wish all forum members well on the occasion of the holy month; we pray to God that we do good work in it and that the conduct of this month carries over to the rest of the year.
    I have a simple question for the esteemed brothers and hope someone can help me with it: I am trying to set up an offline root CA.
    First I copied the CRL from its path on the CA to a new folder on another server, and then I created a new virtual directory web page for this folder.
    In the last step, specifying the HTTP distribution point from the CA, I do not know what value corresponds to <CRLNameSuffix><DeltaCRLAllowed>.
    I hope someone with a background in this topic can help us. Regards to all.

  2. #2 Member (joined Nov 2011, 50 posts)

    Reply: CRL distribution point

    The problem is solved, dear brothers. It seems these values are typed exactly as they are.
    God willing, I will try to explain this design and the CRL settings, in the hope that someone benefits from them. Regards to all.

  3. #3 New member (joined Jan 2009, 9 posts, Country: Egypt)

    Reply: CRL distribution point

    I have the same problem, please solve it.

  4. #4 Member (joined Nov 2011, 50 posts)

    Reply: CRL distribution point



    To configure a separate Web server to publish the CRL

    1. On the Web server, load Internet Information Services (IIS) Manager.
    2. Create a new virtual directory (or new Web site) with the following information:
       - Give it a name (alias) such as crl.
       - Select the local folder that will contain the CRL files, for example C:\CRL.
       - Specify the directory access permissions of Read.

    To manually publish the CRL on a separate server

    1. On the CA server, load Certification Authority, expand your CA, right-click Revoked Certificates, click All Tasks, and then click Publish.
    2. On the Publish CRL popup dialog box, ensure that New CRL is selected, and then click OK.
    3. Using Explorer, locate the folder that contains the CRL files. By default, these files are in %windir%\system32\certsrv\enroll, but this location can be changed on the Extensions tab of the CA properties.
    4. Copy all the files with a .crl extension to removable media.
    5. On the Web server computer, create a new local folder to contain the CRL (for example, C:\CRL).
    6. Paste the files with the .crl extension into this folder.

    To automatically publish the CRL on a separate server

    1. Ensure that a trust relationship exists such that the Web server trusts the CA server.
    2. On the Web server computer, create a new local folder to contain the CRL files (for example, C:\CRL).
    3. Configure the folder with the following:
       - Share the folder, for example, with the share name of CRL.
       - Specify the share permissions of Read and Change to the CA server computer account.
       - Specify NTFS permissions of Read and Write to the CA server computer account.
    4. On the CA server, load Certification Authority, right-click your CA, select Properties, and then click the Extensions tab.
    5. Ensure that CRL Distribution Point (CDP) is selected, and then click Add.
    6. In the Add Location dialog box, type the following and then click OK:
       file://\\<servername>\<share>\<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl
       For example, if your Web server was called server2 and the folder share name you created for the CRL was called CRL, you would type:
       file://\\server2\CRL\<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl
    7. Ensure that only the following options are selected for this new entry:
       - Publish CRLs to this location
       - Publish Delta CRLs to this location
    8. If you are prompted to restart Active Directory Certificate Services, click Yes.
    9. After the computer has restarted, load Certification Authority, expand your CA, right-click Revoked Certificates, click All Tasks, and then click Publish.
    10. On the Publish CRL popup dialog box, ensure that New CRL is selected, and then click OK. If you do not see an error, check the folder on the Web server and confirm that it now contains one or more files with .crl extensions. If you do see an error, it is likely that there is a syntax error or permissions error that must be corrected before the CRL can be published to the separate Web server.

    To specify the separate Web server as a CDP

    1. On the CA server, load Certification Authority, right-click your CA, select Properties, and then click the Extensions tab.
    2. Ensure that CRL Distribution Point (CDP) is selected, and then click Add.
    3. In the Add Location dialog box, type the following and then click OK:
       http://<FQDN_of_Web_Server>/<CRL_directory_name>/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl
       For example, if your Web server was called server2.contoso.com and the virtual directory you created in IIS was called crl, you would type:
       http://server2.contoso.com/crl/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl
    4. Ensure that the following options are selected for this new entry:
       - Include in CRLs. Clients use this to find Delta CRL locations.
       - Include in the CDP extension of issued certificates
    5. Click OK. If you are prompted to restart Active Directory Certificate Services, click Yes.

    To confirm CRL access

    1. From a computer on the same network as the separate Web server, load a browser and type in the same CRL path that you specified in step 3 of the procedure "To specify the separate Web server as a CDP". For example, if your Web server was called server2.contoso.com, the virtual directory you created in IIS was called crl, and your CA name was Contoso Root CA, you would type http://server2.contoso.com/crl/contoso root ca.crl for the base CRL, and http://server2.contoso.com/crl/contoso root ca+.crl for the delta CRL.
    2. You should see a File Download dialog box, asking you whether you want to open or save this file. Click Open.
    3. You should now see the Certificate Revocation List with a General tab and a Revocation List tab. On the General tab, the value for Issuer will be your CA. On the Revocation List tab you will see any certificates that have been revoked by the CA.
    4. Click OK.

    To confirm new certificates contain the new CDP

    1. Request and issue a new certificate after you have completed the procedure "To specify the separate Web server as a CDP".
    2. On the requesting computer, load the Certificates MMC and locate the newly installed certificate.
    3. Double-click the certificate to view its properties.
    4. Click the Details tab and click the field CRL Distribution Points.
    5. View the values in this field. There will be multiple CRL distribution points listed, so scroll down until you see the HTTP CRL distribution point that you added (for example: URL=http://server2.contoso.com/crl/Contoso%20Root%
    Last edited by M@hmoud; 21-07-2012 at 12:34
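As an added example (not from the post, and not Microsoft's own documentation), the same CDP configuration and the two confirmation checks done from PowerShell on the CA server, using the names assumed in the thread: Web server server2 / server2.contoso.com, share CRL, IIS alias crl, CA name Contoso Root CA. The template tokens are passed literally, as post #2 says; the CA expands them when it publishes.

```powershell
# Added example, not from the post. Run in an elevated PowerShell on the CA server.
# Assumed names (from the thread): server2 / server2.contoso.com, share CRL, IIS alias crl, CA "Contoso Root CA".
Import-Module ADCSAdministration

$fileCdp = 'file://\\server2\CRL\<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl'
$httpCdp = 'http://server2.contoso.com/crl/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl'

# 1. file:// location: the CA only writes the base and delta CRL files there; nothing from this
#    entry goes into certificates. An offline (non-domain) root cannot reach the share, so for
#    that case skip this line and copy the .crl files by hand as in the manual procedure above.
Add-CACrlDistributionPoint -Uri $fileCdp -PublishToServer -PublishDeltaToServer -Force

# 2. http:// location: what clients will fetch. -AddToCertificateCdp puts it in the CDP
#    extension of issued certificates; -AddToFreshestCrl puts it in the base CRL so clients
#    can locate the delta CRL.
Add-CACrlDistributionPoint -Uri $httpCdp -AddToCertificateCdp -AddToFreshestCrl -Force

Restart-Service CertSvc
Start-Sleep -Seconds 5

# 3. Publish a new base CRL (same as Revoked Certificates > All Tasks > Publish > New CRL).
certutil -CRL

# 4. Confirm CRL access. With a CA named "Contoso Root CA" the tokens expand to
#    "Contoso Root CA.crl" (base) and "Contoso Root CA+.crl" (delta); the CA encodes spaces as %20.
$caName = 'Contoso Root CA'
foreach ($suffix in '', '+') {
    $url = 'http://server2.contoso.com/crl/' + (("$caName$suffix") -replace ' ', '%20') + '.crl'
    $out = Join-Path $env:TEMP "check$suffix.crl"
    Invoke-WebRequest -Uri $url -OutFile $out -UseBasicParsing
    # certutil -dump shows Issuer and the validity window; a Next Update already in the past
    # means clients will treat revocation status as unavailable even though the URL works.
    certutil -dump $out | Select-String 'Issuer|This Update|Next Update'
}

# 5. Confirm a certificate issued after the change carries the new CDP (OID 2.5.29.31).
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Issuer -like "*$caName*" } | Select-Object -First 1
if ($null -eq $cert) { Write-Warning "No certificate issued by $caName found in LocalMachine\My" }
else {
    $cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    # Look for the HTTP location added in step 2 among the listed URLs.
    $cdp.Format($true)
}
```

Certificates issued before step 2 keep their old CDP extension, so the last check only proves anything for a certificate requested afterwards.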
