السلام عليكم ...اولا كل عام و كل اعضاء المنتدى بخير بمناسبة الشهر الكريم و ندعو الله ان نحسن فية العمل و ان تنعكس سلوكيات هذه الشهر على بافى ايام السنة.
انا عندى استفساار بسيط للاخوة الكرام اتمنى ان يفيدنى فية احد ...و هو انى بحاول اعمل offline root ca
اولا نقلت crl من المسار الخاص بيها فى ca الى فولدر جديد فى سيرفر اخر و بعد ذلك عملت new virtul directory web page لهذا الفولدر .
و فى الخطوة الاخير لتحديد ال http distribution point من ال ca لا اعرف ما هى القيمة المقابلة لل <CRLNameSuffix><DeltaCRLAllowed>
اتمنى لمن يملك خلفية عن هذا الموضوع ان يفيدنا ...و تحياتى الى الجميع.
المشكلة اتحلت اخوتى الكرام ..و يبدوا ان هذه القيم تُكت كما هى .
ان شاء الله سوف احاول شرح هذا التصميم و اعدادات ال CRL لعل و عسى حد يستفاد منها ...تحياتى الى الجميع.
To configure a separate Web server to publish the CRL
On the Web server, load Internet Information Services (IIS) Manager
Create a new virtual directory (or new Web site) with the following information:
Give it a name (alias) such as crl.
Select the local folder that will contain the CRL files - for example, C:\CRL.
Specify the directory access permissions of Read.
To manually publish the CRL on a separate server
On the CA server, load Certification Authority, expand your CA, right-click Revoked Certificates, click All Tasks, and then click Publish.
On the Publish CRL popup dialog box, ensure that New CRL is selected, and then click OK.
Using Explorer, locate the folder that contains the CRL files. By default, these files are in %windir%\system32\certsrv\enroll but this location can be changed on the Extensions tab of the CA properties.
Copy all the files with a .crl extension to removable media.
On the Web server computer, create a new local folder to contain the CRL (for example, C:\CRL).
Paste the files with the .crl extensions into this folder.
To automatically publish the CRL on a separate server
Ensure that a trust relationship exists such that the Web Server trusts the CA Server.
On the Web server computer, create a new local folder to contain the CRL files (for example, C:\CRL).
Configure the folder with the following:
Share the folder, for example, with the share name of CRL.
Specify the share permissions of Read and Change to the CA server computer account.
Specify NTFS permissions of Read and Write to the CA server computer account.
On the CA server, load Certification Authority, right-click your CA, select Properties, and then click the Extensions tab.
Ensure that CRL Distribution Point (CDP) is selected, and then click Add.
In the Add Location dialog box, type the following and then click OK: file://\\<servername>\<share>\<CaName><CRLNameSuffix><Del taCRLAllowed>.crl For example, if your Web server was called server2 and the folder share name you created for the CRL was called CRL, you would type file://\\server2\CRL\<CaName><CRLNameSuffix><DeltaCRLAllo wed>.crl
Ensure that only the following options are selected for this new entry:
Publish CRLs to this location Publish Delta CRLs to this location
If you are prompted to restart Active Directory Certificate Services, click Yes.
After the computer has restarted, load Certification Authority, expand your CA, right-click Revoked Certificates, click All Tasks, and then click Publish.
On the Publish CRL popup dialog box, ensure that New CRL is selected, and then click OK. If you do not see an error, check the folder on the Web server and confirm that it now contains one or more files with .crl extensions. If you do see an error, it is likely that there is a syntax error or permissions error that must be corrected before the CRL can be published to the separate Web server.
To specify the separate Web server as a CDP
On the CA server, load Certification Authority, right-click your CA, select Properties, and then click the Extensions tab.
Ensure that CRL Distribution Point (CDP) is selected, and then click Add.
In the Add Location dialog box, type the following and then click OK: https://<FQDN_of_Web_Server/<CRL_directory_name>/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crlFor example, if your Web server was called server2.contoso.com and the virtual directory you created in IIS was called CRL, you would type https:// server2.contoso.com/crl/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl
Ensure that the following options are selected for this new entry: Include in CRLs. Clients use this to find Delta CRL locations. Include in the CDP extension of issued certificates
Click OK. If you are prompted to restart Active Directory Certificate Services, click Yes. To confirm CRL access
From a computer on the same network as the separate Web server, load a browser and type in the same CRL path that you specified in step 3 for the procedure "To specify the CRL on a separate Web server". For example, if your Web server was called server2.contoso.com and the virtual directory you created in IIS was called crl, and your CA name was Contoso Root CA, you would type https:// server2.contoso.com/crl/contoso root ca.crl for the base CRL, and type https:// server2.contoso.com/crl/contoso root ca+.crl for the delta CRL.
You should see a File Download dialog box, asking you whether you want to open or save this file. Click Open.
You should now see the Certificate Revocation List with a General tab and Revocation List tab. On the General tab, the value for Issuer will be your CA server. On the Revocation List you will see any certificates that have been revoked by the CA.
Click OK.
To confirm new certificates contain new CDP
Request and issue a new certificate after you have completed the procedure "To specify the CRL on a separate Web server".
On the requesting computer, load the Certificates MMC and locate the newly installed certificate.
Double-click the certificate to view its properties.
Click the Details tab and click the field CRL Distribution Points.
View the values in this field. There will be multiple CRL distribution points listed so scroll down until you see the HTTP CRL distribution point that you added (for example: URL=https://server2.contoso.com/crl/Contoso%20Root%
رد مع اقتباس
CRL distribution point
ضوابط المشاركة
المفضلات