How to publish the CRL on a web server (Manually and Automatically)


Article ID: 158085


Products

Symantec Products

Issue/Introduction

How to publish the CRL on a web server (Manually and Automatically)

Resolution

 

To manually publish the CRL on a web server
1. On the CA server, load Certification Authority, expand your CA, right-click Revoked Certificates, click All Tasks, and then click Publish.
2. On the Publish CRL popup dialog box, ensure that New CRL is selected, and then click OK.
3. Using Explorer, locate the folder that contains the CRL files. By default, these files are in %windir%\system32\certsrv\enroll but this location can be changed on the Extensions tab of the CA properties.
4. Copy all the files with a .crl extension to removable media.
5. On the Web server computer, create a new local folder to contain the CRL (for example, C:\CRL).
6. Paste the files with the .crl extensions into this folder.
 
To automatically publish the CRL on a web server
1. Ensure that a trust relationship exists such that the Web Server trusts the CA Server.
2. On the Web server computer, create a new local folder to contain the CRL files (for example, C:\CRL).
3. Configure the folder with the following:
   - Share the folder, for example, with the share name of CRL.
   - Specify the share permissions of Read and Change to the CA server computer account.
   - Specify NTFS permissions of Read and Write to the CA server computer account.
4. On the CA server, load Certification Authority, right-click your CA, select Properties, and then click the Extensions tab.
5. Ensure that CRL Distribution Point (CDP) is selected, and then click Add.
6. In the Add Location dialog box, type the following and then click OK:
   file://\\<servername>\<share>\<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl
   For example, if your Web server was called server2 and the folder share name you created for the CRL was called CRL, you would type:
   file://\\server2\CRL\<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl
7. Ensure that only the following options are selected for this new entry:
   - Publish CRLs to this location
   - Publish Delta CRLs to this location
8. If you are prompted to restart Active Directory Certificate Services, click Yes.
9. After the computer has restarted, load Certification Authority, expand your CA, right-click Revoked Certificates, click All Tasks, and then click Publish.

On the Publish CRL popup dialog box, ensure that New CRL is selected, and then click OK.  If you do not see an error, check the folder on the Web server and confirm that it now contains one or more files with .crl extensions.  If you do see an error, it is likely that there is a syntax error or permissions error that must be corrected before the CRL can be published to the separate Web server.
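The automatic procedure above can also be scripted. The following PowerShell is an added example, not part of the original article or any vendor tooling; the names server2, CRL, C:\CRL and CONTOSO\CA01$ are placeholders, and the function names are hypothetical. It assumes the SmbShare module on the Web server and the ADCSAdministration module on the CA server.

```powershell
# Added example. server2, CRL, C:\CRL and CONTOSO\CA01$ are placeholders.
$WebServer = 'server2'
$ShareName = 'CRL'
$Folder    = 'C:\CRL'
$CaAccount = 'CONTOSO\CA01$'   # computer account of the CA server

# Run on the Web server: folder, share and NTFS permissions (steps 2-3).
function New-CrlShare {
    New-Item -Path $Folder -ItemType Directory -Force | Out-Null
    # Share permission Change (which includes Read) for the CA computer account.
    New-SmbShare -Name $ShareName -Path $Folder -ChangeAccess $CaAccount | Out-Null
    # NTFS Read and Write on the folder and the files created in it.
    icacls $Folder /grant "${CaAccount}:(OI)(CI)(R,W)"
    if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }
}

# Run on the CA server: add the CDP entry, restart the service, publish (steps 4-9).
function Publish-CrlToShare {
    $uri = "file://\\$WebServer\$ShareName\<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl"
    # Only the two "publish" options are set, matching step 7.
    Add-CACrlDistributionPoint -Uri $uri -PublishToServer -PublishDeltaToServer -Force
    Restart-Service -Name CertSvc
    certutil -CRL
    if ($LASTEXITCODE -ne 0) {
        throw "Publishing failed ($LASTEXITCODE): check the CDP syntax and the share/NTFS permissions."
    }
}

# Run on the Web server after publishing: confirm .crl files arrived recently.
function Test-CrlFolder {
    param([int]$MaxAgeMinutes = 15)
    $cutoff = (Get-Date).AddMinutes(-$MaxAgeMinutes)
    $crls = Get-ChildItem -Path $Folder -Filter *.crl
    if (-not $crls) { throw "No .crl files in $Folder." }
    $stale = $crls | Where-Object { $_.LastWriteTime -lt $cutoff }
    if ($stale) { Write-Warning "Not rewritten in the last $MaxAgeMinutes minutes: $($stale.Name -join ', ')" }
    $crls | Select-Object Name, LastWriteTime, Length
}
```

Run New-CrlShare and Test-CrlFolder in an elevated session on the Web server and Publish-CrlToShare in an elevated session on the CA server.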


Applies To

Web server

Symantec Encryption Server

MS Root CA