PKI : Publishing CRL to an IIS Website Automatically
This article covers the required steps for configuring an Issuing CA to publish its CRL automatically to an IIS Website that is accessible externally.
1. Deploy an IIS Web Server to host the AIA and CDP;
a. Create a file share ‘PKI’ with Modify permissions for “Cert Publishers” and for the AD DS computer accounts of the Issuing CAs (deployed in step 2).
b. Create a new Website in IIS, use the PKI share created above as the home directory. Use port 80 and a host header to differentiate the site.
c. In IIS Manager, enable ‘Allow Double Escaping’ for the website under Request Filtering > Edit Feature Settings (in the Actions pane); without it, request filtering rejects the ‘+’ in delta CRL file names.
d. Ideally, publish this website using TMG/ISA Server.
2. Next, deploy the issuing CA (if you already have one, skip this step); this is the front line of your PKI. When deploying a CA I’d suggest the following as good practice:
a. Don’t forget to use a CAPolicy.inf file. It must be created before the AD CS role is installed. This reduces the impact of deployment in any production environment, especially the “LoadDefaultTemplates=False” option, which ensures the CA cannot issue any certificates until you configure it to do so. An example CAPolicy.inf file is below:
[Version]
Signature="$Windows NT$"

[certsrv_server]
RenewalKeyLength=2048
RenewalValidityPeriodUnits=6
RenewalValidityPeriod=years
LoadDefaultTemplates=False
CRLPeriodUnits=3
CRLPeriod=days
CRLDeltaPeriodUnits=12
CRLDeltaPeriod=hours
CRLOverlapPeriod=Hours
CRLOverlapUnits=8
CRLDeltaOverlapPeriod=Hours
CRLDeltaOverlapUnits=8

[PolicyStatementExtension]
Policies=AllIssuancePolicy
Critical=FALSE

[AllIssuancePolicy]
; 2.5.29.32.0 is the anyPolicy (All Issuance Policies) OID
OID=2.5.29.32.0
3. Configure CDP / AIA settings on the new CA:
a. CDP: remove the http and file locations already listed, then add the following MANUALLY (do not copy and paste!):
· file://\\<IIS server>\PKI\cdp\<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl
· The file location should be set to ONLY: Publish CRLs to this location, Publish Delta CRLs to this location
· The HTTP location should be set to ONLY: Include in CRLs, Include in the CDP extension of issued certificates
· The LDAP location should have every option set other than IDP
b. AIA: remove the http and file locations already listed, then add the following MANUALLY (do not copy and paste!):
· http://<external DNS name>/aia/<ServerDNSName>_<CaName><CertificateName>.crt
· The file location should be set to NOT include in the AIA extension
· The HTTP location should be set to Include in the AIA extension
· The LDAP location should be set to Include in the AIA extension
You’ll need to manually copy the CRT file across from C:\Windows\system32\certsrv\CertEnroll to the aia folder on the PKI share. Make sure you do this every time the CA certificate is renewed.
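The CDP and AIA settings from step 3 can also be applied with certutil, which avoids the mangled characters that make the article warn against pasting into the MMC. This is an added example, not the article's own script; it assumes the placeholder names $IisServer and $ExternalDns, and assumes the http CDP path is /cdp/ (mirroring the \PKI\cdp\ file location, since the article does not state the http CDP URL).

```powershell
# Added example (not from the original article): applies the step 3 CDP/AIA lists
# with certutil instead of typing them into the CA MMC. Run elevated on the CA.
$IisServer   = 'pki-web01'        # assumed: name of the IIS host from step 1
$ExternalDns = 'pki.example.com'  # assumed: external DNS name of the website

# CRLPublicationURLs flag bits: 1 publish CRL here, 2 include in CDP extension of
# issued certs, 4 include in CRLs (delta locator), 8 include in all CRLs (AD),
# 64 publish delta CRL here, 128 include in IDP extension (left unset everywhere).
$cdp = @(
  "65:file://\\$IisServer\PKI\cdp\%3%8%9.crl"                                # 1+64
  "6:http://$ExternalDns/cdp/%3%8%9.crl"                                     # 2+4 (path assumed)
  '79:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10' # all but 128
)
# CACertPublicationURLs flag bits: 1 publish CA cert here, 2 include in AIA extension.
$aia = @(
  '1:%WINDIR%\system32\CertSrv\CertEnroll\%1_%3%4.crt'             # local copy, not in AIA
  "2:http://$ExternalDns/aia/%1_%3%4.crt"                           # in AIA
  '2:ldap:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,%6%11' # in AIA
)
# certutil separates REG_MULTI_SZ entries with a literal "\n" inside the argument.
certutil -setreg CA\CRLPublicationURLs    ($cdp -join '\n')
certutil -setreg CA\CACertPublicationURLs ($aia -join '\n')
Restart-Service certsvc   # registry changes take effect on restart
certutil -crl             # publish now; needs Modify on \\$IisServer\PKI (step 1a)

# Check: each CRL the CA wrote to the share must be byte-identical to what an
# external client downloads. A MISMATCH, or a 404 on the "+" delta CRL, usually
# means the share path, the host header or Allow Double Escaping (step 1c) is wrong.
Get-ChildItem "\\$IisServer\PKI\cdp\*.crl" | ForEach-Object {
  $name = $_.Name; $tmp = Join-Path $env:TEMP $name
  try {
    Invoke-WebRequest "http://$ExternalDns/cdp/$name" -OutFile $tmp -UseBasicParsing
    $same = (Get-FileHash $_.FullName).Hash -eq (Get-FileHash $tmp).Hash
    '{0}: {1}' -f $name, $(if ($same) { 'OK' } else { 'MISMATCH' })
  } catch { '{0}: download failed ({1})' -f $name, $_.Exception.Message }
}
```

The flag values (65, 6, 79, 1, 2, 2) are the numeric form of exactly the checkbox combinations listed in steps 3a and 3b.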