Creating a certificate revocation list (CRL) distribution point on the DirectAccess server
In this section, we will configure a location on the DirectAccess server to store the CRL for clients connecting to the server. We will make this CRL web-enabled by creating an IIS Web site on the DirectAccess server. We will then configure the Certificate Authority to publish the CRL to the DirectAccess server via a shared folder. To accomplish the above tasks, perform the following:
1. Log on to the DirectAccess server (LABDA1) and create a new folder on the root of C: named CRL (see Figure 5).
2. Add the Web server role by opening Server Manager.
3. Then select the Roles node and click the Add Roles link in the middle pane.
4. Click Next to begin the Add Roles Wizard.
5. Select the Web Server (IIS) role as seen in Figure 6. Then click Next.
6. On the Introduction page click Next.
7. Accept the default role services and click Next.
8. Verify settings on the Confirmation page. Then click Install.
9. When the installation is complete, click Close to close the Add Roles Wizard.
To create a Web site which will be used for web CRL distribution, perform the following:
1. Open Server Manager and expand the Roles | Web Server (IIS) nodes.
2. Select the newly added Internet Information Services (IIS) Manager node.
3. In the middle pane, expand the Sites node to reveal the Default Website.
4. Select the Default Website and then click the Basic Settings link in the right pane.
5. Change the Physical path to point to the CRL folder that you previously created (see Figure 7). Then click OK.
6. In the middle pane, double-click the Directory Browsing option. Then click the Enable link in the right Actions pane as seen in Figure 8.
7. Close Server Manager.
We now need to share the CRL folder and give the Certificate Authority permission to access it. Perform the following steps to set up the CRL shared folder:
1. Browse to the CRL folder you previously created at the root of C:\. Right-click the CRL folder and choose Properties.
2. Select the Sharing tab and click the Advanced Sharing button as seen in Figure 9.
3. Click the Share this folder checkbox in the Advanced Sharing window. Then click the Permissions button (see Figure 10).
4. Click the Add button. Then click Object Types.
5. From the Object Types window, select Computers as seen in Figure 11. Then click OK.
6. Enter the name of the Certificate Authority computer and click OK.
7. Allow the CA computer Full Control permissions. Then click OK.
8. Click OK on the Advanced Sharing window and click Close on the Properties window.
You now need to enable the server as a CRL distribution point and publish the CRL to the distribution point. Perform the following to complete these tasks:
1. Log on to the Certificate Authority and open Server Manager.
2. Expand the nodes Roles | Active Directory Certificate Services.
3. Right-click the node representing the Certificate Authority, and select Properties (see Figure 12).
4. Select the Extensions tab in the CA Properties window.
5. Click Add to add a new CRL distribution point.
6. Enter the URL you wish to use for the CRL located on the DirectAccess server.
7. Select the variable <CAName> and click Insert.
8. Select the variable <CRLNameSuffix> and click Insert.
9. Select the variable <DeltaCRLAllowed> as seen in Figure 13. Then click Insert.
10. Go to the end of the long URL string created in the Location field and enter .crl at the end of the string. Then click OK.
11. Select the two options Include in CRLs. Clients use this to find Delta CRL locations and Include in the CDP extension of issued certificates.
12. Click the Add button.
13. In the Location text box, enter \\locationofDAServer\CRL\ (see Figure 14).
14. Select the variable <CAName> and click Insert.
15. Select the variable <CRLNameSuffix> and click Insert.
16. Select the variable <DeltaCRLAllowed> and click Insert.
17. Again add .crl to the end of the newly created location string as seen in Figure 15.
18. Select the option Publish CRLs to this location.
19. Select the option Publish Delta CRLs to this location (see Figure 16) and click OK.
20. When prompted to restart Active Directory Certificate Services, click Yes.
21. Expand the Certificate Authority node within Server Manager.
22. Right-click the Revoked Certificates node and select All Tasks | Publish.
23. Choose the option New CRL and click OK. This will publish the full CRL to the path, making it accessible via the file share and the default Web site on the DirectAccess server.
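The same procedure as a PowerShell script, added here as an example rather than taken from the article; it assumes the DirectAccess server is LABDA1, the CA computer is LABCA1 in domain LAB, the client-facing CRL host name is crl.lab.example, and Windows Server 2012 or later (for the SmbShare and ADCSAdministration modules).

```powershell
# Added example, not the article's own steps. Assumptions: DirectAccess server
# LABDA1, CA computer LABCA1 (account LAB\LABCA1$), HTTP name crl.lab.example.

# ---- Part 1: run on the DirectAccess server (LABDA1) ----
$crlDir    = 'C:\CRL'
$caAccount = 'LAB\LABCA1$'            # assumption: the CA's computer account

New-Item -Path $crlDir -ItemType Directory -Force | Out-Null
Install-WindowsFeature Web-Server -IncludeManagementTools | Out-Null

# The CA writes the CRL with its machine account, so grant the computer object
# (the GUI steps pick Object Types -> Computers for the same reason). Share
# permissions alone are not enough; NTFS must allow the write as well.
New-SmbShare -Name CRL -Path $crlDir -FullAccess $caAccount | Out-Null
icacls $crlDir /grant "$($caAccount):(OI)(CI)M" | Out-Null

# Point the Default Web Site at the CRL folder and enable directory browsing.
Import-Module WebAdministration
Set-ItemProperty 'IIS:\Sites\Default Web Site' -Name physicalPath -Value $crlDir
Set-WebConfigurationProperty -PSPath 'IIS:\Sites\Default Web Site' `
    -Filter /system.webServer/directoryBrowse -Name enabled -Value $true
# Delta CRL file names contain '+', which IIS request filtering rejects unless
# double escaping is allowed; without this, clients cannot fetch the delta CRL.
Set-WebConfigurationProperty -PSPath 'IIS:\Sites\Default Web Site' `
    -Filter /system.webServer/security/requestFiltering `
    -Name allowDoubleEscaping -Value $true

# ---- Part 2: run on the CA (LABCA1) ----
$tokens  = '<CAName><CRLNameSuffix><DeltaCRLAllowed>.crl'
$httpCdp = "http://crl.lab.example/$tokens"   # assumption: name clients resolve
$uncCdp  = "\\LABDA1\CRL\$tokens"

Import-Module ADCSAdministration
# HTTP entry: advertised to clients in issued certificates (CDP extension) and
# in CRLs (Freshest CRL), i.e. the two "Include ..." options in step 11 above.
Add-CACrlDistributionPoint -Uri $httpCdp -AddToCertificateCdp -AddToFreshestCrl -Force
# UNC entry: a publish target only (steps 18-19); never handed out to clients.
Add-CACrlDistributionPoint -Uri $uncCdp -PublishToServer -PublishDeltaToServer -Force

Restart-Service certsvc               # the GUI prompts for this restart too
certutil -crl | Out-Null              # publish a new base CRL (and delta) now

# ---- Check: the CRL must actually be reachable at the URL clients will use ----
Get-CACrlDistributionPoint | Format-Table Uri, AddToCertificateCdp, PublishToServer
$listing = Invoke-WebRequest -UseBasicParsing -Uri 'http://crl.lab.example/'
if ($listing.Content -notmatch '\.crl') { throw 'No .crl file visible over HTTP' }
```

Run Part 1 on LABDA1 and Part 2 on LABCA1 in an elevated PowerShell session; the final check fails loudly if the CA could not write to the share or IIS is not serving the folder.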