Posted by booster on August 9, 2007, 2:58 am
Hello Brian
Thank you very much !
So i was right ;-)
Stephan
--
~~~~~~~~~~~~~~~~~~~~
..is an MCSE 2003 and MCDBA
~~~~~~~~~~~~~~~~~~~~
"Brian Komar" wrote:
> I have always done it with a scheduled tasks
>
> Base CRL:
>
> certutil -crl
> sleep 5
> Copy %windir%\system32\certsrv\certenroll\*.cr? \\targetserver\share
>
> Delta CRL:
>
> certutil -crl delta
> sleep 5
> Copy %windir%\system32\certsrv\certenroll\*.cr? \\targetserver\share
>
> Here are the caveats:
> 1) The account that runs the scheduled tasks must be
> - Assigned the Manage CA permission at the CA (allows publication of a new
> CRL)
> - Be assigned write permissions to the share on the target server
> - Be assigned Read and Modify NTFS permissions
>
> 2) You can use *any* transfer protocol. We have used SSH, RCP, SCP, FTP,
> Robocopy, Xcopy, Copy for the transfer line. You just need to set it up to
> meet the security requirements of your org. It does not have to be copied to
> a windows server.
>
> 3) Set the scheduled task to execute at your required CRL publication
> interval.
>
> Brian
>
> > Thank you Jon,
> > that's what i suspected.
> > Of course, the CRL of the offline RootCA has to be published manually. We
> > will do this every 180 days.
> >
> > Anyway, the CRL of the online issuing CA is published every 12 hours, and
> > this publishing works fine for LDAP publishing.
> > And i think, the publishing of the "public" http address has to be done
> > with
> > a scheduled script...
> >
> > Other inputs out there ?
> >
> > booster
> > ~~~~~~~~~~~~~~~~~~~~
> > ..is an MCSE 2003 and MCDBA
> > ~~~~~~~~~~~~~~~~~~~~
> >
> >
> >
> > "Jon Holvoet" wrote:
> >
> >> If I am not mistaken, you are indeed obligated to manually publish it. I
> >> am
> >> not aware of an automated manner with an offline root, so please correct
> >> me
> >> when I'm wrong. You can however, always automate it yourself with
> >> scripting
> >> if the machine is still physically connected to the LAN, but with the
> >> certificate services stopped, or even powered down, but of course this
> >> lowers the level of trust for your CA compared with a fully offline and
> >> possibly vaulted offline root CA.
> >>
> >> In order to update the CRL you can indeed copy the CRL from
> >> %windir%\system32\CertSrv\CertEnroll\CAname.crl to your distribution
> >> points. It is best to make this a recurring task, and to include this in
> >> your Certificate Practice Statement.
> >>
> >> --
> >>
> >> Jon Holvoet
> >> MCSA / MCSE Security
> >> Comptia Security+
> >> CISSP
> >>
> >>
> >> > Hello
> >> >
> >> > Just installed a 2 tier PKI with Offline Root CA and 1 online issuing
> >> > CA
> >> > with the WebComponents.
> >> >
> >> > Everything works, PKI View is all Green.
> >> >
> >> > But, what if a new CRL is published ? LDAP publishing works, the new
> >> > CRL
> >> > is
> >> > published.
> >> > The http location is not updated, it's a manually created directory and
> >> > available on the IIS as virtual directory. the *.crl's are not updated
> >> > there,
> >> > do i have to copy the new published crls from
> >> > c:\windows\system32\certsrv\certenroll ???
> >> >
> >> > Or did i miss something ?
> >> >
> >> > Regards.
> >> >
> >> > booster
> >> > --
> >> > ~~~~~~~~~~~~~~~~~~~~
> >> > ..is an MCSE 2003 and MCDBA
> >> > ~~~~~~~~~~~~~~~~~~~~
> >> >
> >>
> >>
> >>
>
>
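The scheduled-task procedure Brian describes above (certutil -crl, wait, copy to the share), written out as an added PowerShell example that is not part of the thread. It keeps the same three steps but replaces the fixed "sleep 5" with a wait for the CRL file to actually be rewritten, copies via a temporary name so a client never fetches a half-written file, and checks the copy by hash. The share name \\webserver\cdp, the 60-second timeout and the schtasks line are placeholders; Get-FileHash needs PowerShell 4 or later, which is an assumption not stated in the thread.

```powershell
# Added example, not from the thread: publish a base or delta CRL from an
# online issuing CA and copy it to the HTTP CDP share, the way Brian's
# scheduled task does, with a few checks a practitioner would want.
#
# Register it at your CRL publication interval, e.g. (placeholder values):
#   schtasks /create /tn "Publish CRL" /sc hourly /mo 12 /ru DOMAIN\svc-crlpub /rp * ^
#     /tr "powershell.exe -NonInteractive -ExecutionPolicy Bypass -File C:\Scripts\Publish-Crl.ps1"
# The task account needs Manage CA on the CA, write access to the share and
# Modify NTFS rights on the target folder, exactly as Brian lists.
param(
    [switch]$Delta,                            # publish only the delta CRL
    [string]$TargetShare = '\\webserver\cdp'   # placeholder UNC path behind the IIS virtual directory
)

$ErrorActionPreference = 'Stop'
$certEnroll = Join-Path $env:windir 'system32\certsrv\certenroll'
$started    = Get-Date

# 1. Ask the CA to publish. "certutil -crl" writes the base CRL (and a delta if
#    delta CRLs are enabled); "certutil -crl delta" rewrites only the delta CRL.
$certutilArgs = if ($Delta) { @('-crl', 'delta') } else { @('-crl') }
& certutil.exe @certutilArgs | Out-Null
if ($LASTEXITCODE -ne 0) {
    throw "certutil -crl failed with exit code $LASTEXITCODE (does the task account hold Manage CA?)"
}

# 2. Instead of a fixed sleep, wait until at least one CRL in CertEnroll has a
#    LastWriteTime at or after the moment we started (60 s timeout is a placeholder).
$deadline = $started.AddSeconds(60)
do {
    $fresh = Get-ChildItem -Path $certEnroll -Filter '*.crl' |
             Where-Object { $_.LastWriteTime -ge $started }
    if (-not $fresh) { Start-Sleep -Seconds 2 }
} until ($fresh -or (Get-Date) -gt $deadline)
if (-not $fresh) { throw "No CRL in $certEnroll was rewritten within 60 s" }

# 3. Copy every CRL (base CAname.crl and delta CAname+.crl) to the share.
#    Write to a temporary name first and rename, so a client hitting the CDP
#    during the copy never downloads a truncated CRL, then verify by hash.
foreach ($crl in Get-ChildItem -Path $certEnroll -Filter '*.crl') {
    $dest = Join-Path $TargetShare $crl.Name
    $tmp  = "$dest.tmp"
    Copy-Item -LiteralPath $crl.FullName -Destination $tmp -Force
    Move-Item -LiteralPath $tmp -Destination $dest -Force
    $srcHash = (Get-FileHash -LiteralPath $crl.FullName -Algorithm SHA256).Hash
    $dstHash = (Get-FileHash -LiteralPath $dest         -Algorithm SHA256).Hash
    if ($srcHash -ne $dstHash) {
        throw "Hash mismatch after copying $($crl.Name) to $TargetShare"
    }
    Write-Output ("Published {0} ({1} bytes) to {2}" -f $crl.Name, $crl.Length, $dest)
}

# 4. Parse what is now on the share and report NextUpdate. The task interval
#    must be shorter than the gap to NextUpdate, or clients will be handed an
#    expired CRL and revocation checking will start failing.
foreach ($crl in Get-ChildItem -Path $TargetShare -Filter '*.crl') {
    $dump = & certutil.exe -dump $crl.FullName
    $next = $dump | Select-String 'NextUpdate' | Select-Object -First 1
    Write-Output ("{0}: {1}" -f $crl.Name, ("$next" -replace '^\s+', ''))
}
```

Run it once by hand under the task account before scheduling it; if step 1 fails, the account lacks Manage CA, and if step 3 fails, the share or NTFS permissions are wrong, which matches the two permission caveats in Brian's reply.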