Posted by Marlon Brown on January 23, 2007, 5:51 pm
I am following the steps outlined by the help files of "Certification
Authority", Windows 2003. I am setting up the Offline Root CA (Win2003 AD
environment).
My understanding is that since the Offline Root CA is going to be kept
offline (dahh, hence the name!), I should change the URL location of the
certificate revocation list (CRL) distribution point to another location
(correct me if I am wrong).
My question is, can you shed some light on which variable I should change in
my case? Is it a good idea to 'indicate that you want to use a URL as CRL
distribution point'? In addition to the OfflineRootCAServer, I will have
(2) IssuingCA servers.
If I do not use the URL as a revocation distribution point, what are my
options?
To specify certificate revocation list distribution points in issued
certificates:
1. Log on to the system as a Certification Authority Administrator.
2. Open Certification Authority.
3. In the console tree, click the certification authority.
   Where? Certification Authority (Computer) > CA name
4. On the Action menu, click Properties.
5. On the Extensions tab, confirm that Select extension is set to CRL
   Distribution Point (CDP).
6. Do one or more of the following. (The list of CRL distribution points
   is in the "Specify locations from which users can obtain a certificate
   revocation list (CRL)" box.)
   To: Add a new certificate revocation list (CRL) distribution point.
   Do this: Click Add, type the name of the new CRL distribution point, and
   click OK.
   To: Remove a CRL distribution point from the list.
   Do this: Click the CRL distribution point, click Remove, and then click OK.
   To: Indicate that you want to use a URL as a CRL distribution point.
   Do this: Click the CRL distribution point, select the "Include in the CDP
   extension of issued certificates" check box, and then click OK.
   To: Indicate that you do not want to use a URL as a CRL distribution point.
   Do this: Click the CRL distribution point, clear the "Include in the CDP
   extension of issued certificates" check box, and then click OK.
   To: Indicate that you want to use a URL as a delta CRL distribution point.
   Do this: Click the CRL distribution point, select the "Publish Delta CRLs
   to this location" check box, and then click OK.
   To: Indicate that you do not want to use a URL as a delta CRL distribution
   point.
   Do this: Click the CRL distribution point, clear the "Publish Delta CRLs
   to this location" check box, and then click OK.
   To: Indicate that you want to publish this location in CRLs to point
   clients to a delta CRL.
   Do this: Click the CRL distribution point, select the "Include in CRLs.
   Clients use this to find Delta CRL locations." check box, and then click OK.
   To: Indicate that you do not want to publish this location in CRLs to
   point clients to a delta CRL.
   Do this: Click the CRL distribution point, clear the "Include in CRLs.
   Clients use this to find Delta CRL locations." check box, and then click OK.
7. Click Yes to stop and restart the Certificate Services service.
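The same CDP/AIA settings the console steps above configure, scripted with certutil for an offline root so the CRL is published to an HTTP location that stays reachable while the root itself is off. This is an added example, not part of the original post or the help file; the host name pki.example.com and the choice of 26-week CRLs are assumptions.

```powershell
# Added example (not from the original post). Assumptions: clients can reach
# http://pki.example.com while the root CA is offline; run elevated on the
# root CA after Certificate Services is installed.

# Flag bits used in each URL entry (values from certsrv.h):
#   1  = publish CRLs to this location            (CSURL_SERVERPUBLISH)
#   2  = include in the CDP extension of issued certs (CSURL_ADDTOCERTCDP)
#   4  = include in CRLs so clients find delta CRLs (CSURL_ADDTOFRESHESTCRL)
#   8  = include in the IDP extension of CRLs      (CSURL_ADDTOCRLCDP)
#  64  = publish delta CRLs to this location       (CSURL_SERVERPUBLISHDELTA)
# An offline root issues no delta CRLs, so 4 and 64 are deliberately left off.
$httpBase = "http://pki.example.com/CertEnroll"   # assumed hostname

# CRL distribution points: a local file location the CA writes to (flag 1) and
# the HTTP URL that is stamped into issued certificates (flag 2).
# Tokens: %3 = CA name, %8 = CRL name suffix, %9 = delta CRL name suffix.
# certutil expects the literal two characters \n between multi-string entries.
$cdp = "1:$env:windir\system32\CertSrv\CertEnroll\%3%8%9.crl" +
       "\n2:$httpBase/%3%8%9.crl"
certutil -setreg CA\CRLPublicationURLs $cdp

# AIA (where clients fetch the CA certificate). %1 = server DNS name,
# %3 = CA name, %4 = certificate name suffix.
$aia = "1:$env:windir\system32\CertSrv\CertEnroll\%1_%3%4.crt" +
       "\n2:$httpBase/%1_%3%4.crt"
certutil -setreg CA\CACertPublicationURLs $aia

# A long base CRL lifetime means the root only has to come online to re-sign
# the CRL every few months; delta CRLs are disabled entirely.
certutil -setreg CA\CRLPeriodUnits 26
certutil -setreg CA\CRLPeriod "Weeks"
certutil -setreg CA\CRLDeltaPeriodUnits 0

# Step 7 of the procedure: restart the service, then publish a fresh CRL to
# the local CertEnroll folder (copy it to the HTTP host by hand afterwards).
Restart-Service certsvc
certutil -CRL

# Check: both entries should be listed with the flags set above.
certutil -getreg CA\CRLPublicationURLs
```

After an issuing CA certificate has been signed by this root, `certutil -verify -urlfetch <issuing-ca.cer>` from a domain workstation confirms that the HTTP CDP and AIA URLs actually resolve and download.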