Specify CRL Distribution Points
Applies To: Windows Server 2008
You can add, remove, or modify certificate revocation list (CRL) distribution points in issued certificates by using the following procedure. However, changing the URL of a CRL distribution point affects only certificates issued after the change. Previously issued certificates continue to reference the original location, so keep publishing the CRL at the old location until every certificate that references it has expired or been replaced; otherwise revocation checking for those certificates fails.
You must be a certification authority (CA) administrator to complete this procedure. For more information, see Implement Role-Based Administration.
To specify CRL distribution points in issued certificates
Open the Certification Authority snap-in.
In the console tree, click the name of the CA.
On the Action menu, click Properties, and then click the Extensions tab. Confirm that Select extension is set to CRL Distribution Point (CDP).
Do one or more of the following. (The list of CRL distribution points is in the Specify locations from which users can obtain a certificate revocation list (CRL) box.)
To add a new CRL distribution point
Click Add, type the location (URL or file path) of the new CRL distribution point, and then click OK.
To remove a CRL distribution point from the list
Click the CRL distribution point, click Remove, and then click OK.
To indicate that you want to use a URL as a CRL distribution point
Click the CRL distribution point, select the Include in the CDP extension of issued certificates check box, and then click OK.
To indicate that you do not want to use a URL as a CRL distribution point
Click the CRL distribution point, clear the Include in the CDP extension of issued certificates check box, and then click OK.
To indicate that you want to use a URL as a delta CRL distribution point
Click the CRL distribution point, select the Publish Delta CRLs to this location check box, and then click OK.
To indicate that you do not want to use a URL as a delta CRL distribution point
Click the CRL distribution point, clear the Publish Delta CRLs to this location check box, and then click OK.
To indicate that you want to publish this location in CRLs to point clients to a delta CRL
Click the CRL distribution point, select the Include in CRLs. Clients use this to find Delta CRL locations check box, and then click OK.
To indicate that you do not want to publish this location in CRLs to point clients to a delta CRL
Click the CRL distribution point, clear the Include in CRLs. Clients use this to find Delta CRL locations check box, and then click OK.
Click Yes to stop and restart Active Directory Certificate Services (AD CS).
CRL URLs can be HTTP, FTP, LDAP, or FILE addresses. Choose locations that the relying parties of the issued certificates can reach: an LDAP location requires access to AD DS and a FILE (UNC) location requires SMB access, so an HTTP location is normally the one that serves clients outside the domain. You can use the following variables when specifying the address of the CRL.
Variable | Value
---|---
CAName | The name of the CA
CAObjectClass | The object class identifier for a CA, used when publishing to an LDAP URL
CATruncatedName | The "sanitized" name of the CA, truncated to 32 characters with a hash at the end
CDPObjectClass | The object class identifier for CRL distribution points, used when publishing to an LDAP URL
CertificateName | The renewal extension of the CA certificate (empty for the original certificate, then an index for each renewal)
ConfigurationContainer | The location of the Configuration container in Active Directory Domain Services (AD DS)
CRLNameSuffix | Inserts a name suffix at the end of the file name when publishing a CRL to a file or URL location
DeltaCRLAllowed | When a delta CRL is published, expands to a separate suffix (a plus sign) that distinguishes the delta CRL from the base CRL; empty when a base CRL is published
ServerDNSName | The DNS name of the CA server
ServerShortName | The NetBIOS name of the CA server
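The same settings that the procedure above configures through the Extensions tab are stored in the CA's CRLPublicationURLs registry value and can be set and verified from the console with certutil. The following PowerShell script is an added example, not code from the original page or from Microsoft; the CA name "Contoso Issuing CA", the web host pki.contoso.com, and the path of the previously issued certificate are assumptions to replace with your own values. It also shows how the variables in the table above are written as numbered tokens in that value.

```powershell
# Added example (not from the original page): configure and verify CDP locations
# with certutil instead of the Certification Authority snap-in.
# Assumed names: CA "Contoso Issuing CA", web host pki.contoso.com, C:\temp\previously-issued.cer.

# CRLPublicationURLs is a multi-string; each entry is "<flags>:<location>". The flag
# value is the sum of the check boxes on the Extensions tab:
#    1  Publish CRLs to this location
#    2  Include in the CDP extension of issued certificates
#    4  Include in CRLs. Clients use this to find Delta CRL locations
#    8  Include in all CRLs (where to publish in AD DS when publishing manually)
#   64  Publish Delta CRLs to this location
#  128  Include in the IDP extension of issued CRLs
# The variables from the table are written as numbered tokens:
#   %1 ServerDNSName  %2 ServerShortName  %3 CAName  %4 CertificateName
#   %6 ConfigurationContainer  %7 CATruncatedName  %8 CRLNameSuffix
#   %9 DeltaCRLAllowed  %10 CDPObjectClass  %11 CAObjectClass

function ConvertFrom-CdpEntry {
    # Decode one "<flags>:<location>" entry into the check boxes it represents.
    param([Parameter(Mandatory=$true)][string]$Entry)
    $flags, $location = $Entry -split ':', 2
    $n = [int]$flags
    New-Object -TypeName PSObject -Property @{
        Location             = $location
        PublishCrl           = [bool]($n -band 1)
        IncludeInCertCdp     = [bool]($n -band 2)
        IncludeInFreshestCrl = [bool]($n -band 4)
        IncludeInAllCrls     = [bool]($n -band 8)
        PublishDeltaCrl      = [bool]($n -band 64)
        IncludeInCrlIdp      = [bool]($n -band 128)
    }
}

# 1+64: the CA writes base and delta CRLs to its local CertEnroll folder.
$local = '65:C:\Windows\system32\CertSrv\CertEnroll\%3%8%9.crl'
# 2+4: HTTP location placed in issued certificates and in base CRLs (delta pointer).
#      No publish flag: the web server on pki.contoso.com serves the files the CA writes locally.
$http  = '6:http://pki.contoso.com/CertEnroll/%3%8%9.crl'
# 1+2+4+8+64: AD DS location, reachable only by clients that can query the directory.
$ldap  = '79:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10'

# Decode the entries before applying them so a wrong flag sum is caught first.
$local, $http, $ldap | ForEach-Object { ConvertFrom-CdpEntry $_ } | Format-Table -AutoSize

# certutil turns the literal "\n" sequences into the separate strings of the multi-string value.
certutil -setreg CA\CRLPublicationURLs "$local\n$http\n$ldap"

# The new settings take effect only after AD CS restarts (the "Click Yes" step of the procedure).
Restart-Service certsvc

# Publish a CRL to the configured locations and read back what is stored.
certutil -CRL
certutil -getreg CA\CRLPublicationURLs

# Previously issued certificates still carry the old locations: -urlfetch downloads every
# CDP listed in the certificate and reports each location that cannot be retrieved.
certutil -verify -urlfetch 'C:\temp\previously-issued.cer'
```

Run the script in an elevated PowerShell session on the CA as a CA administrator. The decoded table printed by ConvertFrom-CdpEntry should match the check boxes you expect to see afterwards on the Extensions tab; if the HTTP entry does not show IncludeInCertCdp, newly issued certificates will not reference it.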