Thursday, November 19, 2015

Creating a Certificate Revocation List Distribution Point for Your Internal Certification Authority

1. On DC1, click Start, click Administrative Tools, and then click Certification Authority.
2. In the details pane, right-click the name of the CA (for example, DC1-CA), and then click Properties.
3. Click the Extensions tab.
4. On the Extensions tab, click Add. In Location, type http://crl.<domain name>/crld/ (for example, http://crl.contoso.com/crld/). This host name must match the DNS record you create later, and that record must point at the web server that will host the CRLD virtual directory, not at the CA.
5. In Variable name, click <CaName>, click Insert; click <CRLNameSuffix>, click Insert; click <DeltaCRLAllowed>, click Insert.
6. In Location, type .crl at the end of the Location string, so that it reads http://crl.contoso.com/crld/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl, and then click OK.
7. Select Include in CRLs. Clients use this to find Delta CRL locations. and Include in the CDP extension of issued certificates, then click Apply. Do not select Publish CRLs to this location for the HTTP URL: the CA cannot write to a web server over HTTP; it only writes to the file share configured next, and IIS serves the files from there. Click No in the dialog box asking you to restart Active Directory Certificate Services; the restart can wait until the file share location is in place.

Configure the file share definition:

1. Click Add.
2. In Location, define the file server and share name. For example, type \\fs01\crldist$\ (see the note below).
Note: The file share definition above contains the special character '$', which hides the share from simple browsing. If you know the name of the server and the share, you can connect, provided you have the permissions, but browsing a list of computers and their shared resources will not list the share crldist. This is not a security mechanism; it is only a way to keep special-purpose shares that are not meant for users out of the browse list.
3. In Variable name, click <CaName>, click Insert; click <CRLNameSuffix>, click Insert; click <DeltaCRLAllowed>, click Insert.
4. In Location, type .crl at the end of the Location string, so that it reads \\fs01\crldist$\<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl, and then click OK.
5. Select Publish CRLs to this location and Publish Delta CRLs to this location, then click Apply. Click Yes in the dialog box asking you to restart Active Directory Certificate Services. The CA will not actually be able to publish until the share exists and its computer account can write to it (see the file share section below), so expect a publication error in the Application log until then.
6. Close the Certification Authority console.
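The same CA-side configuration from PowerShell, as an added example that is not part of the original post. It uses the ADCSAdministration module that ships with the AD CS role on Windows Server 2012 and later; the host crl.contoso.com, the share \\fs01\crldist$ and the CA name DC1-CA are the post's example values and are assumed here.

```powershell
# Added example, not from the original post. Run on the CA (DC1) as a CA administrator.
# Assumed values taken from the post: HTTP CDP host crl.contoso.com, share \\fs01\crldist$.
Import-Module ADCSAdministration

$httpCdp  = 'http://crl.contoso.com/crld/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl'
$shareCdp = '\\fs01\crldist$\<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl'

# What is configured already. The default local CertEnroll and ldap:/// locations are
# left in place; the two calls below only add to the list.
Get-CACrlDistributionPoint |
    Format-Table Uri, AddToCertificateCdp, AddToFreshestCrl, PublishToServer, PublishDeltaToServer -AutoSize

# HTTP URL: "Include in the CDP extension of issued certificates" and
# "Include in CRLs. Clients use this to find Delta CRL locations".
# The CA never writes to an HTTP URL, so PublishToServer is deliberately not set here.
Add-CACrlDistributionPoint -Uri $httpCdp -AddToCertificateCdp -AddToFreshestCrl -Force

# File share: "Publish CRLs to this location" and "Publish Delta CRLs to this location".
# Not added to issued certificates, so clients never see the UNC path.
Add-CACrlDistributionPoint -Uri $shareCdp -PublishToServer -PublishDeltaToServer -Force

# The GUI and the cmdlets both write CA\CRLPublicationURLs: one line per location,
# numeric flags first (1 = publish base, 64 = publish delta, 2 = in certificates,
# 4 = in CRLs for delta lookup). On Windows Server 2008 R2, without the module,
# certutil -setreg CA\CRLPublicationURLs takes the same list with those flags.
certutil -getreg CA\CRLPublicationURLs

# The CA reads the publication URLs at start-up. Restart once the share exists, because
# the next CRL publication will try to write there.
Restart-Service certsvc
```

Run the Get-CACrlDistributionPoint line again after the restart; the two new locations should be listed with exactly the flags shown in the comments and nothing else set.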

Create a DNS record for crl.contoso.com

1. On your DNS Server, click Start, click Administrative Tools, click DNS.
2. In the DNS Manager console, expand your DNS server, expand Forward Lookup Zones. Right-click your domain name, and click New Host (A or AAAA).
3. In the New Host dialog box, type crl in Name (uses parent domain name if blank). In IP address, type the IP address of FS01, the server that will host the CRLD virtual directory in IIS. Do not point it at the CA: the CA only writes the CRL files to the file share; the web server is what answers the HTTP requests that clients make for the URL in the CDP extension. Click Add Host. Click OK in the dialog box noting that the record was created. Click Done in the New Host dialog box.
4. Close the DNS Manager console.
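The DNS step from PowerShell with a check that the name lands on the right host, as an added example that is not part of the original post. It uses the DnsServer module (Windows Server 2012 and later); the zone contoso.com and the web server name FS01 are assumed from the post's example values.

```powershell
# Added example, not from the original post. Run on the DNS server as a DNS administrator.
# Assumed values from the post: zone contoso.com, web server FS01 hosting the CRLD directory.
Import-Module DnsServer

$zone    = 'contoso.com'
$webHost = 'FS01'

# Resolve the web server's own A record so the CDP name is tied to it, not typed by hand.
$webIp = (Resolve-DnsName -Name "$webHost.$zone" -Type A).IPAddress |
    Select-Object -First 1

Add-DnsServerResourceRecordA -ZoneName $zone -Name 'crl' -IPv4Address $webIp

# Check from the CA or any client: the host name that clients will read out of the CDP
# extension must resolve to the IIS server. A common slip is pointing it at the CA,
# which is not listening on port 80 and makes every HTTP CRL fetch fail.
$resolved = (Resolve-DnsName -Name "crl.$zone" -Type A).IPAddress
if (-not ($resolved -contains $webIp)) {
    Write-Warning "crl.$zone resolves to $($resolved -join ', '); expected $webIp ($webHost)"
}
```

If the web server is likely to move, a CNAME for crl pointing at fs01.contoso.com (Add-DnsServerResourceRecordCName) avoids an A record that silently goes stale; the check above still applies.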

Configure the file server for HTTP CRL distribution

1. Install the Web Server (IIS) role on FS01. Accept at least the defaults, and then click Install.
2. Verify that the IIS installation was successful and then click Close.
3. To create the web-based CDP, click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
4. In the console tree, navigate to FS01\Sites\Default Web Site. Right-click Default Web Site and click Add Virtual Directory.
5. In the Add Virtual Directory dialog box, in Alias, type CRLD. Next to Physical path, click the ellipsis “…” button.
6. In the Browse for Folder dialog box, click Local Disk (C:), and then click Make New Folder.
7. Type CRLDist, and then press ENTER. Click OK in the Browse for Folder dialog box.
8. Click OK in the Add Virtual Directory dialog box.
9. In the console tree, click the CRLD virtual directory, so that the next two settings apply only to it and not to the whole Default Web Site.
10. In the middle pane of the console, double-click Directory Browsing, and then, in the Actions pane, click Enable. Directory browsing is only a convenience for checking that the CRL files are there; clients request the CRL file by name and do not need a listing.
11. With CRLD still selected, in the middle pane of the console, double-click the Configuration Editor icon.
12. Click the down-arrow for the Section drop-down list, and then navigate to system.webServer/security/requestFiltering.
13. In the middle pane of the console, double-click the allowDoubleEscaping entry to change the value from False to True. The delta CRL file name ends in +.crl, and request filtering rejects the + in the request path as double escaping unless this is allowed; leave the setting at False everywhere else on the site.
14. In the Actions pane, click Apply.
15. Close the Internet Information Services (IIS) Manager console.
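The web server side from PowerShell, scoped to the virtual directory, followed by the fetch test a practitioner would run, as an added example that is not part of the original post. The alias CRLD, the folder C:\CRLDist, the host crl.contoso.com and the CA name DC1-CA are assumed from the post's example values.

```powershell
# Added example, not from the original post. Run on FS01 as a local administrator.
# Assumed values from the post: alias CRLD, folder C:\CRLDist, CA name DC1-CA, host crl.contoso.com.
Install-WindowsFeature Web-Server -IncludeManagementTools
Import-Module WebAdministration

$physicalPath = 'C:\CRLDist'
$vdir         = 'IIS:\Sites\Default Web Site\CRLD'

New-Item -ItemType Directory -Path $physicalPath -Force | Out-Null
New-WebVirtualDirectory -Site 'Default Web Site' -Name 'CRLD' -PhysicalPath $physicalPath

# Directory browsing is a convenience for eyeballing the folder; CRL checking does not
# need it. Scope it to the virtual directory rather than the whole Default Web Site.
Set-WebConfigurationProperty -PSPath $vdir -Filter 'system.webServer/directoryBrowse' `
    -Name 'enabled' -Value $true

# The delta CRL is named DC1-CA+.crl. Request filtering treats the '+' in the path as
# double escaping and answers 404 until this is allowed; again only for CRLD.
Set-WebConfigurationProperty -PSPath $vdir -Filter 'system.webServer/security/requestFiltering' `
    -Name 'allowDoubleEscaping' -Value $true

# Check, from any domain member, once the CA has published to the share: both the base
# and the delta CRL must come back with HTTP 200 and parse as CRLs. The '+' is sent
# literally, which is what Windows clients do for the delta name.
foreach ($name in 'DC1-CA.crl', 'DC1-CA+.crl') {
    $file = Join-Path $env:TEMP $name
    Invoke-WebRequest -Uri "http://crl.contoso.com/crld/$name" -OutFile $file -UseBasicParsing
    certutil -dump $file | Select-String 'ThisUpdate|NextUpdate|Delta CRL'
}

# For a certificate issued after the CA change, this walks the CDP URL the way clients do
# and reports whether the CRL was retrieved (assumes an exported certificate file):
#   certutil -verify -urlfetch issued-cert.cer
```

If the base CRL downloads but the delta returns 404, allowDoubleEscaping was set at the wrong level or not applied; confirm with Get-WebConfigurationProperty against the same PSPath and filter.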

Configure the file server for file share CRL publishing

1. On FS01, click Start, and then click Computer.
2. Double-click Local Disk (C:).
3. In the details pane of Windows Explorer, right-click the CRLDist folder and click Properties.
4. In the CRLDist Properties dialog box, click the Sharing tab, and then click Advanced Sharing.
5. In the Advanced Sharing dialog box, select Share this folder.
6. In Share name, add a “$” to the end so that the share name is CRLDist$. Recall that appending the $ hides the share from simple browsing.
7. In the Advanced Sharing dialog box, click Permissions.
8. In the Permissions for CRLDist$ dialog box, click Add. (See Note above.)
9. In the Select Users, Computers, Service Accounts, or Groups dialog box, click Object Types.
10. In the Object Types dialog box, select Computers, and then click OK.
11. In the Select Users, Computers, Service Accounts, or Groups dialog box, in Enter the object names to select, type DC1, and then click Check Names. Click OK.
12. In the Permissions for CRLDist$ dialog box, select DC1 (CONTOSO\DC1$) from the Group or user names list. In the Permissions for DC1 section, select Allow for Full control (Change is enough for the CA service, which runs as the computer account, to create and overwrite the CRL files). Click OK.
13. In the Advanced Sharing dialog box, click OK.
14. In the CRLDist Properties dialog box, click the Security tab.
15. On the Security tab, click Edit.
16. In the Permissions for CRLDist dialog box, click Add.
17. In the Select Users, Computers, Service Accounts, or Groups dialog box, click Object Types.
18. In the Object Types dialog box, select Computers. Click OK.
19. In the Select Users, Computers, Service Accounts, or Groups dialog box, in Enter the object names to select, type DC1, and then click Check Names. Click OK.
20. In the Permissions for CRLDist dialog box, select DC1 (CONTOSO\DC1$) from the Group or user names list. In the Permissions for DC1 section, select Allow for Full control (Modify is enough here as well). Leave the inherited entries in place so that IIS can still read the files for the HTTP CDP. Click OK.
21. Click Close in the CRLDist Properties dialog box.
22. Close the Windows Explorer window.
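The share and its permissions from PowerShell, with the publish-and-verify step that closes the loop, as an added example that is not part of the original post. It grants the CA's computer account Change on the share and Modify on the folder, which is what publishing needs, rather than the Full Control the steps above use. The folder C:\CRLDist, the share name crldist$ and the account CONTOSO\DC1$ are assumed from the post's example values; the last part assumes PowerShell remoting to DC1 and that the CA service was restarted after the publication URLs were added.

```powershell
# Added example, not from the original post. Run on FS01 as a local administrator.
# Assumed values from the post: folder C:\CRLDist, share crldist$, CA computer account CONTOSO\DC1$.
$path      = 'C:\CRLDist'
$share     = 'crldist$'
$caAccount = 'CONTOSO\DC1$'

# Share permission: Change is all the CA needs to create and overwrite the .crl files.
# The trailing '$' only keeps the share out of browse lists; it is not access control.
New-SmbShare -Name $share -Path $path -ChangeAccess $caAccount

# NTFS permission on the folder: Modify, inherited by the files the CA writes (OI/CI).
# Existing inherited entries stay, so IIS can still read the files for the HTTP CDP.
icacls $path /grant "${caAccount}:(OI)(CI)M"

# Review what was actually set before trusting it.
Get-SmbShareAccess -Name $share
icacls $path

# Publish from the CA now instead of waiting for the schedule, then confirm the files landed.
# Assumes PowerShell remoting to DC1 (on by default on Windows Server 2012 and later) and
# that certsvc on DC1 was restarted after the CRL publication URLs were changed.
Invoke-Command -ComputerName DC1 -ScriptBlock { certutil -crl }
Get-ChildItem "\\fs01\$share" -Filter '*.crl'   # expect DC1-CA.crl and DC1-CA+.crl
```

If certutil -crl reports a publication failure, the Application log on DC1 (source CertificationAuthority) names the location it could not write; the usual causes are the share ACL, the NTFS ACL, or the CA service not having been restarted since the location was added.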
