Udostępnij za pośrednictwem


Specify certificate revocation list distribution points in issued certificates

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

You can add, remove, or modify certificate revocation list distribution points (CDPs) in issued certificates by using the following procedure. However, modifying the URL for a CDP only affects newly issued certificates. Previously issued certificates will continue to reference the original location.

To specify certificate revocation list distribution points in issued certificates

  1. Log on to the system as a Certification Authority Administrator.

  2. Open Certification Authority.

  3. In the console tree, click the certification authority.

    Where?

    • Certification Authority (Computer)/CA name
  4. On the Action menu, click Properties.

  5. On the Extensions tab, confirm that Select extension is set to CRL Distribution Point (CDP).

  6. Do one or more of the following. (The list of CRL distribution points is in the Specify locations from which users can obtain a certificate revocation list (CRL) box.)

    To Do this

    Add a new certificate revocation list (CRL) distribution point.

    Click Add, type the name of the new CRL distribution point, and click OK.

    Remove a CRL distribution point from the list.

    Click the CRL distribution point, and then click Remove and click OK.

    Indicate that you want to use a URL as a CRL distribution point.

    Click the CRL distribution point, select the Include in the CDP extension of issued certificates check box, and then click OK.

    Indicate that you do not want to use a URL as a CRL distribution point.

    Click the CRL distribution point, clear the Include in the CDP extension of issued certificates check box, and then click OK.

    Indicate that you want to use a URL as a delta CRL distribution point.

    Click the CRL distribution point, select the Publish Delta CRLs to this location check box, and then click OK.

    Indicate that you do not want to use a URL as a delta CRL distribution point.

    Click the CRL distribution point, clear the Publish Delta CRLs to this location check box, and then click OK.

    Indicate that you want to publish this location in CRLs to point clients to a delta CRL.

    Click the CRL distribution point, select the Include in CRLs. Clients use this to find Delta CRL locations. check box, and then click OK.

    Indicate that you do not want to publish this location in CRLs to point clients to a Delta CRL.

    Click the CRL distribution point, clear the Include in CRLs. Clients use this to find Delta CRL locations. check box, and then click OK.

  7. Click Yes to stop and restart the Certificate Services service.

Notes

  • To open Certification Authority, click Start, click Control Panel, double-click Administrative Tools, and then double-click Certification Authority.

  • Certificate revocation list URLs can be either HTTP, FTP, LDAP, or FILE addresses. You can use the following variables when specifying the address of the CRL.

    Variable Value

    CAName

    The name of the certification authority

    CAObjectClass

    The object class identifier for a certification authority, used when publishing to an LDAP URL

    CATruncatedName

    The "sanitized" name of the certification authority, truncated to 32 characters with a hash on the end

    CDPObjectClass

    The object class identifier for CRL distribution points, used when publishing to an LDAP URL

    CertificateName

    The renewal extension of the certification authority

    ConfigurationContainer

    The location of the Configuration container in Active Directory

    CRLNameSuffix

    Inserts a name suffix at the end of the file name when publishing a CRL to a file or URL location

    DeltaCRLAllowed

    When a delta CRL is published, this replaces the CRLNameSuffix with a separate suffix to distinguish the delta CRL

    ServerDNSName

    The DNS name of the certification authority server

    ServerShortName

    The NetBIOS name of the certification authority server

  • To stop and restart the Certificate Services service, see Related Topics.

Information about functional differences

  • Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings. For more information, see Viewing Help on the Web.

See Also

Concepts

Working with MMC console files
Certificate revocation
Revoke an issued certificate
Schedule the publication of the certificate revocation list
Manually publish the certificate revocation list
View the certificate revocation list