Specify CRL Distribution Points

Source: Internet | Editor: 程序博客网 | Time: 2024/05/22 10:31

http://technet.microsoft.com/en-us/library/cc753296.aspx

Applies To: Windows Server 2008 R2, Windows Server 2012

You can add, remove, or modify certificate revocation list (CRL) distribution points in issued certificates by using the following procedure. However, modifying the URL for a CRL distribution point only affects newly issued certificates. Previously issued certificates will continue to reference the original location.

You must be a certification authority (CA) administrator to complete this procedure. For more information, see Implement Role-Based Administration.

To specify CRL distribution points in issued certificates

  1. Open the Certification Authority snap-in.

  2. In the console tree, click the name of the CA.

  3. On the Action menu, click Properties, and then click the Extensions tab. Confirm that Select extension is set to CRL Distribution Point (CDP).

  4. Do one or more of the following. (The list of CRL distribution points is in the Specify locations from which users can obtain a certificate revocation list (CRL) box.)

    To add a new CRL distribution point

    Click Add, type the name of the new CRL distribution point, and then click OK.

    To remove a CRL distribution point from the list

    Click the CRL distribution point, click Remove, and then click OK.

    To indicate that you want to use a URL as a CRL distribution point

    Click the CRL distribution point, select the Include in the CDP extension of issued certificates check box, and then click OK.

    To indicate that you do not want to use a URL as a CRL distribution point

    Click the CRL distribution point, clear the Include in the CDP extension of issued certificates check box, and then click OK.

    To indicate that you want to use a URL as a delta CRL distribution point

    Click the CRL distribution point, select the Publish Delta CRLs to this location check box, and then click OK.

    To indicate that you do not want to use a URL as a delta CRL distribution point

    Click the CRL distribution point, clear the Publish Delta CRLs to this location check box, and then click OK.

    To indicate that you want to publish this location in CRLs to point clients to a delta CRL

    Click the CRL distribution point, select the Include in CRLs. Clients use this to find Delta CRL locations check box, and then click OK.

    To indicate that you do not want to publish this location in CRLs to point clients to a delta CRL

    Click the CRL distribution point, clear the Include in CRLs. Clients use this to find Delta CRL locations check box, and then click OK.

  5. Click Yes to stop and restart Active Directory Certificate Services (AD CS).

CRL URLs can be HTTP, FTP, LDAP, or FILE addresses. You can use the following variables when specifying the address of the CRL.

Variable                 Value
CAName                   The name of the CA
CAObjectClass            The object class identifier for a CA, used when publishing to an LDAP URL
CATruncatedName          The "sanitized" name of the CA, truncated to 32 characters with a hash at the end
CDPObjectClass           The object class identifier for CRL distribution points, used when publishing to an LDAP URL
CertificateName          The renewal extension of the CA
ConfigurationContainer   The location of the Configuration container in Active Directory Domain Services (AD DS)
CRLNameSuffix            Inserts a name suffix at the end of the file name when publishing a CRL to a file or URL location
DeltaCRLAllowed          When a delta CRL is published, this replaces the CRLNameSuffix variable with a separate suffix to distinguish the delta CRL from the CRL
ServerDNSName            The DNS name of the CA server
ServerShortName          The NetBIOS name of the CA server
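The same settings the procedure above edits through the dialog are stored by AD CS as the CA's CRLPublicationURLs value, one "<flags>:<URL>" entry per location. The following is an added example, not part of the TechNet article: it decodes the flag bits of each entry into the check boxes named above, expands the variables from the table for a base and a delta CRL, and warns when the only location included in the CDP extension of issued certificates is a file path that relying parties outside the CA host cannot retrieve. The numeric flag bits and the %N token numbering are AD CS conventions that this page does not show; the CA names and the sample value are constructed.

```powershell
# Flag bits of a CRLPublicationURLs entry, mapped to the check boxes in the CDP dialog.
# Only the bits whose labels this page uses are decoded (plus the base "publish" bit).
$CdpFlags = [ordered]@{
    1  = 'Publish CRLs to this location'
    2  = 'Include in the CDP extension of issued certificates'
    4  = 'Include in CRLs. Clients use this to find Delta CRL locations'
    64 = 'Publish Delta CRLs to this location'
}

# Expand the %N tokens (registry form of the variables in the table). Values are constructed.
function Expand-CdpUrl {
    param([string]$Template, [bool]$Delta)
    $vars = @{
        '%1'  = 'ca01.corp.example'                    # ServerDNSName
        '%2'  = 'CA01'                                 # ServerShortName
        '%3'  = 'Example-Issuing-CA'                   # CAName
        '%6'  = 'CN=Configuration,DC=corp,DC=example'  # ConfigurationContainer
        '%7'  = 'Example-Issuing-CA'                   # CATruncatedName
        '%8'  = ''                                     # CRLNameSuffix (empty for the first CA key)
        '%9'  = $(if ($Delta) { '+' } else { '' })     # DeltaCRLAllowed ("+" marks the delta CRL)
        '%10' = 'cRLDistributionPoint'                 # CDPObjectClass
        '%11' = 'certificationAuthority'               # CAObjectClass
    }
    $out = $Template
    # Longest tokens first, so %1 does not clobber %10 and %11.
    foreach ($k in ($vars.Keys | Sort-Object Length -Descending)) { $out = $out.Replace($k, $vars[$k]) }
    return $out
}

function Test-CdpConfiguration {
    param([string[]]$Entries)   # lines of the CRLPublicationURLs multi-string value
    $httpInCdp = $false
    foreach ($e in $Entries) {
        $flags, $url = $e -split ':', 2
        $set = $CdpFlags.Keys | Where-Object { ([int]$flags -band $_) -ne 0 } | ForEach-Object { $CdpFlags[$_] }
        [pscustomobject]@{ Url = $url; BaseCrl = Expand-CdpUrl $url $false; DeltaCrl = Expand-CdpUrl $url $true; Enabled = $set -join '; ' }
        if (([int]$flags -band 2) -ne 0) {
            if ($url -like 'file:*' -or $url -like '\\*' -or $url -match '^[A-Za-z]:\\') {
                Write-Warning "$url is in the CDP extension of issued certificates but is a file path; clients off the CA host cannot fetch it."
            }
            if ($url -like 'http://*') { $httpInCdp = $true }
        }
    }
    if (-not $httpInCdp) { Write-Warning 'No HTTP location is included in the CDP extension of issued certificates.' }
}

# Constructed sample: the local CertEnroll folder (publish base + delta) and an HTTP location (in CDP + delta pointer).
$sample = @('65:C:\Windows\system32\CertSrv\CertEnroll\%3%8%9.crl', '6:http://pki.corp.example/CertEnroll/%3%8%9.crl')
Test-CdpConfiguration $sample | Format-Table -AutoSize
```

On a live CA the same entries can be read with certutil -getreg CA\CRLPublicationURLs; as the article notes, changing them only affects certificates issued after the service restart.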

Additional references

  • Configuring Certificate Revocation

  • Manage Certificate Revocation