CRL Publishing Properties

Applies To: Windows Server 2003 with SP1

The Publish CRLs to this location flag identifies the locations to which the CA should publish (that is, place) the physical CRLs when it publishes a CRL, either automatically or manually. This flag specifies only where CRLs are published. It is also used by the certutil.exe -dspublish command when you manually publish CRLs to Active Directory. Whether publishing happens at all is controlled by the Publish CRL and Publish Delta CRL flags on the Revoked Certificates Properties page, which turn the publishing activity on and off.

The Publish CRLs to this location flag indicates the locations that the CA should attempt to use to publish the CRL. This flag does not configure the server to conduct the publishing activity, but only sets it up so that the CA can determine the appropriate locations to which to publish when publishing occurs. Note that actual publishing activity is governed by the Revoked Certificates properties.

The Include in all CRLs flag specifies that the Active Directory publication location should be included in the CRL itself. This information is useful for publishing offline CRLs to Active Directory by using the Certutil.exe tool. To use this, at a command prompt, type certutil -dspublish, and then press ENTER.

The Include in CDP extension of issued certificates flag is used by clients to find the CRL distribution point location for the CRL. You should always specify this flag unless you do not want to use client-side checking or application revocation checking for issued certificates.

The Include in CRLs. Clients use this to find Delta CRLs flag (listed as Include in [base] CRLs in Table 24) is used by clients to determine whether a delta CRL exists and where it is located. The location may or may not be the same as the base CRL location. The delta CRL location is identified in the base CRL by the freshestCRL extension in the CRL object itself.

You may want to have a base CRL in an LDAP location in Active Directory and a delta CRL at an alternate HTTP location because of the differences in replication. If the delta CRL will be issued at an interval that is shorter than the replication convergence time for your forest, the delta CRL should not be published to Active Directory. In many Active Directory networks, it may take hours for Active Directory objects to fully replicate throughout the network. For delta CRLs that may have a lifetime only of a few hours, the replication latency often means that Active Directory clients receive a delta CRL object that has already expired by the time it reaches the client. You can avoid this latency by publishing the delta CRL to an HTTP location that is serviced by fault-tolerant Web servers, where all clients can immediately retrieve a fresh delta CRL.

Table 24 CRL Publishing Properties

Display name | Description | Decimal value | Hexadecimal value
--- | --- | --- | ---
Publish CRLs to this location | Used by the CA to determine whether to publish base CRLs to this URL | 1 | 0x00000001
Include in the CRL distribution point extension of issued certificates | Used by clients during revocation checking to find base CRL locations | 2 | 0x00000002
Include in [base] CRLs | Used by clients during revocation checking to find delta CRL locations from base CRLs | 4 | 0x00000004
Include in all CRLs | Not used during revocation checking. Specifies where to publish in Active Directory when publishing manually using certutil -dspublish. Can be used by an offline CA to specify the LDAP URL for manually publishing CRLs. Must also set the explicit configuration container in the URL or set the DSConfigDN value in the registry: certutil -setreg ca\DSConfigDN CN= | 8 | 0x00000008
 | | 16 | 0x00000010
 | | 32 | 0x00000020
Publish delta CRLs to this location | Used by the CA to determine whether to publish delta CRLs to this URL | 64 | 0x00000040
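As an added example (not part of the original Microsoft documentation), the following Python script encodes the flag values from Table 24 and shows how they combine for the split configuration described above: the base CRL published to Active Directory and the delta CRL published to an HTTP location. It also decodes an existing flag value back into display names and checks for the replication caveat (a delta CRL being published to an LDAP location). The script assumes the "decimal flags:URL" entry format used by the CA's CRLPublicationURLs registry value, which this page does not describe; the URLs and flag combinations are constructed placeholders, not recommended production values.

```python
"""Compose and decode CRL publishing property flags (Table 24 values)."""

# Flag values exactly as listed in Table 24. The table names no flag for
# the values 16 and 32, so they are deliberately not defined here.
PUBLISH_CRL = 0x01          # Publish CRLs to this location
ADD_TO_CERT_CDP = 0x02      # Include in the CDP extension of issued certificates
ADD_TO_BASE_CRL = 0x04      # Include in [base] CRLs (freshestCRL -> delta location)
ADD_TO_ALL_CRLS = 0x08      # Include in all CRLs (used by certutil -dspublish)
PUBLISH_DELTA_CRL = 0x40    # Publish delta CRLs to this location

FLAG_NAMES = {
    PUBLISH_CRL: "Publish CRLs to this location",
    ADD_TO_CERT_CDP: "Include in the CRL distribution point extension of issued certificates",
    ADD_TO_BASE_CRL: "Include in [base] CRLs",
    ADD_TO_ALL_CRLS: "Include in all CRLs",
    PUBLISH_DELTA_CRL: "Publish delta CRLs to this location",
}


def decode_flags(value):
    """Return the Table 24 display name for every bit set in value.

    Bits the table does not name (for example 16 and 32) are reported as
    'unnamed flag 0x...' rather than being guessed.
    """
    names = []
    bit = 1
    while bit <= value:
        if value & bit:
            names.append(FLAG_NAMES.get(bit, "unnamed flag 0x%08x" % bit))
        bit <<= 1
    return names


def parse_entry(entry):
    """Split a '<decimal flags>:<URL>' publication entry into (flags, url).

    This 'N:URL' layout is an assumption about the CRLPublicationURLs
    registry value format; the page itself only lists the flag values.
    """
    flags, sep, url = entry.partition(":")
    if not sep or not flags.isdigit():
        raise ValueError("expected '<decimal flags>:<url>', got %r" % entry)
    return int(flags), url


def split_publishing_entries(ldap_url, http_url):
    """Build the two entries for the scenario in the text.

    The LDAP location receives the base CRL (1), is advertised to clients in
    the certificate CDP extension (2) and carries the AD location for manual
    certutil -dspublish (8). The HTTP location receives only the delta CRL
    (64) and is advertised in the base CRL's freshestCRL extension (4).
    """
    ldap_flags = PUBLISH_CRL | ADD_TO_CERT_CDP | ADD_TO_ALL_CRLS      # 11
    http_flags = PUBLISH_DELTA_CRL | ADD_TO_BASE_CRL                 # 68
    return ["%d:%s" % (ldap_flags, ldap_url), "%d:%s" % (http_flags, http_url)]


def delta_to_ldap_warnings(entries):
    """Return the LDAP URLs that would receive delta CRLs.

    The text warns that a delta CRL whose lifetime is shorter than the
    forest's replication convergence time should not be published to
    Active Directory, so such entries are worth reviewing.
    """
    warnings = []
    for entry in entries:
        flags, url = parse_entry(entry)
        if flags & PUBLISH_DELTA_CRL and url.lower().startswith("ldap:"):
            warnings.append(url)
    return warnings


if __name__ == "__main__":
    # Constructed sample URLs; the CA replaces the %-tokens at publish time.
    sample = split_publishing_entries(
        "ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10",
        "http://pki.example.invalid/CertEnroll/%3%8%9.crl",
    )
    for entry in sample:
        flags, url = parse_entry(entry)
        print(flags, url)
        for name in decode_flags(flags):
            print("   ", name)
    print("delta-to-LDAP warnings:", delta_to_ldap_warnings(sample))
```

Running the script prints each entry followed by the Table 24 names of the bits it sets, and an empty warning list, because the delta CRL is directed only at the HTTP location. Passing an entry such as "79:ldap:///..." (1+2+4+8+64) to delta_to_ldap_warnings reports the LDAP URL, which is the case the replication paragraph advises against.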