
Enabling the Netscape Revocation Method

Updated: August 13, 2009

Applies To: Windows Server 2003 with SP1

To enable a legacy Netscape (iPlanet) application certificate revocation service with a Windows Server 2003 CA, run the following command on the CA:

certutil -SetReg Policy\RevocationType +AspEnable

If the IIS (ASP) pages are hosted on a separate computer, or if the URL that the Netscape application server should use differs from the default, review the currently configured value with the following command:

certutil -getreg Policy\RevocationURL

The value is stored in the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\<CAName>\PolicyModules\CertificateAuthority_MicrosoftDefault.Policy\RevocationURL

RevocationURL REG_SZ = https://%1/CertEnroll/nsrev_%3.asp

The URL may be changed in the registry. Restart the CA after making a change. The following replacement variables may be used in the revocation URL:

SERVERDNSNAME "%1"
SERVERSHORTNAME "%2"
SANITIZEDCANAME "%3"
CERTFILENAMESUFFIX "%4"
DOMAINDN "%5"
CONFIGDN "%6"
SANITIZEDCANAMEHASH "%7"
CRLFILENAMESUFFIX "%8"
CRLDELTAFILENAMESUFFIX "%9"
DSCRLATTRIBUTE "%10"
DSCACERTATTRIBUTE "%11"
DSUSERCERTATTRIBUTE "%12"
DSKRACERTATTRIBUTE "%13"
DSCROSSCERTPAIRATTRIBUTE "%14"
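As an added illustration (not part of the original article and not certutil's own logic), the following Python helper expands a RevocationURL template using the variables listed above and checks a configured value for a non-HTTPS scheme or an undocumented %-token before it is written to the registry. The longest-token-first matching for %10 to %14 and the sample host and CA names are assumptions.

```python
import re
from urllib.parse import urlsplit

# Replacement variables for the RevocationURL value, numbered %1 .. %14 as documented.
REVOCATION_URL_VARIABLES = {
    1: "SERVERDNSNAME", 2: "SERVERSHORTNAME", 3: "SANITIZEDCANAME",
    4: "CERTFILENAMESUFFIX", 5: "DOMAINDN", 6: "CONFIGDN",
    7: "SANITIZEDCANAMEHASH", 8: "CRLFILENAMESUFFIX", 9: "CRLDELTAFILENAMESUFFIX",
    10: "DSCRLATTRIBUTE", 11: "DSCACERTATTRIBUTE", 12: "DSUSERCERTATTRIBUTE",
    13: "DSKRACERTATTRIBUTE", 14: "DSCROSSCERTPAIRATTRIBUTE",
}

# Assumption: two-digit tokens win over one-digit tokens, so "%10" is never read
# as "%1" followed by a literal "0". The trailing lookahead rejects "%100" etc.
_TOKEN = re.compile(r"%(1[0-4]|[1-9])(?!\d)")


def expand_revocation_url(template, values):
    """Expand a RevocationURL template from a dict keyed by variable name."""
    def repl(match):
        name = REVOCATION_URL_VARIABLES[int(match.group(1))]
        if name not in values:
            raise KeyError(f"no value supplied for %{match.group(1)} ({name})")
        return values[name]
    return _TOKEN.sub(repl, template)


def check_revocation_url(template):
    """Return findings for a RevocationURL value; an empty list means it looks sane."""
    findings = []
    scheme = urlsplit(template).scheme.lower()
    if scheme != "https":
        findings.append(f"scheme is {scheme or 'missing'}; the default uses https")
    # Any %-token that is not one of the documented variables is a configuration error.
    for match in re.finditer(r"%\d+", template):
        if not _TOKEN.fullmatch(match.group(0)):
            findings.append(f"unknown replacement variable {match.group(0)}")
    return findings


if __name__ == "__main__":
    # Constructed sample values; a real CA fills these in from its own configuration.
    sample = {"SERVERDNSNAME": "ca01.example.test", "SANITIZEDCANAME": "Example-CA"}
    default = "https://%1/CertEnroll/nsrev_%3.asp"
    print(check_revocation_url(default))
    print(expand_revocation_url(default, sample))
```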

Note that for this revocation service to work, the application, service, or account that connects to this URL must have Read permission on the CA, as granted in the Certification Authority MMC snap-in. If IIS is running under a local account, follow the steps for enabling anonymous access in IIS and grant the anonymous account Read access to the CA.

Important
Allowing anonymous access to the CA may raise privacy or security concerns.

© 2014 Microsoft