Configure Active Directory Certificate Services for CRL Locations

Updated: April 15, 2010

Applies To: Windows Server 2008 R2

Important

This topic describes deployment of DirectAccess in Windows Server 2008 R2. For deployment of DirectAccess in Microsoft Forefront Unified Access Gateway (UAG), see the Forefront UAG DirectAccess Deployment Guide (https://go.microsoft.com/fwlink/?LinkId=179989).

If you are using Active Directory Certificate Services, you must configure the certification authority (CA) that issues the Secure Sockets Layer (SSL) certificates to the network location server and the DirectAccess server with additional certificate revocation list (CRL) distribution settings. These settings are required so that DirectAccess clients can perform certificate revocation checking for SSL certificates of the network location server (when located on the intranet) and the DirectAccess server (for Internet Protocol over Secure Hypertext Transfer Protocol [IP-HTTPS]-based connections).

Prior to this procedure, you should have determined the following:

  1. The uniform resource locator (URL) or universal naming convention (UNC) path for the CRL distribution point that is accessible from the intranet for the SSL certificate needed for network location detection.

  2. The URL or UNC path for the CRL distribution point that is accessible from the Internet for the SSL certificate needed by the DirectAccess server for IP-HTTPS connections.

  3. The UNC path for the shared folder that will contain the CRL files written by the CA.

Note

The computer account of the CA must have read and write permissions to the folder corresponding to the shared folder that will contain the CRL files.

To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to change global settings on an AD CS-based CA. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477).

The following procedure configures a single CRL distribution point for issued certificates and a single corresponding location in which the CA stores the CRL files. If you are using the same URL or UNC path for both your intranet and Internet CRL location, you only need to perform this procedure once. If you are using different locations for the intranet and Internet CRL distribution points, perform this procedure twice on the appropriate CA.

To configure CRL distribution settings

  1. On the CA computer, click Start, point to Administrative Tools, and then click Certification Authority.

  2. In the console tree, right-click the name of the CA, and then click Properties.

  3. Click the Extensions tab, and then click Add.

  4. In Location, type the URL or UNC path for the CRL distribution point. For example, type https://crl.contoso.com/crld/.

  5. In Variable, click <CAName>, and then click Insert.

  6. In Variable, click <CRLNameSuffix>, and then click Insert.

  7. In Variable, click <DeltaCRLAllowed>, and then click Insert.

  8. In Location, type .crl at the end of the Location string, and then click OK.

  9. Select the check boxes "Include in CRLs. Clients use this to find Delta CRL locations." and "Include in the CDP extension of issued certificates", and then click OK.

  10. Click Add.

  11. In Location, type the UNC path for the shared folder location that will contain the CRL files.

  12. In Variable, click <CAName>, and then click Insert.

  13. In Variable, click <CRLNameSuffix>, and then click Insert.

  14. In Variable, click <DeltaCRLAllowed>, and then click Insert.

  15. In Location, type .crl at the end of the string, and then click OK.

  16. Select Publish CRLs to this location and Publish Delta CRLs to this location, and then click OK.

  17. Click Yes to restart Active Directory Certificate Services.

  18. Go to the location specified in step 11 and verify that CRL files exist.

  19. Access the UNC or URL specified in step 4 and verify that the same CRL files exist.
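The same two entries configured from an elevated PowerShell prompt on the CA with certutil, followed by the checks in steps 18 and 19, as an added example that is not part of this topic. The UNC share \\crlsrv1\crld is a placeholder for the path chosen in step 11; the flag values are the CA's CRLPublicationURLs encoding of the check boxes selected in steps 9 and 16.

```powershell
# Added example (not part of the original procedure). Each entry in the
# CA\CRLPublicationURLs registry value is "<flags>:<location>", where:
#   1  = Publish CRLs to this location
#   2  = Include in the CDP extension of issued certificates
#   4  = Include in CRLs. Clients use this to find Delta CRL locations
#   64 = Publish Delta CRLs to this location
# and %3 = <CAName>, %8 = <CRLNameSuffix>, %9 = <DeltaCRLAllowed>.
$CdpUrl   = 'https://crl.contoso.com/crld/'   # CDP URL from step 4
$CrlShare = '\\crlsrv1\crld'                  # placeholder share for step 11

# Steps 4-9: CDP URL carried in issued certificates and in CRLs (2 + 4 = 6).
# The leading "+" appends to the existing multi-string value instead of replacing it.
& certutil -setreg CA\CRLPublicationURLs ('+6:{0}%3%8%9.crl' -f $CdpUrl)

# Steps 11-16: share the CA writes base and delta CRLs to (1 + 64 = 65).
& certutil -setreg CA\CRLPublicationURLs ('+65:{0}\%3%8%9.crl' -f $CrlShare)

# Step 17: restart the CA service so the new publication settings take effect,
# then publish a fresh CRL so there are files to verify.
Restart-Service -Name certsvc
& certutil -CRL

# Review the resulting publication list.
& certutil -getreg CA\CRLPublicationURLs

# Step 18: the CRL files must exist in the share ...
$crls = Get-ChildItem -Path $CrlShare -Filter '*.crl'
if (-not $crls) { throw "No CRL files were published to $CrlShare" }

# Step 19: ... and each one must be retrievable through the URL that
# DirectAccess clients will find in the certificate's CDP extension.
$web = New-Object System.Net.WebClient
foreach ($crl in $crls) {
    $url   = $CdpUrl + $crl.Name
    $bytes = $web.DownloadData($url)
    if ($bytes.Length -ne $crl.Length) {
        throw "Size mismatch for $url (share: $($crl.Length), URL: $($bytes.Length))"
    }
    "{0}: {1} bytes, reachable at {2}" -f $crl.Name, $bytes.Length, $url
}
```

Publishing the share's contents at the HTTPS URL is the web server's job and is not configured by this script; if the size check fails, the web server is serving a stale copy of the CRL.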
