Configure a CRL Distribution Point for Certificates

Updated: October 7, 2009

Applies To: Windows Server 2008 R2

Important

This topic describes deployment of DirectAccess in Windows Server 2008 R2. For deployment of DirectAccess in Microsoft Forefront Unified Access Gateway (UAG), see the Forefront UAG DirectAccess Deployment Guide (https://go.microsoft.com/fwlink/?LinkId=179989).

To successfully authenticate an Internet Protocol over Secure Hypertext Transfer Protocol (IP-HTTPS)-based connection, DirectAccess clients must be able to check for certificate revocation of the secure sockets layer (SSL) certificate submitted by the DirectAccess server. To successfully perform intranet detection, DirectAccess clients must be able to check for certificate revocation of the SSL certificate submitted by the network location server. This procedure describes how to do the following:

  • Create a Web-based certificate revocation list (CRL) distribution point using Internet Information Services (IIS)

  • Configure permissions on the CRL distribution shared folder

  • Publish the CRL in the CRL distribution shared folder

To complete these procedures, you must be delegated permissions to configure IIS, file sharing permissions on a shared folder, and Active Directory Certificate Services (AD CS).

In this procedure, you create and configure a Web site to contain the CRL files.

To create a Web-based CRL distribution point

  1. On the IIS server, click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.

  2. In the console tree, open the server name, and then Sites.

  3. Right-click Default Web Site, and then click Add virtual directory.

  4. In Alias, type the name of the site containing the CRL distribution list (example: CRLD).

  5. In Physical path, click the ellipsis ().

  6. Click the appropriate drive, and then click Make New Folder.

  7. Type the name of a folder that will contain the CRL distribution list files (example: CRLDist), press ENTER, and then click OK twice.

  8. In the contents pane, double-click Directory Browsing.

  9. In the Actions pane, click Enable.

  10. In the console tree, click the new site name folder.

  11. In the contents pane, double-click Configuration Editor.

  12. In Section, open system.webServer\security\requestFiltering.

  13. In the contents pane, double-click allowDoubleEscaping to change it from False to True.

  14. In the Actions pane, click Apply.

In this procedure, you configure the permissions on the CRL distribution file share so that the certification authority (CA) can write CRL files.

To configure permissions on the CRL distribution file shared folder

  1. On the computer that will contain the CRL distribution file shared folder, click Start, and then click Computer.

  2. Double-click the appropriate drive.

  3. In the details pane, right-click the folder that will store the CRL files, and then click Properties.

  4. Click the Sharing tab, and then click Advanced Sharing.

  5. Select Share this folder.

  6. In Share name, add $ to the end of the folder name to hide the share (example: CRLDist$), and then click Permissions.

  7. Click Add, and then click Object Types.

  8. Select Computers, and then click OK.

  9. In Enter the object names to select, type the name of the CA, and then click OK.

  10. In Group or user names, click the name of the CA computer. In Permissions, click Full Control, and then click OK twice.

  11. Click the Security tab, and then click Edit.

  12. Click Add, and then click Object Types.

  13. Select Computers, and then click OK.

  14. In Enter the object names to select, type the name of the CA, and then click OK.

  15. In Group or user names, click the name of the CA computer. In Permissions, click Full Control, click OK, and then click Close.

In this procedure, you manually publish the CRL from the CA and check for CRL files in the folder on the IIS server.

To publish the CRL

  1. On the computer running AD CS, click Start, point to Administrative Tools, and then click Certification Authority.

  2. In the console tree, double-click the CA name, right-click Revoked Certificates, point to All Tasks, and then click Publish.

  3. If prompted, click New CRL, and then click OK.

  4. Click Start, type \\IisServer\SharedFolder$, and then press ENTER.

  5. In the SharedFolder**$** window, you should see two CRL files named CAName and CAName**+**.

If you arrived at this page by clicking a link in a checklist, use your browser’s Back button to return to the checklist.