Selecting a CRL Publication Location

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Selecting a location for CRL publication involves answering the following questions:

  • Are the certificate revocation lists needed internally, externally, or both?

    CRLs have to be published where relying parties can retrieve them to check whether a certificate has been revoked. If the PKI is used only inside the organization's firewall and certificates are published to Active Directory, CRLs can be published to Active Directory and referenced by LDAP URLs. If certificates are used outside the organization, or if there is no directory service, publish the CRLs to a Web server and reference them by HTTP URLs: HTTP passes through firewalls far more reliably than LDAP. Clients try the URLs in a certificate's CRL Distribution Points (CDP) extension in the order listed, so for certificates that will be validated from outside the forest, list the HTTP location ahead of the LDAP one (or omit LDAP); otherwise an external client waits for the LDAP lookup to fail before it tries HTTP.

  • Do you require multiple CRL publication locations for fault tolerance or to support greater numbers of geographically diverse clients?

    If the answer is yes, choose the domain controllers and Web servers that give you the widest coverage and the best response times. Active Directory replication delivers a CRL published to the directory to every domain controller automatically (allow for replication latency); for HTTP you must either place the Web servers behind one DNS name or list each server's URL in the CDP extension, and make sure a new CRL reaches every Web server before the previous one expires. This way, if one CRL publication point becomes unavailable, the information is still available from the other publication points.

Figure 16.19 shows this decision process.

Figure 16.19   Selecting a CRL Publication Location
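The following batch file is an added example, not part of the original page, showing how the decisions above are applied on a Windows Server 2003 CA with certutil: the CA writes its CRL to the local CertEnroll folder and to a share on an externally reachable Web server, advertises an HTTP URL first and an LDAP URL second in the CDP extension, and publishes to Active Directory for domain-joined clients. The host names pki.example.com and web01.example.com, the share name CertEnroll and the file issued.cer are assumptions; substitute your own.

```batch
@echo off
REM Added example (not from the original page): configure CRL publication on a
REM Windows Server 2003 CA for both internal (LDAP) and external (HTTP) clients.
REM Host names, share name and issued.cer below are assumptions for illustration.
REM Because this runs as a .cmd file, %% is written where certutil must see a
REM single %; at an interactive prompt type a single % instead.
REM
REM CRLPublicationURLs entries are "<flags>:<URL or path>", separated by \n.
REM Flag bits:
REM   1   publish CRLs to this location (the CA writes the file there)
REM   2   include this URL in the CDP extension of issued certificates
REM   8   include in all CRLs; where to publish in AD when publishing manually
REM Template tokens: %%2 server short name, %%3 CA name, %%6 configuration
REM container DN, %%7 sanitized CA name, %%8 CRL name suffix, %%9 delta CRL
REM suffix, %%10 CDP object class.

setlocal
set HTTPHOST=pki.example.com
set WEBSHARE=\\web01.example.com\CertEnroll

REM Entry 1: local folder served by IIS on the CA itself.
REM Entry 2: the CA copies the CRL straight to the external Web server's share
REM          (the CA's computer account needs write access to that share).
REM Entry 3: HTTP URL that external clients can reach through the firewall;
REM          listed before LDAP so external clients do not wait on LDAP first.
REM Entry 4: publish to Active Directory and reference it by LDAP for
REM          domain-joined clients (requires an enterprise CA, or a computer
REM          account allowed to write to the CDP container).
certutil -setreg CA\CRLPublicationURLs "1:%%WINDIR%%\system32\CertSrv\CertEnroll\%%3%%8%%9.crl\n1:%WEBSHARE%\%%3%%8%%9.crl\n2:http://%HTTPHOST%/CertEnroll/%%3%%8%%9.crl\n11:ldap:///CN=%%7%%8,CN=%%2,CN=CDP,CN=Public Key Services,CN=Services,%%6%%10"

REM The CA reads this setting at service start; restart it, then force a new
REM CRL out so every publication point holds a current copy.
net stop certsvc
net start certsvc
certutil -CRL

REM Show the effective setting so the order and flags can be reviewed.
certutil -getreg CA\CRLPublicationURLs

REM Check that every CDP URL in a certificate issued under the new setting is
REM actually retrievable. Run the same command from an external machine as
REM well: an LDAP URL that works on the CA may be unreachable from outside.
if exist issued.cer certutil -verify -urlfetch issued.cer
endlocal
```

Only certificates issued after the change carry the new CDP URLs; certificates issued earlier keep the URLs that were current at issuance, so any location they reference must stay online until they expire. The PKI Health Tool (pkiview.msc) from the Windows Server 2003 Resource Kit gives the same reachability check for every CDP location across the CA hierarchy.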