
Standalone CA issue cert, after setreg CA\CRLPublicationURLs, no CRL attribute in cert

I followed this guide: https://social.technet.microsoft.com/wiki/contents/articles/15037.ad-cs-step-by-step-guide-two-tier-pki-hierarchy-deployment.aspx
First, I want to check how to set the CRL in the cert.
I installed a standalone CA and ran certutil setreg ca\crlpublicationsurls "1:http://192.168.0.6/CertEnroll/%1_%2_%3_%4.crt"
After submitting the CSR and retrieving the CRT, I see there is no CRL field in the Details of the cert.

windows-server-security

"1:http://192.168.0.6/CertEnroll/%1_%2_%3_%4.crt"

This URL is invalid. Prefix 1 instructs the CA to publish the CRL file to the specified location; it does not include the URL in issued certificates. The CA can publish CRLs only to the file system, using an absolute local or UNC path, not HTTP. HTTP URLs to include in certificates use different prefixes:

certutil -setreg CA\CRLPublicationURLs "1:C:\Windows\system32\CertSrv\CertEnroll\%3%8%9.crl\n10:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10\n2:http://pki.fabrikam.com/CertEnroll/%3%8%9.crl"

Please read the referenced article carefully.

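The prefix semantics described in the comment above, worked through as an added example (this is not code from the page, from the question's author or from Microsoft). The flag bits and the %-variable names are the ones Microsoft documents for certutil -setreg CA\CRLPublicationURLs; the CA identity used for the expansion (server name "ca01.corp.example", CA name "Example-Root-CA") is constructed for illustration, and the expansion is simplified (the AD distinguished-name variables %5, %6, %10 and %11 are left as-is). The script parses the multi-string value the way certutil accepts it, decodes each prefix into its flags, expands the variables for a base CRL, and reports which locations the CA will publish to and which URLs will land in the CDP extension of issued certificates, so the question's single "1:http://..." entry can be seen to produce no CDP extension at all.

```python
"""Decode AD CS CRLPublicationURLs entries (added example; not code from the page)."""
import re
from dataclasses import dataclass

# Prefix bits of a CRLPublicationURLs entry, as documented for certutil -setreg.
# The number in front of the location is a sum of these bits, not a priority or index.
PUBLISH = 1              # publish CRLs to this location (drive path, UNC path or ldap:///)
ADD_TO_CERT_CDP = 2      # include in the CDP extension of issued certificates
ADD_TO_FRESHEST_CRL = 4  # include in CRLs so clients can find delta CRL locations
ADD_TO_CRL_CDP = 8       # include in all CRLs; AD location when publishing manually
PUBLISH_DELTA = 64       # publish delta CRLs to this location
ADD_TO_IDP = 128         # include in the IDP extension of issued CRLs
KNOWN_FLAGS = PUBLISH | ADD_TO_CERT_CDP | ADD_TO_FRESHEST_CRL | ADD_TO_CRL_CDP | PUBLISH_DELTA | ADD_TO_IDP
FLAG_NAMES = {PUBLISH: "publish", ADD_TO_CERT_CDP: "cert-cdp", ADD_TO_FRESHEST_CRL: "freshest-crl",
              ADD_TO_CRL_CDP: "crl-cdp", PUBLISH_DELTA: "publish-delta", ADD_TO_IDP: "idp"}


@dataclass
class CAIdentity:
    """What the CA substitutes for the %-variables (constructed sample values).
    Simplified: %5/%6/%10/%11 are AD distinguished names and stay unexpanded."""
    server_dns_name: str         # %1 ServerDNSName
    server_short_name: str       # %2 ServerShortName
    ca_name: str                 # %3 CaName
    cert_name: str = ""          # %4 CertificateName: "" or "(1)" after CA certificate renewal
    ca_truncated_name: str = ""  # %7 CATruncatedName (sanitized, truncated CA name)
    crl_name_suffix: str = ""    # %8 CRLNameSuffix: "" for the first key, "(1)" after key renewal
    delta_marker: str = ""       # %9 DeltaCRLAllowed: "" for a base CRL, "+" for a delta CRL

    def expand(self, template: str) -> str:
        values = {"1": self.server_dns_name, "2": self.server_short_name, "3": self.ca_name,
                  "4": self.cert_name, "7": self.ca_truncated_name or self.ca_name,
                  "8": self.crl_name_suffix, "9": self.delta_marker}
        # Multi-digit match first so %10 is not read as %1 followed by "0".
        return re.sub(r"%(\d+)", lambda m: values.get(m.group(1), m.group(0)), template)


@dataclass
class Entry:
    flags: int
    location: str

    def flag_names(self) -> list[str]:
        return [name for bit, name in FLAG_NAMES.items() if self.flags & bit]


def parse_entries(value: str) -> list[Entry]:
    """Split the REG_MULTI_SZ value; certutil accepts a literal \\n between entries."""
    entries = []
    for raw in re.split(r"\\n|\n", value):
        raw = raw.strip()
        if not raw:
            continue
        prefix, sep, location = raw.partition(":")
        if not sep or not prefix.strip().isdigit():
            raise ValueError(f"no numeric prefix: {raw!r}")
        entries.append(Entry(int(prefix), location.strip()))  # tolerates "2: http://..."
    return entries


def is_publishable(location: str) -> bool:
    """The CA writes CRL files to a drive or UNC path, or to AD via ldap:///."""
    return (re.match(r"^[A-Za-z]:\\", location) is not None
            or location.startswith("\\\\")
            or location.lower().startswith("ldap:///"))


def publish_locations(entries: list[Entry], ca: CAIdentity) -> list[str]:
    return [ca.expand(e.location) for e in entries if e.flags & PUBLISH]


def cert_cdp_urls(entries: list[Entry], ca: CAIdentity) -> list[str]:
    """URLs that will appear in the CDP extension of certificates the CA issues."""
    return [ca.expand(e.location) for e in entries if e.flags & ADD_TO_CERT_CDP]


def problems(entries: list[Entry]) -> list[str]:
    out = []
    for i, e in enumerate(entries):
        if e.flags & ~KNOWN_FLAGS:
            out.append(f"entry {i}: unknown flag bits in prefix {e.flags}")
        if e.flags & (PUBLISH | PUBLISH_DELTA) and not is_publishable(e.location):
            out.append(f"entry {i}: publish flag set, but {e.location!r} is not a drive, UNC or ldap:/// location")
        if e.flags & ADD_TO_CERT_CDP and not e.location.lower().startswith(("http://", "ldap://", "file://")):
            out.append(f"entry {i}: {e.location!r} would be written into issued certificates as a CDP URL")
    if not any(e.flags & ADD_TO_CERT_CDP for e in entries):
        out.append("no entry carries flag 2: issued certificates will have no CDP extension")
    return out


# Constructed inputs: the value from the question and the corrected value from the comment.
ORIGINAL_VALUE = "1:http://192.168.0.6/CertEnroll/%1_%2_%3_%4.crt"
CORRECTED_VALUE = ("1:C:\\Windows\\system32\\CertSrv\\CertEnroll\\%3%8%9.crl"
                   "\\n10:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10"
                   "\\n2:http://pki.fabrikam.com/CertEnroll/%3%8%9.crl")
SAMPLE_CA = CAIdentity(server_dns_name="ca01.corp.example", server_short_name="CA01",
                       ca_name="Example-Root-CA")  # constructed CA identity, not a real CA


def report(value: str, ca: CAIdentity = SAMPLE_CA) -> dict:
    entries = parse_entries(value)
    return {"flags": [e.flag_names() for e in entries],
            "publish": publish_locations(entries, ca),
            "cert_cdp": cert_cdp_urls(entries, ca),
            "problems": problems(entries)}


if __name__ == "__main__":
    for label, value in (("original", ORIGINAL_VALUE), ("corrected", CORRECTED_VALUE)):
        print(label, report(value))
```

The "original" report shows why the question's entry never produced a CDP extension: flag 1 only publishes, HTTP is not a location the CA can write to, and no entry carries flag 2, so nothing is written and nothing is added to certificates. After changing the value, restart Active Directory Certificate Services and publish a fresh CRL with certutil -crl before issuing a test certificate; certificates issued earlier keep whatever extensions they were built with.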

Hello @51892182,

Thank you for your update. I am so glad that we added the CRL entries successfully.

Based on my knowledge, you can add all entries, or entries 1, 3 and 4, or entries 1 and 2.


[screenshot attachment: en.png]


Should you have any question or concern, please feel free to let us know.


Best Regards,
Daisy Zhou

============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.





Hello @51892182,

Thank you for posting here.

Hope the information provided by Crypt32 is helpful to you.

As the article mentioned, you should do as below:

[screenshot attachment: crl1.png]


And in your command, there should be no "s" in "certutil setreg ca\crlpublicationsurls".

[screenshot attachment: crl2.png]


Should you have any question or concern, please feel free to let us know.


Best Regards,
Daisy Zhou






Hi Daisy

thank you for the help
[screenshot attachment: image.png]



It is a typing mistake in the question; I have no "s" in the command.
I also checked the registry, and it should be no problem, but I only set one http URL. Is that the problem?


Hello @51892182,

Thank you for your update.

Based on my knowledge, I think there should be at least the following local location, and you can also add http/ldap/file locations if needed.

C:\Windows\system32\CertSrv\CertEnroll\%3%8%9.crl


Should you have any question or concern, please feel free to let us know.


Best Regards,
Daisy Zhou



Hi Daisy

[screenshot attachment: image.png]



I tried again with only one C:\ location and a static CA name,
but the CRL field is still missing in the cert.
There is no error log.
I also restart the service every time.
Any other suggestion?
I also wonder whether the 0, 1, 2 at the beginning is the priority or not.


Hi Daisy

I recovered the original registry, and it works.
The original has 4 locations.
[screenshot attachment: image.png]


Of course, I don't know which field is mandatory and which is not; I just replaced the http one.
I also cannot find any document for this.
