Configure the CDP and AIA Extensions on CA1

Applies to: Windows Server (Semi-Annual Channel), Windows Server 2016

You can use this procedure to configure the Certificate Revocation List (CRL) Distribution Point (CDP) and the Authority Information Access (AIA) settings on CA1.

To perform this procedure, you must be a member of Domain Admins.

To configure the CDP and AIA extensions on CA1

  1. In Server Manager, click Tools, and then click Certification Authority.

  2. In the Certification Authority console tree, right-click corp-CA1-CA, and then click Properties.

    Note

    The name of your CA is different if you did not name the computer CA1 or if your domain name differs from the one in this example. The CA name is in the format domain-CAComputerName-CA.

  3. Click the Extensions tab. Ensure that Select extension is set to CRL Distribution Point (CDP), and under Specify locations from which users can obtain a certificate revocation list (CRL), do the following:

    1. Select the entry file://\\<ServerDNSName>\CertEnroll\<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl, and then click Remove. In Confirm removal, click Yes.

    2. Select the entry http://<ServerDNSName>/CertEnroll/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl, and then click Remove. In Confirm removal, click Yes.

    3. Select the entry that starts with the path ldap:///CN=<CATruncatedName><CRLNameSuffix>,CN=<ServerShortName>, and then click Remove. In Confirm removal, click Yes.

  4. Under Specify locations from which users can obtain a certificate revocation list (CRL), click Add. The Add Location dialog box opens.

  5. In Add Location, in Location, type http://pki.corp.contoso.com/pki/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl, and then click OK. This returns you to the CA properties dialog box.

  6. On the Extensions tab, select the following check boxes:

    • Include in CRLs. Clients use this to find Delta CRL locations

    • Include in the CDP extension of issued certificates

  7. Under Specify locations from which users can obtain a certificate revocation list (CRL), click Add. The Add Location dialog box opens.

  8. In Add Location, in Location, type file://\\pki.corp.contoso.com\pki\<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl, and then click OK. This returns you to the CA properties dialog box.

  9. On the Extensions tab, select the following check boxes:

    • Publish CRLs to this location

    • Publish Delta CRLs to this location

  10. Change Select extension to Authority Information Access (AIA), and under Specify locations from which users can obtain the certificate for this CA, do the following:

    1. Select the entry that starts with the path ldap:///CN=<CATruncatedName>,CN=AIA,CN=Public Key Services, and then click Remove. In Confirm removal, click Yes.

    2. Select the entry http://<ServerDNSName>/CertEnroll/<ServerDNSName>_<CaName><CertificateName>.crt, and then click Remove. In Confirm removal, click Yes.

    3. Select the entry file://\\<ServerDNSName>\CertEnroll\<ServerDNSName>_<CaName><CertificateName>.crt, and then click Remove. In Confirm removal, click Yes.

  11. Under Specify locations from which users can obtain the certificate for this CA, click Add. The Add Location dialog box opens.

  12. In Add Location, in Location, type http://pki.corp.contoso.com/pki/<ServerDNSName>_<CaName><CertificateName>.crt, and then click OK. This returns you to the CA properties dialog box.

  13. On the Extensions tab, select Include in the AIA extension of issued certificates.

  14. When prompted to restart Active Directory Certificate Services, click No. You will restart the service later.
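The same result can be produced from an elevated PowerShell session on CA1 with the ADCSAdministration module that is installed with the AD CS role. The script below is an added example, not part of the original procedure; it assumes the same host name pki.corp.contoso.com and /pki path as the steps above, and removes the default entries by matching their URL scheme (file, http, ldap) rather than by typing each full default path, so the local C:\Windows\system32\CertSrv\CertEnroll\ entry that the GUI procedure leaves in place is kept.

```powershell
# Added example (not from the original page): CDP and AIA configuration for CA1
# using the ADCSAdministration cmdlets. Run elevated on CA1 as a Domain Admin.
# Host name and path are assumptions matching the procedure; adjust as needed.
Import-Module ADCSAdministration

$cdpHttp = 'http://pki.corp.contoso.com/pki/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl'
$cdpFile = 'file://\\pki.corp.contoso.com\pki\<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl'
$aiaHttp = 'http://pki.corp.contoso.com/pki/<ServerDNSName>_<CaName><CertificateName>.crt'

# Step 3: remove the default file://, http:// and ldap:/// CDP entries.
# The local CertEnroll path (a plain drive path) does not match and stays,
# because the CA writes the CRL there before copying it to the share.
Get-CACrlDistributionPoint |
    Where-Object { $_.Uri -match '^(file|http|ldap):' } |
    ForEach-Object { Remove-CACrlDistributionPoint -Uri $_.Uri -Force }

# Steps 4-6: HTTP location stamped into issued certificates and into CRLs.
# -AddToFreshestCrl is the "Include in CRLs. Clients use this to find Delta
# CRL locations" box; -AddToCertificateCdp is "Include in the CDP extension
# of issued certificates".
Add-CACrlDistributionPoint -Uri $cdpHttp -AddToFreshestCrl -AddToCertificateCdp -Force

# Steps 7-9: UNC location the CA publishes base and delta CRLs to.
Add-CACrlDistributionPoint -Uri $cdpFile -PublishToServer -PublishDeltaToServer -Force

# Step 10: remove the default ldap:///, http:// and file:// AIA entries.
Get-CAAuthorityInformationAccess |
    Where-Object { $_.Uri -match '^(file|http|ldap):' } |
    ForEach-Object { Remove-CAAuthorityInformationAccess -Uri $_.Uri -Force }

# Steps 11-13: HTTP location of the CA certificate, included in the AIA
# extension of issued certificates.
Add-CAAuthorityInformationAccess -Uri $aiaHttp -AddToCertificateAia -Force

# Step 14: the settings are written to the CA registry but only read when
# certsvc starts. Review them now; restart the service in the later step.
certutil -getreg CA\CRLPublicationURLs
certutil -getreg CA\CACertPublicationURLs
# Later, when the deployment steps call for it:
# Restart-Service certsvc
```

Two things to check before the service is restarted: the \\pki.corp.contoso.com\pki share must exist and grant the CA1 computer account write access, or `certutil -CRL` will fail on the file:// entry; and because the LDAP entries are removed, the HTTP URL becomes the only location in the CDP and AIA extensions of every certificate this CA issues, so it must be reachable (and resolvable) from every client that will validate those certificates, including non-domain machines.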