Configure the CDP and AIA Extensions on CA1

Applies To: Windows Server (Semi-Annual Channel), Windows Server 2016

You can use this procedure to configure the Certificate Revocation List (CRL) Distribution Point (CDP) and the Authority Information Access (AIA) settings on CA1.

To perform this procedure, you must be a member of Domain Admins.

To configure the CDP and AIA extensions on CA1

  1. In Server Manager, click Tools and then click Certification Authority.

  2. In the Certification Authority console tree, right-click corp-CA1-CA, and then click Properties.

    Note

    The name of your CA is different if you did not name the computer CA1 and your domain name is different than the one in this example. The CA name is in the format domain-CAComputerName-CA.

  3. Click the Extensions tab. Ensure that Select extension is set to CRL Distribution Point (CDP), and in the Specify locations from which users can obtain a certificate revocation list (CRL), do the following:

    1. Select the entry file://\\<ServerDNSName>/CertEnroll/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl, and then click Remove. In Confirm removal, click Yes.

    2. Select the entry http://<ServerDNSName>/CertEnroll/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl, and then click Remove. In Confirm removal, click Yes.

    3. Select the entry that starts with the path ldap://CN=<CATruncatedName><CRLNameSuffix>,CN=<ServerShortName>, and then click Remove. In Confirm removal, click Yes.

  4. In Specify locations from which users can obtain a certificate revocation list (CRL), click Add. The Add Location dialog box opens.

  5. In Add Location, in Location, type http://pki.corp.contoso.com/pki/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl, and then click OK. This returns you to the CA properties dialog box.

  6. On the Extensions tab, select the following check boxes:

    • Include in CRLs. Clients use this to find the Delta CRL locations

    • Include in the CDP extension of issued certificates

  7. In Specify locations from which users can obtain a certificate revocation list (CRL), click Add. The Add Location dialog box opens.

  8. In Add Location, in Location, type file://\\pki.corp.contoso.com/pki/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl, and then click OK. This returns you to the CA properties dialog box.

  9. On the Extensions tab, select the following check boxes:

    • Publish CRLs to this location

    • Publish Delta CRLs to this location

  10. Change Select extension to Authority Information Access (AIA), and in the Specify locations from which users can obtain a certificate revocation list (CRL), do the following:

    1. Select the entry that starts with the path ldap://CN=<CATruncatedName>,CN=AIA,CN=Public Key Services, and then click Remove. In Confirm removal, click Yes.

    2. Select the entry http://<ServerDNSName>/CertEnroll/<ServerDNSName>_<CaName><CertificateName>.crt, and then click Remove. In Confirm removal, click Yes.

    3. Select the entry file://\\<ServerDNSName>/CertEnroll/<ServerDNSName>_<CaName><CertificateName>.crt, and then click Remove. In Confirm removal, click Yes.

  11. In Specify locations from which users can obtain a certificate revocation list (CRL), click Add. The Add Location dialog box opens.

  12. In Add Location, in Location, type http://pki.corp.contoso.com/pki/<ServerDNSName>_<CaName><CertificateName>.crt, and then click OK. This returns you to the CA properties dialog box.

  13. On the Extensions tab, select Include in the AIA of issued certificates.

  14. In Add Location, in Location, type file://\\pki.corp.contoso.com/pki/<ServerDNSName>_<CaName><CertificateName>.crt, and then click OK. This returns you to the CA properties dialog box.

    Important

    Ensure that Include in the AIA extension of issued certificates is not selected.

  15. When prompted to restart Active Directory Certificate Services, click No. You will restart the service later.
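
The following read-only check is an added example, not part of the original Microsoft procedure: it compares the CDP and AIA lists on the local CA against the entries the steps above add and remove. It assumes it is run on CA1 with the ADCSAdministration module available, and that the cmdlet property names noted in the comments correspond to the check boxes in the dialog; the helper name Test-CaLocation is hypothetical.

```powershell
# Added example: audit the CDP/AIA location lists after the procedure above.
Import-Module ADCSAdministration

# Expected entries from steps 5-9 and 12-14. Flags lists the properties that
# should be set (assumed mapping to the check boxes); all others should be off.
$expectedCdp = @(
    @{ Uri   = 'http://pki.corp.contoso.com/pki/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl'
       Flags = @('AddToFreshestCrl', 'AddToCertificateCdp') },
    @{ Uri   = 'file://\\pki.corp.contoso.com/pki/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl'
       Flags = @('PublishToServer', 'PublishDeltaToServer') }
)
$expectedAia = @(
    @{ Uri   = 'http://pki.corp.contoso.com/pki/<ServerDNSName>_<CaName><CertificateName>.crt'
       Flags = @('AddToCertificateAia') },
    @{ Uri   = 'file://\\pki.corp.contoso.com/pki/<ServerDNSName>_<CaName><CertificateName>.crt'
       Flags = @() }   # must NOT be included in issued certificates
)
$cdpFlags = 'PublishToServer', 'PublishDeltaToServer', 'AddToCertificateCdp',
            'AddToFreshestCrl', 'AddToCrlCdp', 'AddToCrlIdp'
$aiaFlags = 'AddToCertificateAia', 'AddToCertificateOcsp'

function Test-CaLocation {
    param($Actual, $Expected, [string[]]$AllFlags)
    # Compare case-insensitively and treat '\' and '/' as the same separator.
    $norm = { param($u) ($u -replace '\\', '/').ToLowerInvariant() }
    foreach ($e in $Expected) {
        $hit = $Actual | Where-Object { (& $norm $_.Uri) -eq (& $norm $e.Uri) } |
               Select-Object -First 1
        if (-not $hit) { "MISSING   $($e.Uri)"; continue }
        foreach ($f in $AllFlags) {
            $want = $e.Flags -contains $f
            if ([bool]$hit.$f -ne $want) { "FLAG      $f should be $want on $($e.Uri)" }
        }
    }
    # Default entries the procedure removes: LDAP and <ServerDNSName>/CertEnroll.
    $Actual |
        Where-Object { (& $norm $_.Uri) -match '^ldap:|<serverdnsname>/certenroll/' } |
        ForEach-Object { "LEFTOVER  $($_.Uri)" }
}

$findings = @(
    Test-CaLocation (Get-CACrlDistributionPoint)       $expectedCdp $cdpFlags
    Test-CaLocation (Get-CAAuthorityInformationAccess) $expectedAia $aiaFlags
)
if ($findings) { $findings } else { 'CDP and AIA lists match the procedure.' }
```

A LEFTOVER line means a default LDAP or CertEnroll location is still configured; a FLAG line on the file:// AIA entry means the setting the Important note warns about is selected.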