Configure WEB1 to Distribute Certificate Revocation Lists (CRLs)

Applies To: Windows Server (Semi-Annual Channel), Windows Server 2016

You can use this procedure to configure the web server WEB1 to distribute CRLs.

The extensions of the root CA state that the CRL from the root CA is available via http://pki.corp.contoso.com/pki. Currently, there is no PKI virtual directory on WEB1, so one must be created.

To perform this procedure, you must be a member of Domain Admins.

Note

In the procedure below, replace the user account name, the Web server name, folder names and locations, and other values with those that are appropriate for your deployment.

To configure WEB1 to distribute certificates and CRLs

  1. On WEB1, run Windows PowerShell as an administrator, type explorer c:\, and then press ENTER. Windows Explorer opens to drive C.

  2. Create a new folder named PKI on the C: drive. To do so, click Home, and then click New Folder. A new folder is created with the temporary name highlighted. Type pki and then press ENTER.

  3. In Windows Explorer, right-click the folder you just created, hover the mouse cursor over Share with, and then click Specific people. The File Sharing dialog box opens.

  4. In File Sharing, type Cert Publishers, and then click Add. The Cert Publishers group is added to the list. In the list, in Permission Level, click the arrow next to Cert Publishers, and then click Read/Write. Click Share, and then click Done.

  5. Close Windows Explorer.

  6. Open the IIS console. In Server Manager, click Tools, and then click Internet Information Services (IIS) Manager.

  7. In the Internet Information Services (IIS) Manager console tree, expand WEB1. If you are invited to get started with Microsoft Web Platform, click Cancel.

  8. Expand Sites, right-click Default Web Site, and then click Add Virtual Directory.

  9. In Alias, type pki. In Physical path, type C:\pki, and then click OK.

  10. Enable Anonymous access to the pki virtual directory, so that any client can check the validity of the CA certificates and CRLs. To do so:

    1. In the Connections pane, ensure that pki is selected.

    2. On pki Home, click Authentication.

    3. In the Actions pane, click Edit Permissions.

    4. On the Security tab, click Edit.

    5. On the Permissions for pki dialog box, click Add.

    6. In the Select Users, Computers, Service Accounts, or Groups dialog box, type ANONYMOUS LOGON; Everyone and then click Check Names. Click OK.

    7. Click OK on the Select Users, Computers, Service Accounts or Groups dialog box.

    8. Click OK on the Permissions for pki dialog box.

  11. Click OK on the pki Properties dialog box.

  12. In the pki Home pane, double-click Request Filtering.

  13. The File Name Extensions tab is selected by default in the Request Filtering pane. In the Actions pane, click Edit Feature Settings.

  14. In Edit Request Filtering Settings, select Allow double escaping and then click OK.

  15. In the Internet Information Services (IIS) Manager MMC, click your Web server name. For example, if your Web server is named WEB1, click WEB1.

  16. In Actions, click Restart. Internet services are stopped and then restarted.
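
The same configuration can be scripted. The following is an added example, not part of the original procedure or Microsoft's own script. It assumes the NetBIOS domain name is CORP and uses a constructed probe file named probe+.txt. Delta CRL file names end in a plus sign, which IIS request filtering rejects unless double escaping is allowed, so the final check requests a file with "+" in its name.

```powershell
# Added example: scripted equivalent of the GUI steps above. Run elevated on WEB1.
Import-Module WebAdministration

$path       = 'C:\pki'
$site       = 'Default Web Site'
$publishers = 'CORP\Cert Publishers'   # assumption: NetBIOS domain name is CORP

# Steps 1-4: create the folder and share it read/write for Cert Publishers.
New-Item -Path $path -ItemType Directory -Force | Out-Null
New-SmbShare -Name 'pki' -Path $path -ChangeAccess $publishers | Out-Null
icacls $path /grant "${publishers}:(OI)(CI)M" | Out-Null

# Steps 8-9: publish the folder as the /pki virtual directory.
New-WebVirtualDirectory -Site $site -Name 'pki' -PhysicalPath $path | Out-Null

# Step 10: anonymous clients get read access only, never write.
icacls $path /grant 'ANONYMOUS LOGON:(OI)(CI)RX' 'Everyone:(OI)(CI)RX' | Out-Null
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location "$site/pki" `
    -Filter 'system.webServer/security/authentication/anonymousAuthentication' `
    -Name 'enabled' -Value $true

# Steps 12-14: allow double escaping for /pki only, not for the whole server.
# Writing it to applicationHost.config rather than a web.config inside C:\pki
# keeps the setting out of the folder that Cert Publishers can write to.
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location "$site/pki" `
    -Filter 'system.webServer/security/requestFiltering' `
    -Name 'allowDoubleEscaping' -Value $true

# Steps 15-16: restart IIS.
iisreset /restart | Out-Null

# Check: a file name containing "+" must be served (HTTP 200, not 404.11).
$probe = Join-Path $path 'probe+.txt'   # constructed test file, removed afterwards
Set-Content -Path $probe -Value 'ok'
try {
    $r = Invoke-WebRequest -Uri 'http://localhost/pki/probe+.txt' -UseBasicParsing
    "Double escaping check: HTTP $($r.StatusCode)"
} catch {
    "Double escaping check failed: $($_.Exception.Message)"
} finally {
    Remove-Item $probe -Force
}
```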