Publish a CRL to another web site when using a Web Enrollment Prox

Discussion in 'Security Software' started by RJ, Apr 19, 2005.

  1. RJ

    RJ Guest

    Offline root CA --> Issuing CA --> Web enrollment proxy.

    Users need to use the Web enrollment proxy to request a cert. I have
    manually published the CRL and Root CA Cert of the offline root CA at an
    Internet accessible web site. I also published the Issuing CA Cert to the
    same web site. Is it possible, when the Issuing CA publishes a new CRL, that
    it can be published to a remote computer? I have tried UNC, ftp, and mapping
    network drives. When I publish the new CRL, it always comes back as
    "directory is invalid". It will only let me publish to a local drive. If it
    cannot publish remotely, manual copying when the CRL expires seems to be the
    only option.
     
    RJ, Apr 19, 2005
    #1

  2. RJ

    S. Pidgorny Guest

    You can use Dfs to synchronise files between computers. Alternatively, you
    can point an IIS virtual directory to a remote computer (where the CRL is
    located).

    If using LDAP CDP in Active Directory, the information gets replicated in
    AD.
     
    S. Pidgorny, Apr 20, 2005
    #2

  3. RJ

    Brian Komar Guest

    Another option is to create a script that transfers the CRL to the Web
    server. The script can use any transfer protocol and be run at regular
    intervals to ensure publication.

    For example:
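    rem Publish a new CRL to the CA's local CertEnroll folder
    certutil -CRL
    rem Pause so the new CRL file is written before copying
    sleep 3
    rem Copy the CRL files (*.crl) to the web server share
    copy /y %windir%\system32\certsrv\certenroll\*.crl \\webserver\webshare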

    Run the batch file as a user that is assigned the Manage CA permissions.
    Be sure to change the perms on cmd.exe to allow the BATCH account Read
    and Read & Execute permissions.

    Brian
     
    Brian Komar, Apr 20, 2005
    #3
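
The scheduled publish-and-copy approach from post #3, extended with failure checks, as an added example that is not part of the original thread. It assumes PowerShell 4.0 or later (for `Get-FileHash`), the CertEnroll path and `\\webserver\webshare` share named in the post, and an account with Manage CA permission plus write access to the share.

```powershell
# Added example (not from the thread): publish a new CRL, copy every CRL file
# to the web share, and verify each copy so a stale CRL is never left unnoticed.
$ErrorActionPreference = 'Stop'

# Paths taken from the post; adjust to your environment.
$certEnroll = Join-Path $env:windir 'System32\CertSrv\CertEnroll'
$webShare   = '\\webserver\webshare'

# Ask the CA to issue a new CRL into its local publication folder.
& certutil.exe -CRL
if ($LASTEXITCODE -ne 0) {
    throw "certutil -CRL failed with exit code $LASTEXITCODE"
}

# Mirrors the short pause in the post before the files are copied.
Start-Sleep -Seconds 3

if (-not (Test-Path -LiteralPath $webShare)) {
    throw "Web share $webShare is not reachable"
}

# Base and delta CRLs both end in .crl; delta names contain '+',
# so -LiteralPath is used to avoid wildcard interpretation.
$crls = @(Get-ChildItem -LiteralPath $certEnroll -Filter '*.crl' -File)
if ($crls.Count -eq 0) {
    throw "No CRL files found in $certEnroll"
}

$failed = 0
foreach ($crl in $crls) {
    $target = Join-Path $webShare $crl.Name
    Copy-Item -LiteralPath $crl.FullName -Destination $target -Force

    # Compare hashes of the local file and the copy on the share.
    $src = (Get-FileHash -LiteralPath $crl.FullName -Algorithm SHA256).Hash
    $dst = (Get-FileHash -LiteralPath $target -Algorithm SHA256).Hash
    if ($src -ne $dst) {
        Write-Warning "Hash mismatch for $($crl.Name); remote copy is not current"
        $failed++
    } else {
        Write-Output "Published $($crl.Name) SHA256=$src"
    }
}

# Non-zero exit lets Task Scheduler or monitoring flag the failed run.
if ($failed -gt 0) { exit 1 }
```

Schedule it more often than the CRL publication interval so that a failed run can be noticed and retried before the published CRL expires.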
