By default, full certificate revocation lists (CRLs) and delta certificate revocation lists (delta CRLs) are accessible only through the LDAP protocol.
In other words, by default, only computers and servers that are members of your Active Directory domain can check the revocation of certificates used in your company.
However, you will see that it's also possible to make these revocation lists (CRL and delta CRL) accessible via the HTTP protocol if you wish.
For your clients to be able to access the revocation lists using the HTTP protocol, you obviously need a web server (IIS in the case of Windows Server).
Alternatively, you can install the web interface of your certification authority, as explained in our "Install the web interface of a certificate authority (CA) on Windows Server 2016" tutorial.
Indeed, when you install this role service, the IIS web server will be installed and configured automatically to allow access to revocation lists in HTTP.
Adding the "Certification Authority Web Enrollment" role service will also add the "Web Server (IIS)" role for HTTP protocol support.
Once the "Certification Authority Web Enrollment" role service of your CA is installed and configured, open IIS Manager which was automatically installed.
In IIS Manager, expand the "Default Web Site" node and you will see that two folders are present for this site:
As you can see, if you access the "certsrv" folder of this web server via a web browser, you will arrive on the web interface of your certification authority.
As explained previously, when you install the web interface of your certification authority, a virtual folder named "CertEnroll" is also configured by default on the Default Web Site.
To see its contents, select this "CertEnroll" folder and click on the "Explore" link (in the right column).
As you can see, this "CertEnroll" virtual folder present on IIS points to the physical folder "C:\Windows\system32\CertSrv\CertEnroll".
In this folder, you will find:
If you open the ".crt" certificate present, you will see that it's indeed the certificate of your certification authority.
This CA certificate is what the Authority Information Access (AIA) extension included in your issued certificates points to.
If you go to the "Details" tab of this certificate and select the "Basic Constraints" field, you will see that it's a CA certificate.
If you double-click on the "[certification authority name].crl" file, you will see that it's the full certificate revocation list (CRL) of your certification authority.
If you go to the "Revocation List" tab of this certificate revocation list, you will see the list of serial numbers of certificates that have been revoked on your certification authority.
If you double-click on the file whose name ends with a "+" ([certification authority name]+.crl), you will see that it's the delta certificate revocation list (delta CRL) of your certification authority.
If you go to the "Revocation List" tab of this delta certificate revocation list (delta CRL), you will be able to see the list of certificates that were revoked after the complete certificate revocation list (CRL) was published.
As you can see, the ASP script present in this folder is used for certificate revocation checking.
Note that for the delta revocation lists to also be accessible via this "CertEnroll" virtual folder, a specific configuration setting must be correctly configured.
This is the case by default if you have installed the web interface of your certification authority.
However, if you have manually created this virtual folder on an existing IIS web server, it's necessary to check its configuration.
To do this, select your "CertEnroll" virtual folder and go to the configuration editor.
In the configuration editor that appears, go to the "system.webServer\security\requestFiltering" section.
In the table that appears, make sure that the value of the "allowDoubleEscaping" setting is "True".
This authorizes access to files containing special characters in their name, including the delta certificate revocation list whose file name ends with a "+". Without it, IIS request filtering rejects the request for the delta CRL, even though the full CRL in the same folder is served normally.
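As an added example (not part of the original tutorial), the following PowerShell script checks the three points covered above on the IIS server: the physical path of the "CertEnroll" virtual folder, the "allowDoubleEscaping" setting, and whether both the full CRL and the delta CRL ("+" in the file name) can actually be downloaded over HTTP. The WebAdministration module (installed with IIS) is assumed, and $CaHost and $CaName are placeholders to replace with your own values.

```powershell
# Added example: verify that the CertEnroll virtual folder serves the full CRL
# and the delta CRL over HTTP. $CaHost and $CaName are placeholders.
Import-Module WebAdministration

$CaHost = 'pki.example.lan'     # placeholder: DNS name of the IIS / CA server
$CaName = 'Example Root CA'     # placeholder: common name of your CA
$Path   = 'IIS:\Sites\Default Web Site\CertEnroll'

# 1. The virtual folder should point at C:\Windows\system32\CertSrv\CertEnroll.
$physical = (Get-WebVirtualDirectory -Site 'Default Web Site' -Name 'CertEnroll').physicalPath
Write-Host "CertEnroll physical path : $physical"

# 2. allowDoubleEscaping must be True, otherwise request filtering rejects the
#    "+" in the delta CRL file name and clients get an HTTP 404 for it.
$filter = 'system.webServer/security/requestFiltering'
$ade = Get-WebConfigurationProperty -PSPath $Path -Filter $filter -Name 'allowDoubleEscaping'
if (-not $ade.Value) {
    Write-Warning 'allowDoubleEscaping is False; enabling it on the CertEnroll folder.'
    Set-WebConfigurationProperty -PSPath $Path -Filter $filter -Name 'allowDoubleEscaping' -Value $true
}

# 3. Download both lists the way a client following the CRL Distribution Point
#    and Freshest CRL extensions would. Spaces in the CA name become %20; the
#    "+" of the delta CRL is appended after escaping so it stays literal.
$base = "http://$CaHost/CertEnroll/" + [uri]::EscapeDataString($CaName)
foreach ($url in @("$base.crl", "$base+.crl")) {
    try {
        $resp = Invoke-WebRequest -Uri $url -UseBasicParsing
        $tmp  = Join-Path $env:TEMP 'crlcheck.crl'
        [IO.File]::WriteAllBytes($tmp, $resp.Content)
        Write-Host "OK   $url ($($resp.Content.Length) bytes)"
        # certutil -dump shows validity, the CRL number, the number of revoked
        # entries and, for the delta list, the "Delta CRL Indicator" extension.
        certutil -dump $tmp | Select-String 'NextUpdate|CRL Number|Delta CRL|CRL Entries'
    } catch {
        Write-Host "FAIL $url : $($_.Exception.Message)"
    }
}
```

A "FAIL" on the "+.crl" URL while the ".crl" URL succeeds is the typical symptom of "allowDoubleEscaping" being left at False on a manually created virtual folder.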
® InformatiWeb-Pro.net - InformatiWeb.net 2008-2022 - © Lionel Eppe - All rights reserved.