Select the product you need help with

How to configure Certificate Services and ISA Server to publish CRLs

Article ID: 318707 - View products that this article applies to.

This article was previously published under Q318707

SUMMARY

This article describes how to configure Internet Information Services (IIS) version 5.0, Certificate Services version 2.0, and Microsoft Internet Security and Acceleration (ISA) Server to allow for client computers to examine the Certificate Revocation List (CRL). Additionally, this article describes how to allow for the root certificate to determine whether the certificate that you issued has been revoked.

Configure Certificate Services to publish the CRL

For more information about how to configure Certificate Services CRL distribution points, click the following article number to view the article in the Microsoft Knowledge Base:

232161

(http://support.microsoft.com/kb/232161/ )

Changing the locations of your Certificate Revocation List (CRL) in Certificate Services 2.0

Note When you configure the distribution point, add an address that can be reached externally.

Allow for client computers to access the CRL

To allow for client computers to access the CRL, follow these steps:

Configure a virtual directory to allow for directory browsing. To do this, use one of the following methods:
- Modify the current CertEnroll directory in IIS to allow for directory browsing.
- Create a new virtual directory that points to the same physical directory. For example, create %SystemRoot%\System32\Certsrv\CertEnroll. Then, allow for directory browsing. For more information about how to set up a virtual directory , click the following article number301392 to view the article301392 in the Microsoft Knowledge Base:
  How to create a virtual folder (Subweb) in IIS 4.0 or IIS 5.0
  (http://support.microsoft.com/kb/How to create a virtual folder (Subweb) in IIS 4.0 or IIS 5.0/ )
Publish the virtual directory with an address that is configured in Certificate Services and that can be reached externally. For more information about how to do this, click the following article number to view the article in the Microsoft Knowledge Base:
313072
(http://support.microsoft.com/kb/313072/ )
How to configure the Web Publishing service to work with Internet Security and Acceleration Server in Windows 2000

Allow for client computers to verify the certificate chain

To allow for client computers to verify the certificate chain, you must publish the root certificate in a location where client computers can access the certificate. Then, publish the distribution point through ISA Server that Microsoft Knowledge Base Article KB313072 describes. This distribution point is known as the authority information access (AIA) point.

The easiest way to allow for the client computer to verify the certificate chain is to publish the root certificates in the same location as the CRL. To do this, follow these steps.

Note If you have already issued a server certificate in which you need the client computers to be able to see both the CRL and the AIA, you must issue a new certificate.

Log on to the computer as an administrator.
Click Start, point to Programs, point to Administrative Tools, and then click Certification Authority.
Right-click the certification authority, and then click Properties.
Click the Policy Module tab, and then click Configure.
Click Add AIA to add a new AIA point.

Note When you add an AIA, make sure that you specify the file name of the root certificate. For example, you can use the following path. Or you can use any other path that you want to use.
http://%SERVER_DNS_NAME%/CertEnroll/%SERVER_DNS_NAME%_%CA_NAME%%CERT_SUFFIX%.crt