Blog Post

Skype for Business Blog
11 MIN READ

Updated: Creating a Certificate Revocation List Distribution Point for Your Internal Certification Authority

NextHop_Team's avatar
NextHop_Team
Brass Contributor
May 20, 2019
First published on TECHNET on Dec 17, 2012 Certificates rely on certification authorities to maintain an updated list of revoked certificates issued by the public key ...
Updated May 20, 2019
Version 2.0
Certificates
NextHop
security
setup deployment
MFisherIT's avatar
MFisherIT
Copper Contributor
Nov 05, 2020

Within server 2016 Certificate Authority (certsrv.msc) > [CA Name] Properties > Extensions > CRL Distribution Point (CDP) > Add Location dialog window; LDAP uri/url/location is defined with three forward slashes, do not add the "DC=contoso,DC=com". No not use a comma between "<ConfigurationContainer>" and "<CDPObjectClass>" even though the "Description of selected variable:" window for "<ConfigurationContainer>" shows it followed by a comma. In the following example the "CN=<ServerShortName>," portion uses <CaName> or can use the Failover Cluster role name:

ldap:///<CaName><CRLNameSuffix>,CN=<CaName>,CN=CDP,CN=Public Key Services,CN=Services,<ConfigurationContainer><CDPObjectClass>

As listed in:

  1. https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn486805(v=ws.11)#verifying-certificate-extensions-on-the-destination-ca
  2. https://docs.microsoft.com/en-us/windows-server/networking/core-network-guide/cncg/server-certs/configure-the-cdp-and-aia-extensions-on-ca1
  3. https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh831574(v=ws.11)