Enabling the Netscape Revocation Method

Applies To: Windows Server 2003 with SP1

To enable a legacy Netscape (iPlanet) application certificate revocation service with a Windows Server 2003 CA, run the following command on the CA:

certutil -SetReg Policy\RevocationType +AspEnable 

If the IIS (ASP) pages are hosted on a separate computer, or if the URL the Netscape application server will use differs from the default, review the current setting with the following command:

certutil -getreg Policy\RevocationURL

The value is stored in the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\<CAName>\PolicyModules\CertificateAuthority_MicrosoftDefault.Policy\RevocationURL

RevocationURL REG_SZ = https://%1/CertEnroll/nsrev_%3.asp

The URL may be changed in the registry. Restart the CA after making a change. The following replacement variables may be used in the revocation URL:

SERVERDNSNAME "%1"

SERVERSHORTNAME "%2"

SANITIZEDCANAME "%3"

CERTFILENAMESUFFIX "%4"

DOMAINDN "%5"

CONFIGDN "%6"

SANITIZEDCANAMEHASH "%7"

CRLFILENAMESUFFIX "%8"

CRLDELTAFILENAMESUFFIX "%9"

DSCRLATTRIBUTE "%10"

DSCACERTATTRIBUTE "%11"

DSUSERCERTATTRIBUTE "%12"

DSKRACERTATTRIBUTE "%13"

DSCROSSCERTPAIRATTRIBUTE "%14"
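As an added example (not from the original article), the following Python helper expands a RevocationURL template with the replacement variables listed above and preflights the result before it is written to the registry. The substitution semantics are assumed from the variable table, and the server and CA names in the test are constructed sample values.

```python
"""Preview a Windows CA RevocationURL template (added example, not from the article).

The CA substitutes the %1..%14 replacement variables into RevocationURL before a
Netscape client requests it. This helper reproduces that expansion so an
administrator can see the URL a custom template will produce. The one edge case
is token ordering: "%1" must not be replaced inside "%10".."%14", so two-digit
tokens are matched first. Substitution rules are assumed from the variable table.
"""
import re
from urllib.parse import urlparse

# Token numbers keyed by the variable names the article lists.
REPLACEMENT_VARIABLES = {
    "SERVERDNSNAME": 1, "SERVERSHORTNAME": 2, "SANITIZEDCANAME": 3,
    "CERTFILENAMESUFFIX": 4, "DOMAINDN": 5, "CONFIGDN": 6,
    "SANITIZEDCANAMEHASH": 7, "CRLFILENAMESUFFIX": 8,
    "CRLDELTAFILENAMESUFFIX": 9, "DSCRLATTRIBUTE": 10,
    "DSCACERTATTRIBUTE": 11, "DSUSERCERTATTRIBUTE": 12,
    "DSKRACERTATTRIBUTE": 13, "DSCROSSCERTPAIRATTRIBUTE": 14,
}

# Default value of RevocationURL as shown in the article.
DEFAULT_TEMPLATE = "https://%1/CertEnroll/nsrev_%3.asp"

# Matches %1..%14; the two-digit alternative is tried first.
_TOKEN = re.compile(r"%(1[0-4]|[1-9])")


def expand_revocation_url(template, values):
    """Return `template` with each %n replaced by values[VARIABLENAME].

    Variables absent from `values` are left as their %n token so that a
    misconfigured template stays visible instead of being silently emptied.
    """
    by_number = {n: values.get(name) for name, n in REPLACEMENT_VARIABLES.items()}

    def substitute(match):
        value = by_number.get(int(match.group(1)))
        return match.group(0) if value is None else value

    return _TOKEN.sub(substitute, template)


def check_revocation_url(url):
    """Preflight an expanded URL: flag a non-HTTPS scheme and leftover %n tokens."""
    findings = []
    scheme = urlparse(url).scheme.lower()
    if scheme != "https":
        findings.append(f"scheme is {scheme or 'missing'}, not https")
    leftover = _TOKEN.findall(url)
    if leftover:
        findings.append("unresolved tokens: " + ", ".join("%" + t for t in leftover))
    return findings
```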

Note that for this revocation service to work, the application, service, or account connecting to this URL must have READ permissions in the certification authority MMC snap-in. If IIS is using a local account, follow the steps for enabling anonymous access in IIS and allowing Anonymous READ access to the CA.

Important

Allowing anonymous access to the CA may raise privacy or security concerns.