Specify certificate revocation list distribution points in issued certificates
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
You can add, remove, or modify certificate revocation list distribution points (CDPs) in issued certificates by using the following procedure. However, modifying the URL for a CDP only affects newly issued certificates. Previously issued certificates will continue to reference the original location.
To specify certificate revocation list distribution points in issued certificates
1. Log on to the system as a Certification Authority Administrator.
2. Open Certification Authority.
3. In the console tree, click the certification authority.
   Where?
   - Certification Authority (Computer)/CA name
4. On the Action menu, click Properties.
5. On the Extensions tab, confirm that Select extension is set to CRL Distribution Point (CDP).
6. Do one or more of the following. (The list of CRL distribution points is in the Specify locations from which users can obtain a certificate revocation list (CRL) box.)

   | To | Do this |
   | --- | --- |
   | Add a new certificate revocation list (CRL) distribution point. | Click Add, type the name of the new CRL distribution point, and click OK. |
   | Remove a CRL distribution point from the list. | Click the CRL distribution point, and then click Remove and click OK. |
   | Indicate that you want to use a URL as a CRL distribution point. | Click the CRL distribution point, select the Include in the CDP extension of issued certificates check box, and then click OK. |
   | Indicate that you do not want to use a URL as a CRL distribution point. | Click the CRL distribution point, clear the Include in the CDP extension of issued certificates check box, and then click OK. |
   | Indicate that you want to use a URL as a delta CRL distribution point. | Click the CRL distribution point, select the Publish Delta CRLs to this location check box, and then click OK. |
   | Indicate that you do not want to use a URL as a delta CRL distribution point. | Click the CRL distribution point, clear the Publish Delta CRLs to this location check box, and then click OK. |
   | Indicate that you want to publish this location in CRLs to point clients to a delta CRL. | Click the CRL distribution point, select the "Include in CRLs. Clients use this to find Delta CRL locations." check box, and then click OK. |
   | Indicate that you do not want to publish this location in CRLs to point clients to a Delta CRL. | Click the CRL distribution point, clear the "Include in CRLs. Clients use this to find Delta CRL locations." check box, and then click OK. |

7. Click Yes to stop and restart the Certificate Services service.
Notes
To open Certification Authority, click Start, click Control Panel, double-click Administrative Tools, and then double-click Certification Authority.
Certificate revocation list URLs can be HTTP, FTP, LDAP, or FILE addresses. You can use the following variables when specifying the address of the CRL.
| Variable | Value |
| --- | --- |
| CAName | The name of the certification authority |
| CAObjectClass | The object class identifier for a certification authority, used when publishing to an LDAP URL |
| CATruncatedName | The "sanitized" name of the certification authority, truncated to 32 characters with a hash on the end |
| CDPObjectClass | The object class identifier for CRL distribution points, used when publishing to an LDAP URL |
| CertificateName | The renewal extension of the certification authority |
| ConfigurationContainer | The location of the Configuration container in Active Directory |
| CRLNameSuffix | Inserts a name suffix at the end of the file name when publishing a CRL to a file or URL location |
| DeltaCRLAllowed | When a delta CRL is published, this replaces the CRLNameSuffix with a separate suffix to distinguish the delta CRL |
| ServerDNSName | The DNS name of the certification authority server |
| ServerShortName | The NetBIOS name of the certification authority server |
To stop and restart the Certificate Services service, see Related Topics.
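A pre-change review of a planned CDP list, as an added example (not Microsoft's code): it checks each location against the address types and variables listed in the notes above, then expands the entries marked for the CDP extension, which are the locations newly issued certificates will carry. The `<Name>` token syntax, the `review_cdp` function, and all sample values are assumptions constructed for illustration.

```python
import re

# Variable names from the table above; the <Name> token syntax is an assumption.
KNOWN_VARS = {"CAName", "CAObjectClass", "CATruncatedName", "CDPObjectClass",
              "CertificateName", "ConfigurationContainer", "CRLNameSuffix",
              "DeltaCRLAllowed", "ServerDNSName", "ServerShortName"}
ADDRESS_TYPES = ("http", "ftp", "ldap", "file")  # address types named in the notes
_BY_LOWER = {v.lower(): v for v in KNOWN_VARS}   # variables are matched case-insensitively
TOKEN = re.compile(r"<([^<>]*)>")

def review_cdp(entries, values):
    """Return (urls_for_issued_certs, findings) for a planned CDP list.

    entries: dicts with 'location' and the boolean 'include_in_cdp', which stands for
             the "Include in the CDP extension of issued certificates" check box.
    values:  sample expansion for every variable, supplied by the caller.
    """
    urls, findings = [], []
    for e in entries:
        loc = e["location"]
        scheme = loc.split(":", 1)[0].lower()
        if scheme not in ADDRESS_TYPES:
            findings.append(f"{loc}: address type '{scheme}' is not HTTP, FTP, LDAP, or FILE")
        unknown = [t for t in TOKEN.findall(loc) if t.lower() not in _BY_LOWER]
        for t in unknown:
            findings.append(f"{loc}: <{t}> is not a variable from the table")
        # Only clean entries with the check box selected reach issued certificates.
        if e.get("include_in_cdp") and not unknown and scheme in ADDRESS_TYPES:
            urls.append(TOKEN.sub(lambda m: values[_BY_LOWER[m.group(1).lower()]], loc))
    return urls, findings

# Constructed sample values for a hypothetical CA. Variables left empty here
# (for example both suffix variables) are an assumption made to keep the output short.
SAMPLE_VALUES = {v: "" for v in KNOWN_VARS}
SAMPLE_VALUES.update(ServerDNSName="ca01.corp.example.com", ServerShortName="CA01",
                     CAName="Example-Issuing-CA", CATruncatedName="Example-Issuing-CA",
                     ConfigurationContainer="CN=Configuration,DC=corp,DC=example,DC=com")

# Constructed plan: one location in the CDP extension, one not, one with a typo.
PLAN = [
    {"location": "http://<ServerDNSName>/CertEnroll/<CAName><CRLNameSuffix><DeltaCRLAllowed>.crl",
     "include_in_cdp": True},
    {"location": "ldap:///CN=<CATruncatedName><CRLNameSuffix>,CN=<ServerShortName>,CN=CDP,<ConfigurationContainer><CDPObjectClass>",
     "include_in_cdp": False},
    {"location": "http://<ServerDNSNmae>/CertEnroll/<CAName>.crl", "include_in_cdp": True},
]

if __name__ == "__main__":
    urls, findings = review_cdp(PLAN, SAMPLE_VALUES)
    print("In newly issued certificates:", urls)
    print("Findings:", findings)
```

Because previously issued certificates keep referencing the original location, run the same review against the current list as well and keep every URL it reports reachable for as long as those certificates are in use.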
Information about functional differences
- Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings. For more information, see Viewing Help on the Web.
See Also
Concepts
Working with MMC console files
Certificate revocation
Revoke an issued certificate
Schedule the publication of the certificate revocation list
Manually publish the certificate revocation list
View the certificate revocation list