3.1.1.8 CRL Publishing Locations

These data elements each contain a list of one or more CRL publishing locations, as defined in [MS-WCCE] section 3.2.1.1.4.

Certificate Services Remote Administration Protocol server implementations that also implement the Windows Client Certificate Enrollment Protocol or the ICertPassage Remote Protocol use the same configuration data elements, defined here, for those implementations.

Each of the following elements is used in the PublishCRL and PublishCRLs methods:

  • Config_CA_CDP_Publish_To_Base

    This element is initialized to contain a local registry location:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs\

  • Config_CA_CDP_Publish_To_Delta

    This element is initialized to contain a local registry location:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs\

  • Config_CA_CDP_Include_In_CRL_Publish_Locations_Extension

  • Config_CA_CDP_Include_In_CRL_Freshest_CRL_Extension

  • Config_CA_CDP_Include_In_CRL_IDP_Extension

CRL publishing locations MUST be in the following format:

Config_CA_CDP_Publish_To_Base and Config_CA_CDP_Publish_To_Delta

For a file location, a valid local file path starting with a single-letter drive designator (for example, "D:"), a UNC network file path, or a Uniform Resource Identifier (URI) in one of the following formats:

file://{DriveLetter}:\{Path}\{Filename}

file:///{DriveLetter}:\{Path}\{Filename}

file://\\{HostName}\{Path}\{Filename}

file:///\\{HostName}\{Path}\{Filename}

where

  • DriveLetter is a single-letter drive designator on the local machine.

  • HostName is the fully qualified domain name (FQDN) or NetBIOS name of a host on the network.

  • Path is a file path that is available on the drive DriveLetter on the local machine or on the host HostName over the network.

For an LDAP location, a path that starts with "ldap:".

  • The Config_CA_CDP_Include_In_CRL_Publish_Locations_Extension MUST start with "ldap:".

  • The Config_CA_CDP_Include_In_CRL_Freshest_CRL_Extension CRL publishing location MUST be a valid UNC network path or start with "http:", "ftp:", "ldap:", or "file:".

  • The Config_CA_CDP_Include_In_CRL_IDP_Extension CRL publishing location MUST start with "http:", "ftp:", or "ldap:".

Each CRL publishing location that references a directory path or other hierarchical location MUST specify a file name or attribute name in addition to a directory path or schema location.<10>
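The following Python is an added illustration, not part of [MS-CSRA] or of any Microsoft implementation: it checks a list of configured locations against the per-element format rules above, including the requirement that a hierarchical location name a file or attribute. Element names are the page's; the sample locations are constructed, and the ldap: attribute check assumes the attribute name is the first "?"-delimited field of an LDAP URL (RFC 4516).

```python
import re

# Added example, not part of [MS-CSRA] or any Microsoft code: checks configured CRL publishing
# locations against the per-element format rules this section states. Element names are the
# page's; the accepted scheme sets are taken from its bullets. Sample values are constructed.

_DRIVE = re.compile(r"^[A-Za-z]:\\")   # single-letter drive designator, e.g. "D:\"
_UNC = re.compile(r"^\\\\[^\\]+\\")    # UNC network path, e.g. "\\host\share\"

def _strip_file_scheme(loc: str) -> str:
    # Both "file://" and "file:///" prefixes precede either a drive path or a UNC path.
    return re.sub(r"^file:///?", "", loc, flags=re.IGNORECASE)

def _is_file_location(loc: str) -> bool:
    body = _strip_file_scheme(loc)
    return bool(_DRIVE.match(body) or _UNC.match(body))

def _scheme(loc: str, *schemes: str) -> bool:
    return loc.lower().startswith(schemes)

def _names_leaf(loc: str) -> bool:
    """A hierarchical location must end in a file name or, for ldap:, name an attribute
    (assumed here to be the first '?'-delimited field of an LDAP URL, per RFC 4516)."""
    low = loc.lower()
    if low.startswith("ldap:"):
        fields = loc.split("?")
        return len(fields) >= 2 and fields[1] != ""
    if low.startswith(("http:", "ftp:")):
        after_host = loc[loc.find("//") + 2:]
        return "/" in after_host and not loc.endswith("/")
    body = _strip_file_scheme(loc)
    return "\\" in body and not body.endswith("\\")

RULES = {
    "Config_CA_CDP_Publish_To_Base": lambda loc: _is_file_location(loc) or _scheme(loc, "ldap:"),
    "Config_CA_CDP_Publish_To_Delta": lambda loc: _is_file_location(loc) or _scheme(loc, "ldap:"),
    "Config_CA_CDP_Include_In_CRL_Publish_Locations_Extension": lambda loc: _scheme(loc, "ldap:"),
    "Config_CA_CDP_Include_In_CRL_Freshest_CRL_Extension":
        lambda loc: bool(_UNC.match(loc)) or _scheme(loc, "http:", "ftp:", "ldap:", "file:"),
    "Config_CA_CDP_Include_In_CRL_IDP_Extension": lambda loc: _scheme(loc, "http:", "ftp:", "ldap:"),
}

def invalid_locations(element: str, locations) -> list:
    """Return the entries that break the element's format rule or omit a file/attribute name."""
    rule = RULES[element]
    return [loc for loc in locations if not (rule(loc) and _names_leaf(loc))]

# Constructed sample: a delta-CRL publish list whose second entry omits the file name.
SAMPLE_DELTA = ["D:\\CertEnroll\\CA+.crl", "\\\\pki01\\CertEnroll\\"]
BAD_DELTA = invalid_locations("Config_CA_CDP_Publish_To_Delta", SAMPLE_DELTA)  # → ['\\\\pki01\\CertEnroll\\']
```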

  • CRL_Publish_AD_Connection: An ADConnection handle as defined in [MS-ADTS] section 7.3. This element is used each time the CA establishes an Active Directory connection to publish a CRL to an ldap: location.