A 360-Degree Overview of CRL Distribution Point

Read time: 10 minutes

This is a location in the form of URLs where the issuing CA’s base certificate revocation list (CRL) is published. If revocation checking is enabled, an application will use the URL to retrieve an updated version of the CRL. URLs can use Hypertext Transfer Protocol (HTTP), LDAP, or File.

Importance

With the help of CDP, an application or a site-visitor can retrieve the Certificate Revocation List (CRL) thereby determining whether the digital certificate is trustworthy or not. This can protect them from visiting or accessing fraudulent sites and from man-in-the-middle attacks. In the absence of CRL, they might be vulnerable to data-theft, malware, fraud, financial loss etc.

Defining CRL Distribution Points:

You can define a CA’s CDP URLs by using the certutil command to edit the CRLPublicationURLs registry entry. The command allows you to designate one or more URLs as well as which CRL publication options are enabled for each URL.

For example, consider the following certutil command that defines the CDP extension:

certutil -setreg CACRLPublicationURLs “1:C:Windowssystem32CertSrvCertEnroll%3%8%9.crln10:ldap:///CN=%7%8,CN=%2, CN=CDP,CN=Public Key Services,CN=Services, %6%10n2:http://pki.EncryptionConsulting.com/CertEnroll/%3%8%9.crl”

This command defines three separate URLs. The URL order is important when implementing
Windows clients because it specifies the order in which the certificate chaining engine searches URLs when retrieving an updated CRL version. Likewise, the number that precedes each URL represents the enabled options for each URL.

1:C:Windowssystem32CertSrvCertEnroll%3%8%9.crl : This URL ensures that
the CRL file is copied to the local file system every time the CRL is automatically or manually published.

10:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10 : This URL enables two values: 2 to designate the CRL’s publication point in AD DS and 8 to include the CDP URL in all CA-issued certificates.

2:http://pki.EncryptionConsulting.com/CertEnroll/%3%8%9.crl : This URL ensures that
the URL pki.EncryptionConsulting.com/CertEnroll/%3%8%9.crl is included in the CDP extension of all issued certificates.

CDP variables

Variable	Name	Description
%1	ServerDNSName	The CA computer’s Domain Name System (DNS) name
%2	ServerShortName	The CA computer’s NetBIOS name
%3	CA Name	The CA’s logical name
%6	ConfigDN	The Lightweight Directory Access Protocol (LDAP) path of the forest’s configuration naming context for the forest
%8	CRLNameSuffix	The CRL’s renewal extension
%9	DeltaCRLAllowed	Indicates whether delta CRLs are supported by the CA
%10	CDPObjectClass	Indicates that the object is a CDP object in AD DS

CRL Publication options

Variable	Name	Description
%1	ServerDNSName	The CA computer’s Domain Name System (DNS) name
%2	ServerShortName	The CA computer’s NetBIOS name
%3	CA Name	The CA’s logical name
%6	ConfigDN	The Lightweight Directory Access Protocol (LDAP) path of the forest’s configuration naming context for the forest
%8	CRLNameSuffix	The CRL’s renewal extension
%9	DeltaCRLAllowed	Indicates whether delta CRLs are supported by the CA
%10	CDPObjectClass	Indicates that the object is a CDP object in AD DS

How to add a CDP

Command:

Add-CRLDistributionPoint [-InputObject] <CRLDistributionPoint[]> [-URI] <String[]> [<CommonParameters>]

Parameters:

-InputObject <CRLDistributionPoint[]>  -> Specifies the CRLDistributionPoint object to which new CRL distribution points are added

[-URI] <String[]>  -> This specifies new CRL file publishing distribution points for a particular CA.

<CommonParameters> : The cmdlet supports common parameters like: Debug (db), ErrorAction (ea), ErrorVariable (ev), InformationAction (infa), InformationVariable (iv), OutVariable (ov), OutBuffer (ob), PipelineVariable (pv), Verbose (vb), WarningAction (wa), WarningVariable (wv)

Conclusion:

The CRL distribution points (CDP) is a X.509 version 3 certificate extension which identifies the location of the Certificate Revocation List (CRL) from which the revocation of the requested certificate can be checked.

The application that processes the certificate can get the location of the CRL from this extension, download the CRL and thereafter validate the revocation status of the requested certificate.