Defining CRL Distribution Points
You can define a CA's CDP URLs with the certutil command by editing the CRLPublicationURLs registry value (certutil -setreg CA\CRLPublicationURLs). The value holds one or more URL templates, each prefixed with a number that selects which CRL publication options are enabled for that URL.
For example, the certutil command that defines the CDP extension builds its URL templates from the following replacement tokens, which the CA substitutes when it publishes a CRL or issues a certificate:
| Variable | Name | Description |
|---|---|---|
| %1 | ServerDNSName | The CA computer's Domain Name System (DNS) name |
| %2 | ServerShortName | The CA computer's NetBIOS name |
| %3 | CAName | The CA's logical name |
| %6 | ConfigDN | The Lightweight Directory Access Protocol (LDAP) path of the forest's configuration naming context |
| %8 | CRLNameSuffix | The CRL's renewal suffix: for a CA certificate renewed with a new key, the key index in parentheses (for example "(1)"); empty for the original key |
| %9 | DeltaCRLAllowed | Indicates whether the CA supports delta CRLs: expands to "+" for a delta CRL so its name is distinct from the base CRL's, otherwise empty |
| %10 | CDPObjectClass | The LDAP query suffix that identifies the object as a CDP object in AD DS (?certificateRevocationList?base?objectClass=cRLDistributionPoint) |
CRL Publication options
| Option (as shown in the CA console) | Description | Variable name | Value |
|---|---|---|---|
| Publish CRLs to this location. | Identifies locations to which the CA automatically writes the physical CRL files. | ServerPublish | 1 |
| Include in all issued certificates. | Places a URL for the base CRL in the CDP extension of every certificate issued by the CA. | AddtoCertCDP | 2 |
| Include in CRLs. Clients use this to find delta CRL locations. | Places a URL for delta CRL retrieval in a base CRL. This publication point is stored in the Freshest CRL extension of the base CRL and is retrieved only during CRL checking. | AddtoFreshestCRL | 4 |
| Include in the CDP extension of CRLs. | Places a URL in the CDP extension of each CRL issued by the CA, so that a relying party's certificate chaining engine can download the latest CRL when the one it holds has expired. | AddtoCRLCDP | 8 |
| Publish delta CRLs to this location. (For LDAP URLs, specifies where in AD DS to publish.) | If the CA is configured to issue delta CRLs, the delta CRL files are automatically written to this location. | ServerPublish-Delta | 64 |
| Include in the IDP extension of issued CRLs. | Used by non-Windows clients to determine the scope of the CRL. The scope can be end-entity certificates only, CA certificates only, attribute certificates only, or a limited set of reason codes. | Issuing-DistributionPoint | 128 |
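The following PowerShell script is an added example, not code from the original page or from Microsoft's documentation. It builds a CRLPublicationURLs value from the flag values in the table above, applies it with certutil -setreg, and decodes the numeric prefixes back into option names so an existing configuration can be reviewed. The host name pki.example.com, the CertEnroll paths and the choice of locations are assumptions for illustration; the token %7 (the sanitized CA name, which the default LDAP entry uses) is a certutil token not listed in the variable table above.

```powershell
# Added example: assembles CA\CRLPublicationURLs from the publication option
# flags and applies it. Host names and paths are placeholders.

# Publication option flags (decimal values certutil expects before each URL).
$ServerPublish      = 1    # CA writes the base CRL file to this location
$AddtoCertCDP       = 2    # URL goes into the CDP extension of issued certificates
$AddtoFreshestCRL   = 4    # URL goes into the Freshest CRL extension of base CRLs
$AddtoCRLCDP        = 8    # URL goes into the CDP extension of issued CRLs
$ServerPublishDelta = 64   # CA writes the delta CRL file to this location
$IssuingDistPoint   = 128  # URL goes into the IDP extension of issued CRLs (non-Windows clients)

# Turns a numeric prefix (as printed by "certutil -getreg CA\CRLPublicationURLs")
# back into option names, for reviewing what a CA is currently configured with.
function Get-CdpOptionNames {
    param([int]$Flags)
    $names = @{ 1 = 'ServerPublish'; 2 = 'AddtoCertCDP'; 4 = 'AddtoFreshestCRL';
                8 = 'AddtoCRLCDP'; 64 = 'ServerPublish-Delta'; 128 = 'Issuing-DistributionPoint' }
    $names.Keys | Sort-Object | Where-Object { $Flags -band $_ } | ForEach-Object { $names[$_] }
}

# One entry per location: "<flags>:<URL template>". Tokens: %2 = CA NetBIOS
# name, %6 = configuration naming context, %7 = sanitized CA name (assumed,
# not in the table above), %8 = CRL name suffix, %9 = delta CRL marker,
# %10 = CDP object class, %3 = CA name.
$localFlags = $ServerPublish -bor $ServerPublishDelta
$httpFlags  = $AddtoCertCDP -bor $AddtoFreshestCRL -bor $AddtoCRLCDP
$ldapFlags  = $ServerPublish -bor $AddtoCertCDP -bor $AddtoFreshestCRL -bor $AddtoCRLCDP -bor $ServerPublishDelta

$entries = @(
    # Local disk: the CA writes base and delta CRLs here. Nothing in issued
    # certificates points to it, so it is only a staging copy.
    "${localFlags}:$env:windir\system32\CertSrv\CertEnroll\%3%8%9.crl"

    # HTTP first: relying parties try CDP URLs in the order listed, and HTTP
    # works for non-domain clients. No ServerPublish bit here: the CA does not
    # write to the web server, so a separate job must copy the files there.
    "${httpFlags}:http://pki.example.com/CertEnroll/%3%8%9.crl"

    # LDAP: published to AD DS by the CA and used by domain-joined clients.
    "${ldapFlags}:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10"
)

# certutil separates the REG_MULTI_SZ entries with a literal backslash-n.
$value = $entries -join '\n'
certutil -setreg CA\CRLPublicationURLs $value

# The CA reads this value at service start: restart it and issue a fresh CRL
# so the new locations are actually populated before any certificate advertises them.
Restart-Service -Name CertSvc
certutil -CRL

# Review the result, decoding each numeric prefix back into option names.
certutil -getreg CA\CRLPublicationURLs
foreach ($e in $entries) {
    $flags, $url = $e -split ':', 2
    '{0,-4} {1,-75} {2}' -f $flags, $url, ((Get-CdpOptionNames -Flags ([int]$flags)) -join ',')
}
```

Run it in an elevated PowerShell session on the CA. The order of entries matters, because clients try the URLs in the order they appear in the CDP extension of the certificate. The HTTP entry deliberately lacks the ServerPublish bit (1): if no process copies the .crl files from the local CertEnroll folder to the web server, every certificate the CA issues will advertise a URL that never serves a CRL, and relying parties will fall back to LDAP or report the revocation status as unknown.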
How to add a CDP
The CRL distribution points (CDP) extension is an X.509 version 3 certificate extension that identifies the location of the Certificate Revocation List (CRL) against which the revocation status of the certificate can be checked.
An application that processes the certificate reads the CRL location from this extension, downloads the CRL, and then looks up the certificate's serial number in it to determine whether the certificate has been revoked. If none of the listed locations can be reached, the revocation status is unknown rather than "not revoked"; whether that counts as a validation failure is decided by the relying application's policy.
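The following PowerShell script is an added example, not code from the original page. It shows the relying-party side of the extension on Windows: it reads the CDP extension (OID 2.5.29.31) out of a certificate file, lists the CRL URLs the CA wrote into it, and then asks the Windows certificate chain engine to fetch the CRL and evaluate revocation, reporting the chain status flags that distinguish "revoked" from "CRL could not be retrieved". The file name .\leaf.cer is an assumption; the text layout returned by Format() is the Windows CryptoAPI rendering, so the URL regex assumes a Windows host.

```powershell
# Added example: inspect a certificate's CDP extension and check revocation
# through the Windows chain engine. Assumes .\leaf.cer exists (placeholder).
$CertPath = '.\leaf.cer'

# Returns the CRL URLs carried in the certificate's CDP extension, in the order
# the CA wrote them (the order in which relying parties will try them).
function Get-CdpUrl {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    # OID 2.5.29.31 = id-ce-cRLDistributionPoints
    $ext = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    if (-not $ext) { return @() }
    # Format($true) renders the ASN.1 as multi-line text with one "URL=" line
    # per distribution point name (Windows CryptoAPI rendering).
    $ext.Format($true) -split "`r?`n" |
        ForEach-Object { if ($_ -match 'URL=(\S+)') { $Matches[1] } }
}

# Builds the chain with online revocation checking so the engine downloads the
# CRL from the CDP and evaluates it; returns the outcome and any status flags.
function Test-Revocation {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    # Check only the end-entity certificate here to keep the output focused on its CDP.
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EndCertificateOnly
    $chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(15)
    $built = $chain.Build($Certificate)
    [pscustomobject]@{
        ChainBuilt = $built
        # Empty when the chain is good. "Revoked" means the serial was found in
        # the CRL; "RevocationStatusUnknown" or "OfflineRevocation" mean the CRL
        # could not be fetched from any CDP URL, which is a CDP publishing problem,
        # not proof that the certificate is still valid.
        Status     = @($chain.ChainStatus | ForEach-Object {
            '{0}: {1}' -f $_.Status, $_.StatusInformation.Trim()
        })
    }
}

$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new((Resolve-Path $CertPath).Path)
'CDP URLs advertised by the certificate:'
Get-CdpUrl -Certificate $cert
Test-Revocation -Certificate $cert

# certutil performs the same retrieval and prints each URL it tried with the result,
# which is the quickest way to see which of the published locations actually work.
certutil -verify -urlfetch $CertPath
```

When a certificate fails with RevocationStatusUnknown even though it is not in the CRL, compare the URLs printed by Get-CdpUrl with what the CA actually publishes: the usual causes are an HTTP location that is advertised in certificates but never receives the .crl files, or an LDAP location that a non-domain client cannot reach.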