Overview of CRL Distribution Point

    20 Nov 2021

    A CRL Distribution Point (CDP) is a location, given as one or more URLs, where the issuing CA’s base certificate revocation list (CRL) is published. If revocation checking is enabled, an application uses the URL to retrieve an updated version of the CRL. The URLs can use Hypertext Transfer Protocol (HTTP), LDAP, or File.


    With the help of the CDP, an application or a site visitor can retrieve the Certificate Revocation List (CRL) and determine whether a digital certificate is still trustworthy. This can protect them from visiting or accessing fraudulent sites and from man-in-the-middle attacks. Without a CRL, they might be vulnerable to data theft, malware, fraud, financial loss, etc.

    Defining CRL Distribution Points:

    You can define a CA’s CDP URLs by using the certutil command to edit the CRLPublicationURLs registry entry. The command allows you to designate one or more URLs as well as which CRL publication options are enabled for each URL.

    For example, consider the following certutil command that defines the CDP extension:

    certutil -setreg CA\CRLPublicationURLs "1:C:\Windows\system32\CertSrv\CertEnroll\%3%8%9.crl\n10:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10\n2:http://pki.EncryptionConsulting.com/CertEnroll/%3%8%9.crl"

    This command defines three separate URLs. The URL order is important for Windows clients because it specifies the order in which the certificate chaining engine searches the URLs when retrieving an updated CRL version. The number that precedes each URL is the sum of the publication options enabled for that URL.

    1:C:\Windows\system32\CertSrv\CertEnroll\%3%8%9.crl : This URL ensures that the CRL file is copied to the local file system every time the CRL is automatically or manually published.

    10:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10 : This URL enables two values: 2 to designate the CRL’s publication point in AD DS and 8 to include the CDP URL in all CA-issued certificates.

    2:http://pki.EncryptionConsulting.com/CertEnroll/%3%8%9.crl : This URL ensures that the URL pki.EncryptionConsulting.com/CertEnroll/%3%8%9.crl is included in the CDP extension of all issued certificates.

    CDP variables

    | Variable | Name | Description |
    |---|---|---|
    | %1 | ServerDNSName | The CA computer’s Domain Name System (DNS) name |
    | %2 | ServerShortName | The CA computer’s NetBIOS name |
    | %3 | CA Name | The CA’s logical name |
    | %6 | ConfigDN | The Lightweight Directory Access Protocol (LDAP) path of the forest’s configuration naming context |
    | %8 | CRLNameSuffix | The CRL’s renewal extension |
    | %9 | DeltaCRLAllowed | Indicates whether delta CRLs are supported by the CA |
    | %10 | CDPObjectClass | Indicates that the object is a CDP object in AD DS |

    CRL Publication options

    | Name | Description | Label | Value |
    |---|---|---|---|
    | Publish CRLs to this location | Identifies locations to which the CA should automatically publish the physical CRL files. | ServerPublish | 1 |
    | Include in all issued certificates | Place a URL for the base CRL in all certificates issued by the CA. | AddtoCertCDP | 2 |
    | Include in CRLs. Clients use this to find Delta CRL locations | Places a URL for delta CRL retrieval in a base CRL. This publication point is stored in the freshest CRL extension of a CRL and is retrieved only during the CRL checking process. | AddtoFreshestCRL | 4 |
    | Include in the CDP extension of CRLs | Places a URL in the CDP extension of a CRL issued by the CA to allow the relying party certificate chaining engine to download the latest CRL version if the current version has expired. | AddtoCRLCDP | 8 |
    | Publish delta CRLs to this location | Specifies where to publish in AD DS when publishing to LDAP URLs. If the CA is configured to enable delta CRLs, the delta CRL files are automatically published to this location. | ServerPublish-Delta | 64 |
    | Include in the IDP extension of issued CRLs | Used by non-Windows clients to determine the scope of the CRL. The scope can include end-entity certificates only, CA certificates only, attribute certificate only, or a limited set of reason codes. | IssuingDistributionPoint | 128 |
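
When reviewing a CA, it helps to decode a CRLPublicationURLs value back into its options and see which URLs clients will actually be given. The following is an added example, not code from the original article: it parses the value from the certutil command above using the option values from the table, and the function names and the review checks are this example's own assumptions.

```python
import re

# Option values and labels as listed in the publication options table on this page.
OPTIONS = {1: "ServerPublish", 2: "AddtoCertCDP", 4: "AddtoFreshestCRL",
           8: "AddtoCRLCDP", 64: "ServerPublish-Delta", 128: "IssuingDistributionPoint"}

# The value from the certutil example on this page (raw string: "\n" stays literal).
PAGE_VALUE = (r"1:C:\Windows\system32\CertSrv\CertEnroll\%3%8%9.crl"
              r"\n10:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10"
              r"\n2:http://pki.EncryptionConsulting.com/CertEnroll/%3%8%9.crl")

def parse_crl_publication_urls(value):
    """Return [(number, url, labels)] in configured order."""
    entries = []
    # Entries are separated by a literal backslash-n (certutil syntax) or a real newline.
    for item in re.split(r"\\n|\n", value):
        item = item.strip()
        if not item:
            continue
        number, sep, url = item.partition(":")
        if not sep or not number.isdigit() or not url:
            raise ValueError(f"expected '<number>:<url>', got {item!r}")
        flags = int(number)
        labels = [name for bit, name in OPTIONS.items() if flags & bit]
        other = flags & ~sum(OPTIONS)  # bits the page's table does not describe
        if other:
            labels.append(f"other({other})")
        entries.append((flags, url, labels))
    return entries

def urls_in_issued_certs(entries):
    """URLs written to the CDP extension of issued certificates, in client search order."""
    return [url for flags, url, _ in entries if flags & 2]

def review(entries):
    """Return findings for settings that leave clients unable to fetch the CRL."""
    findings = []
    for url in urls_in_issued_certs(entries):
        if re.match(r"[A-Za-z]:\\", url):  # a drive path exists only on the CA itself
            findings.append(f"local path included in issued certificates: {url}")
    if not urls_in_issued_certs(entries):
        findings.append("no CDP URL is included in issued certificates")
    if not any(flags & 1 for flags, _, _ in entries):
        findings.append("no location has ServerPublish (1): CRLs are not published automatically")
    return findings

if __name__ == "__main__":
    for flags, url, labels in parse_crl_publication_urls(PAGE_VALUE):
        print(f"{flags:>3}  {'+'.join(labels):<26} {url}")
```

For the value on this page, the LDAP URL is listed before the HTTP URL in issued certificates, so Windows clients try LDAP first.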

    How to add a CDP


    Add-CRLDistributionPoint [-InputObject] <CRLDistributionPoint[]> [-URI] <String[]> [<CommonParameters>]


    -InputObject <CRLDistributionPoint[]>  -> Specifies the CRLDistributionPoint object to which new CRL distribution points are added.

    [-URI] <String[]>  -> Specifies new CRL file publishing distribution points for a particular CA.

    <CommonParameters> : The cmdlet supports common parameters such as Debug (db), ErrorAction (ea), ErrorVariable (ev), InformationAction (infa), InformationVariable (iv), OutVariable (ov), OutBuffer (ob), PipelineVariable (pv), Verbose (vb), WarningAction (wa), and WarningVariable (wv).


    The CRL distribution point (CDP) is an X.509 version 3 certificate extension that identifies the location of the Certificate Revocation List (CRL) against which the revocation status of the requested certificate can be checked.

    The application that processes the certificate can get the location of the CRL from this extension, download the CRL and thereafter validate the revocation status of the requested certificate.
