
Questions about CDP and AIA distribution points

Questions about CDP and AIA distribution points Ingo Huber 07-11-2006
Posted by Ingo Huber on July 11, 2006, 7:41 am
Hi

I want to install a PKI test environment. I take the recommendation written
in the document "Best Practices for Implementing a Microsoft Windows Server
2003 Public Key Infrastructure".

http://technet2.microsoft.com/WindowsServer/en/Library/091cda67-79ec-481d-8a96-03e0be7374ed1033.mspx?mfr=true

Now I have some questions about CDP and AIA distribution points.

For the offline Root CA I design the distribution points in the printed order:

1. %WINDIR%\system32\CertSrv\CertEnroll
2. http
3. LDAP

I want to assign the parameters with the following script:

certutil -setreg CA\CRLPublicationURLs "1:%WINDIR%\system32\CertSrv\CertEnroll\%%3%%8%%9.crl\n8:http://pki.ww-intern.de/certdata/%%3%%8%%9.crl\n10:LDAP:///CN=%%7%%8,CN=%%2,CN=CDP,CN=Public Key Services,CN=Services,%%6%%10"

certutil -setreg CA\CACertPublicationURLs "1:%WINDIR%\system32\CertSrv\CertEnroll\%%1_%%3%%4.crt\n2:http://pki.ww-intern.de/certdata/%%1_%%3%%4.crt\n2:LDAP:///CN=%%7,CN=AIA,CN=Public Key Services,CN=Services,%%6%%11"

Now I have some questions about the parameters before the protocol value.

In AIA I get the parameter value 1 for file or LDAP when I take it out of the
table for AIA properties:
Include in the AIA extension of issued certificates = 1, recommendation set
Include in the online certificate status protocol (OCSP) extension = 2,
recommendation clear

In the Best Practices document the script is displayed with parameter 2 for
both values. Is this an error in the document, or do I make a mistake in
calculating the parameter values? The same problems are in the CDP extensions
and in AIA and CDP for the Policy and Issuing CAs.

Can someone define the correct procedure?


For the Issuing CA I want to set the HTTP path in first place in the
distribution points (as displayed in the document). If there is an XP client
with membership in the AD domain, is the order of the CDP or AIA extensions as
displayed, or is for the XP domain member the first distribution point the
LDAP path, independent of the definition on the CA?

Thank you for your help

Ingo
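The number in front of each URL in the certutil strings above is a bitmask of the CSURL_* flag values from certsrv.h. As an added example (not part of the original post), this Python helper encodes flag names into that number, decodes a number read back from an existing CA, and assembles a -setreg value in the post's file/HTTP/LDAP order; the flag table is the one from certsrv.h, the hostname pki.ww-intern.de and the URL templates are the post's, and the doubled %% of the batch script is written as a single % here because nothing expands it in this helper.

```python
# Added example, not from the original post: the number before each URL in
# CA\CRLPublicationURLs and CA\CACertPublicationURLs is a bitmask of the
# CSURL_* flags from certsrv.h. Encode names to that number, decode a number
# read back with "certutil -getreg", and assemble the value given to -setreg.
CSURL_FLAGS = {
    "SERVERPUBLISH": 0x01,       # publish the CRL / CA certificate to this location
    "ADDTOCERTCDP": 0x02,        # CRL value: include in all CRLs; AIA value: include in AIA ext
    "ADDTOFRESHESTCRL": 0x04,    # CRL value: include in CRLs so clients can find delta CRLs
    "ADDTOCRLCDP": 0x08,         # CRL value: include in CDP extension of issued certificates
    "PUBLISHRETRY": 0x10,        # retry a failed publication
    "ADDTOCERTOCSP": 0x20,       # AIA value: include in the OCSP extension
    "SERVERPUBLISHDELTA": 0x40,  # CRL value: publish delta CRLs to this location
    "ADDTOIDP": 0x80,            # CRL value: include in IDP extension of issued CRLs
}

SEP = r"\n"  # the literal two characters certutil expands into a list separator


def encode(*flag_names):
    """Sum the named flags into the numeric prefix certutil expects."""
    return sum(CSURL_FLAGS[name] for name in flag_names)


def decode(prefix):
    """Names of the flags set in a prefix, for reviewing an existing CA config."""
    return [name for name, bit in CSURL_FLAGS.items() if prefix & bit]


def build_setreg_value(entries):
    """(flags, url) pairs -> the quoted string for -setreg. The %1..%11 tokens
    are expanded by the CA at publication time; double them (%%3) in a .cmd file."""
    return SEP.join(f"{flags}:{url}" for flags, url in entries)


def parse_setreg_value(value):
    """Inverse of build_setreg_value: split a value back into (flags, url) pairs."""
    return [(int(p), u) for p, u in (item.split(":", 1) for item in value.split(SEP))]


# Constructed from the post's offline root CA layout: file, then HTTP, then LDAP.
ROOT_CRL_URLS = build_setreg_value([
    (encode("SERVERPUBLISH"), r"%WINDIR%\system32\CertSrv\CertEnroll\%3%8%9.crl"),
    (encode("ADDTOCRLCDP"), "http://pki.ww-intern.de/certdata/%3%8%9.crl"),
    (encode("ADDTOCRLCDP", "ADDTOCERTCDP"),
     "LDAP:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10"),
])

if __name__ == "__main__":
    print(f'certutil -setreg CA\\CRLPublicationURLs "{ROOT_CRL_URLS}"')
    for flags, url in parse_setreg_value(ROOT_CRL_URLS):
        print(flags, decode(flags), url)
```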

