Solved

Windows Enterprise CA configuring CDP and AIA to download the Certs/CRLs automatically from third party

Posted on 2011-03-06
Last Modified: 2012-05-11
Hello

We have a Windows 2008 Enterprise Root CA.
We've been downloading the certs and CRLs manually from our third party partner and importing them.

They now provide the certs and CRLs via LDAP, so cert and CRL retrieval can be automated, and they advised us to use Tumbleweed or CAPI to automate the process.

What do I need to do to make the cert and CRL retrieval from the third party work via LDAP? Can this be done natively in Windows, or do I need special software/a server?

Do I just add the CDP and AIA paths in:
certificate authority's extensions tab:
select "CRL Distribution Point (CDP)" > Add > 
Add the third party's LDAP path as LDAP://...

certificate authority's extensions tab:
Select "Authority Information Access (AIA)" > Add >
Add the third party's LDAP path as LDAP://...

For the OCSP,
certificate authority's extensions tab:
Select "Authority Information Access (AIA)" > Add >
Add the third party's OCSP site http://...?
Question by:Lindows

3 Comments

Expert Comment

by:btan
ID: 35129805
I understand that it can be done via CAPI code; see this link:
http://social.msdn.microsoft.com/Forums/en-US/windowssecurity/thread/0bdea687-7b5a-493b-b46a-87f8df5049a4

Also, Windows 2008 has built-in support for OCSP checking for client applications running on that Windows 2008 server. The .NET Framework provides the ability to validate certificates and certificate chains in more ways than one;
see this: http://social.msdn.microsoft.com/Forums/en/windowssecurity/thread/f2957b74-2438-41f0-a290-8196474f9ef2

Overall, this link summarises it all, but look specifically at the revocation check and crypto API sections.

http://technet.microsoft.com/en-us/library/cc700843.aspx
Author Comment

by:Lindows
ID: 35144881
This had excellent info, thanks - http://technet.microsoft.com/en-us/library/cc700843.aspx

It makes more sense now; however, I'm new when it comes to this, so I'm not sure how to go about actually implementing it.

What are Tumbleweed and CAPI? Do I need third-party software/a client for Tumbleweed and CAPI?

Accepted Solution

by:
btan earned 500 total points
ID: 35148235
Actually, Tumbleweed is a third-party solution implementing the Cryptographic Application Programming Interface (CAPI). CAPI is supported natively in Windows, and developers use it for crypto and public key infrastructure operations, which include the certificate domain. You can try googling 'tumbleweed and capi'.
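An added example, not posted in this thread, of the .NET/CAPI chain validation btan refers to, run from PowerShell on the CA or any domain member: it builds the chain for a partner-issued certificate with online revocation checking, so CAPI itself fetches the CRL/OCSP data from the CDP and AIA URLs carried in the partner's certificates. The certificate path is an assumed placeholder.

```powershell
# Added example (not from the thread): validate a partner-issued certificate through
# the Windows chain engine (CAPI, reached via .NET's X509Chain) with online
# revocation checking. In Online mode CAPI downloads CRLs and OCSP responses from the
# CDP/AIA URLs embedded in each certificate of the chain (LDAP:// or http://) and
# caches them locally, so no separate download job is needed for that path.
# Assumption: the partner certificate was exported to the placeholder path below.
$certPath = 'C:\partner\partner-cert.cer'   # placeholder path, adjust

$cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $certPath
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain

$chain.ChainPolicy.RevocationMode      = 'Online'       # fetch CRL/OCSP; 'Offline' uses the cache only
$chain.ChainPolicy.RevocationFlag      = 'EntireChain'  # check every certificate, not only the leaf
$chain.ChainPolicy.UrlRetrievalTimeout = New-TimeSpan -Seconds 30
$chain.ChainPolicy.VerificationTime    = Get-Date

$ok = $chain.Build($cert)
"Chain valid: $ok"

# Per-certificate status. RevocationStatusUnknown or OfflineRevocation means the CRL
# or OCSP responder could not be reached, which is the symptom of a wrong or
# unreachable LDAP/HTTP path in the partner's CDP/AIA extensions.
foreach ($element in $chain.ChainElements) {
    $statuses = $element.ChainElementStatus | ForEach-Object { $_.Status }
    if (-not $statuses) { $statuses = 'OK' }
    "{0}`n    status: {1}" -f $element.Certificate.Subject, ($statuses -join ', ')
}

# Chain-level status with the text CAPI attaches to each flag
foreach ($s in $chain.ChainStatus) {
    "{0}: {1}" -f $s.Status, $s.StatusInformation.Trim()
}
$chain.Reset()

# The same check from the command line, reporting each CDP/AIA URL it tried:
#   certutil -verify -urlfetch C:\partner\partner-cert.cer
```

Run it once after the partner switches to LDAP publication: a chain that builds with no revocation status flags confirms CAPI can reach their CRLs without any manual import.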