Solved

Windows Enterprise CA configuring CDP and AIA to download the Certs/CRLs automatically from third party

Posted on 2011-03-06
3
1,072 Views
Last Modified: 2012-05-11
Hello

We have a Windows 2008 Enterprise Root CA.
We've been downloading the certs and CRLs manually from our third party partner and importing them.

They now provide the certs and CRLs via LDAP and thus, the Certs and CRL retrieval can be automated and advised us to use Tumbleweed or CAPI to automate the process.

What do I need to do to make the Certs and CRL retrieval from third party work via LDAP?  Can this be done natively in Windows or do I need a special software/server?

Do I just add the CDP, AIA paths in:
certificate authority's extensions tab:
select "CRL Distribution Point (CDP)" > Add >
Add the third party's LDAP path as LDAP://...

certificate authority's extensions tab:
Select "Authority Information Access (AIA)" > Add >
Add the third party's LDAP path as LDAP://...

For the OCSP,
certificate authority's extensions tab:
Select "Authority Information Access (AIA)" > Add >
Add the third party's OCSP site http://...?
0
Comment
Question by:Lindows
  • 2
3 Comments
 
LVL 61

Expert Comment

by:btan
ID: 35129805
understand that it can be done via capi codes, see this link
http://social.msdn.microsoft.com/Forums/en-US/windowssecurity/thread/0bdea687-7b5a-493b-b46a-87f8df5049a4

also Windows 2008 has built in support for ocsp checking for client applications running on that Windows 2008 server. Net framework provides the ability to validate certificates and certificate chains in more ways than one
see this http://social.msdn.microsoft.com/Forums/en/windowssecurity/thread/f2957b74-2438-41f0-a290-8196474f9ef2

overall, this link summarise all but look specifically at the revocation check and crypto api section.

http://technet.microsoft.com/en-us/library/cc700843.aspx
0
 

Author Comment

by:Lindows
ID: 35144881
This had an excellent info, thanks - http://technet.microsoft.com/en-us/library/cc700843.aspx

It makes more sense however, I'm new when it comes to this so I'm not sure how to go about actually implementing it.

What is tumbleweed and capi?  Do I need a third party software/client for tumbleweed and capi?





0
 
LVL 61

Accepted Solution

by:
btan earned 500 total points
ID: 35148235
actually tumbleweed is third party solution implementing cryptographic application interface (capi). capi is supported natively in windows and developer used it for crypto and public key infrastructure operations that include certificate domain. can try google 'tumbleweed and capi'
0

Join & Write a Comment

Disabling the Directory Sync Service Account in Office 365 will stop directory synchronization from working.
Synchronize a new Active Directory domain with an existing Office 365 tenant
This tutorial will show how to push an installation of Backup Exec to an additional server in both 2012 and 2014 versions of the software. Click on the Backup Exec button in the upper left corner. From here, select Installation and Licensing, then I…
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…

743 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now