Friday, April 27, 2012 19:32
When using an LDAP reference in the CDP for an Enterprise CA, does this mean all DCs in a domain will have CRL information that a client machine can retrieve? Given this is true, do all DCs then need to be Windows Enterprise edition? I also intend to use an HTTP entry.
My plans are to utilize LDAP as primary and HTTP as secondary CRL lookups.
What would an LDAP CRL be, for example, if the domain is test.me.com?
Last question: do all DCs need to be Enterprise edition if using an Enterprise CA with templates?
All replies
Friday, April 27, 2012 20:35
Best practice is to use HTTP first, not LDAP. In fact, the latest white paper on revocation checking recommends only using one HTTP URL for both AIA and CDP and OCSP and making sure that it is hosted on a highly available web cluster. (http://technet.microsoft.com/en-us/library/ee619730(WS.10).aspx)
The DCs do not have to be Windows Enterprise. All DCs by their very definition will have a copy of the Configuration naming context where the AIA and CDP containers exist.
Assuming that the domain test.me.com is the forest root domain (where the configuration naming context is), then you would use the default syntax for LDAP URLs. This would be ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10
%6 would be translated to your configuration DN, which would be CN=Configuration,DC=test,DC=me,DC=com
P.S. I wrote the white paper.
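To show how the default LDAP CDP template above expands for test.me.com, here is an added example (not code from the thread or from AD CS itself) that substitutes the standard certutil %n variables; the server name CA01 and CA name TestRootCA are constructed placeholders, and the CA name is assumed short enough that %7 (the truncated name) equals %3.

```python
import re

# Added example, not from the thread. Default CDP templates as written by AD CS;
# %n tokens are the standard certutil substitution variables.
DEFAULT_LDAP_CDP = "ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10"
DEFAULT_HTTP_CDP = "http://%1/CertEnroll/%3%8%9.crl"

# %10 CDPObjectClass: the LDAP query suffix that selects the CRL attribute.
CDP_OBJECT_CLASS = "?certificateRevocationList?base?objectClass=cRLDistributionPoint"


def config_container_dn(forest_root_dns: str) -> str:
    """Build the Configuration naming-context DN (%6) from the forest root DNS name."""
    labels = [p for p in forest_root_dns.strip(".").split(".") if p]
    if not labels:
        raise ValueError("forest root DNS name needs at least one label")
    return "CN=Configuration," + ",".join(f"DC={p}" for p in labels)


def cdp_variables(forest_root_dns: str, server_short_name: str, ca_name: str,
                  crl_suffix: str = "", delta_crl: bool = False) -> dict:
    """Map the %n variables to concrete values for one CA and one CRL.

    crl_suffix is %8 (empty for the first CA key, "(1)" after a key renewal);
    delta_crl sets %9, which is "+" only when publishing a delta CRL.
    Assumption: the CA name is at most 32 characters, so %7 == %3 (no hash truncation).
    """
    if len(ca_name) > 32:
        raise ValueError("CATruncatedName (%7) needs hash truncation; not modelled here")
    return {
        "%1": f"{server_short_name}.{forest_root_dns}",  # ServerDNSName (constructed host)
        "%2": server_short_name,                         # ServerShortName
        "%3": ca_name,                                   # CaName
        "%6": config_container_dn(forest_root_dns),      # ConfigurationContainer
        "%7": ca_name,                                   # CATruncatedName (see assumption)
        "%8": crl_suffix,                                # CRLNameSuffix
        "%9": "+" if delta_crl else "",                  # DeltaCRLAllowed
        "%10": CDP_OBJECT_CLASS,                         # CDPObjectClass
    }


def expand(template: str, variables: dict) -> str:
    """Expand every %n token; a regex with greedy digits keeps %10 from being read as %1+'0'."""
    def _sub(m):
        token = m.group(0)
        if token not in variables:
            raise ValueError(f"unknown CDP variable {token}")
        return variables[token]
    return re.sub(r"%\d+", _sub, template)
```

For a domain-joined client the expanded ldap:/// URL resolves against any DC, since the Configuration partition is replicated to all of them; non-domain clients can only follow the HTTP URL.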
Tuesday, May 8, 2012 20:33
That does help.
To clarify my thought process, the CDP would be hosted on a Standard version of 2k8 using Certificate Authority Web Enrollment on an AD member server, where the Enterprise version of Windows issues Enterprise CA certs using templates. I have 2k8 Enterprise in one site and Standard 2k8 in other sites where it is the ideal CDP location. We just don't have the resources to host OCSP at the ideal site at this time.