Do I have to use an FQDN for the CRL server name?

  • Question

  • I have several test domains.  They have no network access to each other.  I'm setting up certificate services for them.  I'd like to share a single (standalone) Root CA and a single standalone Policy CA.  I am wondering if I can:

    • set up a CNAME in each domain's DNS with the same name (e.g. crlserver) pointing to a web server in that domain
    • set up a Site on the web server using a host-header configuration to receive requests to the CNAME address.
    • copy the CRL to each server.
    • and thus set a single entry as the CRL server to use the CNAME name to cover all of the domains.

    So, can I use an FQDN for the CRL server name?

    Wednesday, May 8, 2013 6:56 AM

Answers

  • Revocation checking uses HTTP. HTTP is a DNS-based protocol.

    I would only use FQDNs for the URLs in the AIA and CDP extensions.

    Brian

    ** ONLY YOU CAN KILL WINS

    • Proposed as answer by Brian Komar [MVP] Wednesday, May 8, 2013 4:19 PM
    • Marked as answer by 朱鸿文 Tuesday, May 14, 2013 7:15 AM
    Wednesday, May 8, 2013 4:19 PM
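Brian's advice in configuration form, as an added example that is not from this thread or from Microsoft: the CA's CDP and AIA URLs carry one FQDN, each isolated domain hosts its own copy of that DNS zone with a CNAME to its local web server (the CNAME/host-header layout from the question), and the result is checked with certutil -verify -urlfetch. The names crl.pki.example.com, web01, pki.example.com and C:\inetpub\crl are assumed placeholders; as ondrej suggests, the zone is deliberately not one of the test domains.

```powershell
# Added example, not from the thread: put one FQDN in the CA's CDP/AIA URLs,
# give every isolated domain its own copy of that DNS zone, and verify.
# Assumed placeholder names: crl.pki.example.com (CRL host, in a zone that is
# not one of the test domains), web01.<domain> (that domain's IIS server),
# C:\inetpub\crl (web root that receives the copied .crl/.crt files).
$CrlHost = 'crl.pki.example.com'

# --- On the CA (run as administrator) ---
# CRLPublicationURLs flags: 1 = publish the CRL to this path,
# 2 = include the URL in the CDP extension of issued certificates.
# Tokens: %3 = CA name, %8 = CRL suffix, %9 = delta CRL suffix. The literal
# "\n" separates entries; certutil interprets it, PowerShell leaves it alone.
certutil -setreg CA\CRLPublicationURLs ("1:$env:WINDIR\system32\CertSrv\CertEnroll\%3%8%9.crl\n" +
    "2:http://$CrlHost/CertEnroll/%3%8%9.crl")
# CACertPublicationURLs flags: 1 = publish the CA cert, 2 = include in AIA.
# Tokens: %1 = CA server DNS name, %4 = certificate index.
certutil -setreg CA\CACertPublicationURLs ("1:$env:WINDIR\system32\CertSrv\CertEnroll\%1_%3%4.crt\n" +
    "2:http://$CrlHost/CertEnroll/%1_%3%4.crt")
Restart-Service CertSvc      # new URLs apply to certificates issued from now on
certutil -crl                # publish a fresh CRL to the local path above
# Copy $env:WINDIR\system32\CertSrv\CertEnroll\*.crl and *.crt to each
# domain's C:\inetpub\crl\CertEnroll\ by whatever offline transfer you use.

# --- On the web server in each isolated domain ---
Import-Module WebAdministration
New-Website -Name 'CRL' -PhysicalPath 'C:\inetpub\crl' -Port 80 -HostHeader $CrlHost
# Delta CRL file names contain '+', which IIS rejects unless double escaping is allowed.
Set-WebConfigurationProperty -PSPath 'IIS:\Sites\CRL' `
    -Filter 'system.webServer/security/requestFiltering' -Name allowDoubleEscaping -Value $true

# --- On each isolated domain's DNS server (AD-integrated zone) ---
# The zone exists independently in every domain; only the CNAME target differs.
Add-DnsServerPrimaryZone -Name 'pki.example.com' -ReplicationScope 'Domain'
Add-DnsServerResourceRecordCName -ZoneName 'pki.example.com' -Name 'crl' `
    -HostNameAlias "web01.$env:USERDNSDOMAIN"

# --- On any client in that domain: every CDP/AIA URL in an issued cert must fetch ---
certutil -verify -urlfetch .\issued.cer | Select-String 'Verified|Failed|Revocation'
```

The last line is the check worth keeping: a "Failed" line against a CDP or AIA URL on an isolated network means that domain's zone, CNAME or copied CRL is missing, which is exactly the case where a short name would have hidden the problem until a client outside the domain tried it.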

All replies

  • Yes, you can, but I would rather not use this method. Rather, go for an FQDN instead, and especially a public FQDN. After some time, you will have to be able to access the CRLs from outside of the networks, such as VPN or DirectAccess clients, RD Gateway smart card logon, etc., and it would not work if CRLs are not available publicly. Why not use another FQDN that does not have anything in common with any of the domains and is publicly resolvable (or may be in the future)?

    ondrej.

    Wednesday, May 8, 2013 7:30 AM
  • Thanks for the reply. The networks are isolated test networks. Some don't have any external connectivity. They're not for testing cert. services; they're for testing things that require certs, e.g. code-signed apps. E.g. several of us have entire infrastructures on our own Hyper-V hosts on internal networks, so public servers are not an option.
    Wednesday, May 8, 2013 3:06 PM
  • Hi,

    As this thread has been quiet for a while, we will mark it as ‘Answered’ as the information provided should be helpful. If you need further help, please feel free to reply to this post directly so we will be notified to follow it up. You can also choose to unmark the answer as you wish.

    BTW, we’d love to hear your feedback about the solution. By sharing your experience you can help other community members facing similar problems. Thanks for your understanding and efforts.

    Best Regards

    Kevin

    TechNet Subscriber Support

    If you are a TechNet Subscription user and have any feedback on our support quality, please send your feedback here.

    Tuesday, May 14, 2013 7:16 AM