Should CA publishing CRL be a DNS exception for DA?

  • Question

  • If the DA namespace is mycompany.com and the CA publishing the CRL is ca1.mycompany.com, should that be a DNS exception (clients must always go to it by IPv4?)

    Monday, December 5, 2011 3:00 PM

Answers

  • Correct, if you are using your own CA to publish your IP-HTTPS certificate then yes the CRL needs to be externally available, which means that you must exclude it from the NRPT. However, I highly recommend purchasing a public SSL certificate for IP-HTTPS - there have been way too many problems and forum posts from people who try to publish it themselves for me to ever recommend it this way.
    • Marked as answer by RossJG Friday, December 9, 2011 4:58 PM
    Tuesday, December 6, 2011 7:18 PM
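The reasoning behind this answer can be checked mechanically: an NRPT rule for the DA namespace sends every name under it to the internal DNS servers reachable only through the tunnel, but the IP-HTTPS client must download the CRL before that tunnel exists, so a CRL host inside the namespace needs its own, more specific exemption. The following Python is an added example, not code from the thread or from Microsoft; it models NRPT longest-match behaviour in a simplified way (suffix rules starting with ".", exact-name rules otherwise, most specific match wins) and flags CRL distribution point hosts that would be routed to internal DNS. The DNS server address, hostnames and CRL URLs are constructed for the example.

```python
"""
Simplified model of Windows NRPT (Name Resolution Policy Table) matching, used
to decide whether a CA's CRL distribution point falls inside the DirectAccess
namespace and therefore needs an NRPT exemption.
Added illustration, not Windows' own implementation.
"""
from typing import Dict, List, Optional
from urllib.parse import urlparse

# An NRPT rule maps a namespace to the DNS servers that answer for it.
# Namespaces starting with "." are suffix rules; bare names match one FQDN.
# A value of None is an exemption: the name is resolved by whatever DNS the
# client normally uses (public DNS on the Internet), not through the DA tunnel.
NrptRules = Dict[str, Optional[List[str]]]

# Constructed example: the DA namespace from the question, served by an
# assumed DNS64 address on the DA server.
DA_RULES: NrptRules = {
    ".mycompany.com": ["2001:db8:1::1"],
}


def nrpt_lookup(fqdn: str, rules: NrptRules) -> Optional[List[str]]:
    """Return the DNS servers NRPT would use for fqdn, or None if the name is
    exempted or matches no rule.

    The most specific (longest) matching namespace wins, so an exact-FQDN
    exemption overrides a shorter suffix rule covering the same name.
    """
    name = fqdn.lower().rstrip(".")
    best_key: Optional[str] = None
    for ns in rules:
        ns_l = ns.lower()
        matched = name.endswith(ns_l) if ns_l.startswith(".") else name == ns_l
        if matched and (best_key is None or len(ns_l) > len(best_key)):
            best_key = ns
    return None if best_key is None else rules[best_key]


def crl_hosts_needing_exemption(cdp_urls: List[str], rules: NrptRules) -> List[str]:
    """Hostnames from CRL distribution point URLs that NRPT would send to the
    internal DNS servers. The IP-HTTPS certificate check runs before the tunnel
    is up, so those lookups fail unless the host is exempted."""
    hosts: List[str] = []
    for url in cdp_urls:
        host = urlparse(url).hostname
        if host and nrpt_lookup(host, rules) is not None and host not in hosts:
            hosts.append(host)
    return hosts


def with_exemption(rules: NrptRules, fqdn: str) -> NrptRules:
    """Return a copy of rules with an exact-name NRPT exemption for fqdn."""
    updated = dict(rules)
    updated[fqdn] = None
    return updated


# Constructed CDP URLs: one on the internal CA, one on a public CA.
CDP_URLS = [
    "http://ca1.mycompany.com/CertEnroll/ca1.crl",
    "http://crl.example.net/public-ca.crl",
]

if __name__ == "__main__":
    print("needs exemption:", crl_hosts_needing_exemption(CDP_URLS, DA_RULES))
    fixed = with_exemption(DA_RULES, "ca1.mycompany.com")
    print("after exemption:", crl_hosts_needing_exemption(CDP_URLS, fixed))
```

With the suffix rule alone, `ca1.mycompany.com` is routed to the internal DNS server and is flagged; after adding the exact-name exemption it resolves via public DNS while `www.mycompany.com` still goes through the tunnel, which is the split the answer describes. The public CA's CRL host never matched the namespace, which is one reason the reply favours a publicly issued IP-HTTPS certificate.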

All replies

  • If the CA is signing your IPHTTPS cert, then yes, otherwise, my understanding is no.
    Monday, December 5, 2011 6:22 PM
  • Good to know, thanks Jordan!
    Friday, December 9, 2011 4:58 PM