Publishing a CRL to a UNC path - unsupported?

  • Question

  • I was involved in a Microsoft PKI Healthcheck recently. The Microsoft technician said that although publishing a CRL to a UNC path does work, it is not supported by Microsoft, so he recommended against it. He suggested using scheduled scripts to copy the CRL to the share instead.

    The MS technician was VERY competent, so I assume he was right.

    Does anyone know why it is unsupported? Lack of error handling perhaps?


    Tom Aafloen, IT-security Consultant Onevinn AB
    Thursday, December 15, 2011 10:19 AM

Answers

  • UNC paths are supported (and moreover, they are recommended) for file publishing. UNC paths are not supported for certificate retrieval. One of the best schemes is to publish files to:

    \\dfsnamespace\sharename\<filename_andoptions>.crl

    and attach this share to a web server, so the full path is something like this:

    http://webservername.com/sharename/<filename_andoptions>.crl

    > Anyone knows why it is unsupported?

    You should ask Microsoft Support for this. My thought (just a thought, this is not an official response) is that UNC URL support was deprecated due to limited use. Since UNC paths are accessible (in most cases) only within a private network and certificates are usually used in external networks too, it is reasonable to maintain only those protocols that can be routed between internal and external networks.


    My weblog: http://en-us.sysadmins.lv
    PowerShell PKI Module: http://pspki.codeplex.com
    Windows PKI reference: on TechNet wiki
    • Marked as answer by Tom Aafloen Thursday, December 15, 2011 12:52 PM
    Thursday, December 15, 2011 11:29 AM

All replies

  • That method was used as part of the WSSRA for Windows Server 2003, so I'd be surprised if it is not supported...

    Extract from the build scripts:

    ...

    REM UNC shares the CA publishes CRLs to (file:// publishing only; the CDP extension carries the HTTP URLs)
    SET myInternalPKIshare1=\\CustomerXWeb1\WWWPKIpub
    SET myInternalPKIshare2=\\CustomerXWeb2\WWWPKIpub
    ...

    REM 65 = 1 (publish CRL here) + 64 (publish delta CRL here); flag 2 (include in issued certs' CDP) is deliberately absent
    REM %3 = CA name, %8 = CRL name suffix, %9 = delta CRL suffix; "\n" separates entries in the multi-string value
    certutil -setreg CA\CRLPublicationURLs "+65:file://%myInternalPKIshare1%\%%3%%8%%9.crl\n"
    certutil -setreg CA\CRLPublicationURLs "+65:file://%myInternalPKIshare2%\%%3%%8%%9.crl\n"

    Cheers

    JJ


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Thursday, December 15, 2011 12:31 PM
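The question above relays the technician's alternative (a scheduled script copying the CRL to the share) and the replies show the file:// publishing it would replace. The script below is an added example, not code from the thread or from any of its authors: it copies the CA's current CRL and delta CRL files from its local CertEnroll folder to the same two shares Jason's batch extract names, verifies each copy by SHA-256 hash, and logs the outcome so a monitoring job can alert when a share is unreachable. The source folder, the share names and the log path are assumptions, not values from the thread; Get-FileHash needs PowerShell 4.0 or later.

```powershell
<#
  Added example, not code from the thread. Scheduled-copy publishing of CRLs
  to UNC shares, the approach the MS technician suggested instead of file://
  URLs in CRLPublicationURLs. Assumptions (placeholders): the CA's CertEnroll
  folder as source, the two share names, and the log path.
#>
param(
    [string]   $Source  = "$env:SystemRoot\System32\CertSrv\CertEnroll",
    [string[]] $Targets = @('\\CustomerXWeb1\WWWPKIpub', '\\CustomerXWeb2\WWWPKIpub'),
    [string]   $LogPath = "$env:ProgramData\CrlPublish\publish.log"
)

function Write-Log {
    param([string]$Message)
    $dir = Split-Path -Parent $LogPath
    if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir -Force | Out-Null }
    Add-Content -Path $LogPath -Value ("{0:u} {1}" -f (Get-Date), $Message)
}

function Test-CrlFile {
    # certutil -dump returns non-zero for a file it cannot parse, so a truncated
    # or half-written source file is never propagated to the shares.
    param([string]$Path)
    & certutil.exe -dump $Path | Out-Null
    return ($LASTEXITCODE -eq 0)
}

function Publish-CrlFile {
    # Returns 'unchanged' or 'updated'; throws if the copy does not verify.
    param([System.IO.FileInfo]$File, [string]$Target)
    $dest    = Join-Path $Target $File.Name
    $srcHash = (Get-FileHash -Path $File.FullName -Algorithm SHA256).Hash
    if (Test-Path $dest) {
        if ((Get-FileHash -Path $dest -Algorithm SHA256).Hash -eq $srcHash) { return 'unchanged' }
    }
    # Copy under a temporary name and rename into place, so a client fetching
    # through the web server fronting the share never reads a partial CRL.
    $tmp = "$dest.tmp"
    Copy-Item -Path $File.FullName -Destination $tmp -Force
    if ((Get-FileHash -Path $tmp -Algorithm SHA256).Hash -ne $srcHash) {
        Remove-Item -Path $tmp -Force
        throw "hash mismatch after copy to $tmp"
    }
    Move-Item -Path $tmp -Destination $dest -Force
    return 'updated'
}

$crls = Get-ChildItem -Path $Source -Filter '*.crl' -File
if (-not $crls) { Write-Log "ERROR no CRL files found in $Source"; exit 1 }

$failed = 0
foreach ($target in $Targets) {
    if (-not (Test-Path $target)) {
        Write-Log "ERROR share unreachable: $target"
        $failed++
        continue
    }
    foreach ($crl in $crls) {
        if (-not (Test-CrlFile -Path $crl.FullName)) {
            Write-Log "ERROR unparseable CRL skipped: $($crl.FullName)"
            $failed++
            continue
        }
        try {
            $result = Publish-CrlFile -File $crl -Target $target
            Write-Log "$result $($crl.Name) -> $target"
        } catch {
            Write-Log "ERROR $($crl.Name) -> $target : $_"
            $failed++
        }
    }
}
# Non-zero exit surfaces as the task's "last run result" in Task Scheduler.
exit $failed
</code>
```

Run it as a scheduled task that fires shortly after the CA's CRL and delta CRL publication times, under an account with write access to the shares only. When switching to this approach, inspect the CA's existing entries with `certutil -getreg CA\CRLPublicationURLs` and make sure the share entries no longer carry flag 1 or 64 (so the CA and the script do not both write the same file) while the HTTP URL keeps flag 2, since, as the accepted answer notes, UNC paths are for publishing and not for client retrieval.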