Certificate Revocation Checking in Test Labs

Published on 3 Aug. 2010 / Last Updated on 3 Aug. 2010

The steps towards a few procedures you can use to simplify CRL checking in your lab environment.

Introduction

I remember the struggles we went through to create test labs many years ago. In the 1990s, computers were not nearly as inexpensive as they are today, and it took a lot of money to put together even a few computers for a test lab. Sometimes we found that we had to do our testing in our production environment, simply because we couldn’t afford the hardware for a proper test environment. As you can imagine, this caused some weeping and wailing and gnashing of teeth on occasion. But there weren’t so many choices because disk imaging software either wasn’t available or wasn’t very reliable, and there was no viable server virtualization solution. We did the best we could with what we had.

The world has changed a lot in the last 15 years, and at least in some ways, for the better. One of the most significant changes is related to desktop and server virtualization. Using tools such as VMware or Microsoft Hyper-V, we can now purchase a moderately powerful server with a Nehalem-based processor and 16GB+ of RAM and run very sophisticated tests that can accurately simulate our physical deployments.

However, there are still some things that can be problematic when you are working with test labs, and PKI is always at the top of that list. The Public Key Infrastructure is an important consideration in any test lab because certificates are used in so many scenarios when testing Microsoft products and technologies. And one of the trickiest parts of PKI is availability of the certificate revocation list (CRL). That’s because some solutions require a successful CRL check and some don’t. The problem is that Microsoft documentation does not always make it clear which is the case for a particular scenario, so you end up having to guess whether it is required or not (or worse, going through the entire configuration process and finding that it doesn’t work).

One approach is to disable CRL check failures by removing any references to a CRL distribution point in the certificates delivered to clients. When you do this, the CRL checks won’t fail because there isn’t anywhere to check. Of course, this decreases security so you wouldn’t generally want to do it in a production environment, but in a testbed where trust is not an issue, there are several ways you can do this.

If you don’t want to disable CRL checking in your environment, you can create your own CRL distribution points for the test lab and then configure the certificate server to include these CRL DPs in the certificates it issues.

First, we’ll describe two methods for disabling CRL checking.

Disabling CRL Checking

In the first method, we configure the Certificate Authority to not include the location information for the CRL distribution point in the certificates it issues. To do this, go to the Administrative Tools menu and click Certification Authority.


Figure 1

In the Certificate Authority console, right click the name of the server in the left pane and then click Properties.


Figure 2

In the Properties dialog box for the certificate server, click the Extensions tab. Notice in the Select extension drop-down box that it says CRL Distribution Point (CDP). Under that you will see four locations. Notice that the first location is selected. Make sure that none of the checkboxes are selected in the lower part of the dialog box. There should NOT be a checkmark in either Publish CRLs to this location or Publish Delta CRLs to this location.


Figure 3

Click the second entry on the list, as seen in the figure below. Make sure there are NO checkmarks in the following checkboxes: Publish CRLs to this location, Include in the CDP extension of issued certificates and Publish Delta CRLs to this location.


Figure 4

Click the third entry on the list. Make sure there are NO checkmarks in the following checkboxes: Include in CRLs. Clients use this to find Delta CRL locations, Include in the CDP extension of issued certificates and Include in the IDP extension of issued CRLs.


Figure 5

Click the fourth location. Make sure there are no checkmarks in any of the checkboxes, as seen in the figure below.


Figure 6

Click OK after making the changes. You might be asked to restart Certificate Services; if so, go ahead and do that.

The above procedure allows you to configure it so that all certificates delivered by the CA will exclude this information. But maybe you want to do this only for a specific certificate template and not for all the certificates issued by the CA. In this scenario, you can create or configure a certificate template to exclude the CRL DP information on the certificates issued using that particular template.
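As an added example that is not part of the original article, the same CA-wide change can be scripted from an elevated PowerShell prompt on the CA. It reads the CA’s CRLPublicationURLs value from the CertSvc registry key, clears the bits that place CDP and IDP URLs into issued certificates and CRLs (the same checkboxes cleared in Figures 3 to 6), restarts the service, and then dumps a freshly issued certificate to confirm the extension is gone; the certificate path at the end is a placeholder.

```powershell
# Added example, not from the original article. Run elevated on the CA.
# The CertSvc "Active" value names the CA whose configuration key we edit.
$base   = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName = (Get-ItemProperty -Path $base -Name Active).Active
$key    = Join-Path $base $caName

# Each CRLPublicationURLs entry is "<flags>:<url>". Documented flag bits:
#   1   = Publish CRLs to this location
#   2   = Include in the CDP extension of issued certificates
#   4   = Include in CRLs. Clients use this to find Delta CRL locations
#   64  = Publish Delta CRLs to this location
#   128 = Include in the IDP extension of issued CRLs
# Clearing 2, 4 and 128 leaves the CA publishing CRLs locally but puts no
# CDP/IDP URL into issued certificates or CRLs, so clients have nowhere to check.
$stripBits = 2 -bor 4 -bor 128

$urls = (Get-ItemProperty -Path $key -Name CRLPublicationURLs).CRLPublicationURLs
$newUrls = foreach ($entry in $urls) {
    $flags, $url = $entry -split ':', 2        # split only on the first colon
    $clean = [int]$flags -band (-bnot $stripBits)
    "${clean}:$url"
}
Set-ItemProperty -Path $key -Name CRLPublicationURLs -Value ([string[]]$newUrls)

# The CA reads CRLPublicationURLs at start-up, so restart it.
Restart-Service CertSvc

# Check: a certificate issued after the restart should print nothing here.
# 'C:\temp\issued.cer' is a placeholder for a certificate issued by this CA.
certutil -dump 'C:\temp\issued.cer' | Select-String 'CRL Distribution Points'
```

Certificates issued before the restart keep the CDP they were issued with, so re-issue any test certificates after the change.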

To see how this works, click Start, then in the Search box type MMC and press ENTER.


Figure 7

In the new MMC, click the File menu and select Add/Remove Snap-in… Add the Certificate Templates snap-in as seen in the figure below.


Figure 8

In the Certificate Templates console, click on the Certificate Templates node in the left pane. In the right pane of the console, right click on a certificate template and click Properties.


Figure 9

In the Properties dialog box of the certificate template, click on the Server tab. On the Server tab you’ll see an option for Do not include revocation information in issued certificates (Applicable only for Windows Server 2008 R2 and above). When you select this option, certificates issued using this template will not include certificate revocation information and certificate revocation checks against these certificates will not fail.


Figure 10

Creating a CRL Distribution Point for Your Test Lab

If you don’t want to disable CRL checking in your environment, you can create your own CRL distribution points for the test lab and then configure the certificate server to include these CRL DPs in the certificates it issues. The first step is to configure the CA to point to the CRL Distribution Point that you’re going to create. The second general step is to create the CRL DP and publish the CRL to the CRL DP location.

Let’s begin by configuring the CRL Distribution Point settings on the Certification Authority. Because the steps are very detailed and precise for configuring the CA and the CRL Distribution Point itself, we’ll move to a step by step approach here so that we can be sure we don’t miss any steps.

  1. On the computer hosting the Certification Authority, click Start, point to Administrative Tools, and then click Certification Authority.
  2. In the left pane of the console, right click on server name and click Properties.
  3. In the Properties dialog box, click the Extensions tab.
  4. On the Extensions tab, click Add. In the Location field, type the URL that clients can use to connect to the CRL Distribution Point using an HTTP connection. In this example, we’ll use http://crl.corp.contoso.com/crld/. Make sure you have a DNS entry that maps this FQDN to the server that hosts the CRL Distribution Point. We’ll create the path and bind this to the web site later in this article.
  5. In the Variable field, click <CAName>, and then click Insert.
  6. In the Variable field, click <CRLNameSuffix>, and then click Insert.
  7. In the Variable field, click <DeltaCRLAllowed>, and then click Insert.
  8. In the Location field, type .crl at the end of the Location string, and then click OK.


Figure 11

  9. Select Include in CRLs. Clients use this to find Delta CRL locations and Include in the CDP extension of issued certificates, and then click Apply. Click No in the dialog box that asks you to restart Active Directory Certificate Services.
  10. Click Add.
  11. In the Location field, type the UNC path to the file share that will host the CRL Distribution Point. In this example we’ll use \\app1\crldist$\, where app1 is the name of the server that will host the CRL Distribution Point and the path of the share hosting the CRL DP is \crldist$. We will configure these locations in the next general step.
  12. In Variable, click <CAName>, and then click Insert.
  13. In Variable, click <CRLNameSuffix>, and then click Insert.
  14. In Variable, click <DeltaCRLAllowed>, and then click Insert.
  15. In Location, type .crl at the end of the string, and then click OK.


Figure 12

  16. Select Publish CRLs to this location and Publish Delta CRLs to this location, and then click OK.


Figure 13

  17. Now click Yes to restart Active Directory Certificate Services.
  18. Close the Certification Authority console.

Now let’s create a Web-based CRL Distribution Point on the machine where you want to host the CRL. We will create a web-based CRL Distribution Point so that clients can access the CRL over an HTTP connection.

  1. On the machine where you want to host the CRL, click Start and point to Administrative Tools. Click Internet Information Services (IIS) Manager.
  2. In the left pane of the console, navigate to <computer_name>\Sites\Default Web Site. Right click Default Web Site and click Add Virtual Directory.


Figure 14

  3. In the Add Virtual Directory dialog box, in the Alias text box, enter CRLD (this can be any name you like; we use CRLD in this example). Next to the Physical path text box, click the ellipsis “…” button.


Figure 15

  4. In the Browse for Folder dialog box, click the Local Disk (C:) entry and then click Make New Folder.
  5. Enter CRLDist to name the folder and press ENTER. Click OK in the Browse for Folder dialog box.


Figure 16

  6. Click OK in the Add Virtual Directory dialog box.


Figure 17

  7. In the middle pane of the console, double click Directory Browsing.
  8. In the right pane of the console, click Enable.


Figure 18

  9. In the left pane of the console, click the CRLD folder.
  10. In the middle pane of the console, double click the Configuration Editor icon.
  11. Click the down-arrow for the Section drop-down list and navigate to system.webServer\security\requestFiltering.
  12. In the middle pane of the console, double click the allowDoubleEscaping entry to change the value from False to True.


Figure 19

  13. In the right pane of the console, click Apply.


Figure 20

  14. Close the Internet Information Services (IIS) Manager console.

Next, we need to configure permissions on the CRL Distribution Point file share. Here we will configure file share permissions on the CRL Distribution Point folder we just created.

  1. On the computer hosting the CRL DP, click Start and then click Computer.
  2. Double click Local Disk (C:).
  3. In the right pane of Windows Explorer, right click CRLDist folder and click Properties.
  4. In the CRLDist Properties dialog box, click the Sharing tab. On the Sharing tab, click the Advanced Sharing button.
  5. In the Advanced Sharing dialog box, put a checkmark in the Share this folder checkbox.
  6. In the Share name text box, add a $ to the end of the share name, so that the share name reads CRLDist$.
  7. In the Advanced Sharing dialog box, click the Permissions button.
  8. In the Permissions for CRLDist$ dialog box, click Add.


Figure 21

  9. In the Select Users, Computers, Service Accounts, or Groups dialog box, click the Object Types button.
  10. In the Object Types dialog box, put a checkmark in the Computers checkbox and then click OK.
  11. In the Select Users, Computers, Service Accounts, or Groups dialog box, in the Enter the object names to select text box, enter the name of the computer that hosts the Certification Authority and then click Check Names. Click OK.
  12. In the Permissions for CRLDist$ dialog box, select the name of the computer that is hosting Certificate Services from the Group or user names list. In the Permissions section, put a checkmark in the Allow checkbox for Full Control. Click OK.


Figure 22

  13. In the Advanced Sharing dialog box, click OK.
  14. In the CRLDist Properties dialog box, click the Security tab.
  15. On the Security tab, click Edit.
  16. In the Permissions for CRLDist dialog box, click the Add button.
  17. In the Select Users, Computers, Service Accounts, or Groups dialog box, click the Object Types button.
  18. In the Object Types dialog box, put a checkmark in the Computers checkbox. Click OK.
  19. In the Select Users, Computers, Service Accounts, or Groups dialog box, in the Enter the object names to select text box, enter the name of the computer that hosts the Certification Authority and click Check Names. Click OK.
  20. In the Permissions for CRLDist dialog box, select the name of the computer that is hosting Certificate Services from the Group or user names list. In the Permissions section, put a checkmark in the Allow checkbox next to Full control. Click OK.


Figure 23

  21. Click Close in the CRLDist Properties dialog box.
  22. Close the Windows Explorer window.

Now you need to publish the CRL information to the distribution point you created. This requires you to go to the certificate authority and manually publish the CRL.

  1. At the computer hosting your Certificate Authority, click Start and point to Administrative Tools. Click Certification Authority.
  2. In the left pane of the console, double click the server name and then right click Revoked Certificates, point to All Tasks, and then click Publish.
  3. In the Publish CRL dialog box, select the New CRL option and click OK.
  4. Click Start and then in the Search programs and files text box, enter \\<computer_name>\CRLDist$ and press ENTER. In this case, the <computer_name> is the name of the computer you configured to host the CRL.
  5. In the Windows Explorer window, you should see two files in the CRL DP file share.


Figure 24

  6. Close the Windows Explorer window.
  7. Close the Certification Authority console.
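The whole CRL Distribution Point procedure above (CA extension settings, share and NTFS permissions, IIS virtual directory, and publishing), as an added scripted example that is not from the original article. It assumes the CA runs on a host named CA1 in the CORP domain, the CRL is hosted on app1 as in the article, and crl.corp.contoso.com already resolves to app1; the certutil steps run on the CA and the share and IIS steps on app1, all from an elevated PowerShell prompt.

```powershell
# Added example, not from the original article. Host names CA1/app1 and the
# CORP domain are assumptions; crl.corp.contoso.com comes from the article.

# ---- On the CA (CA1): the CDP locations and the flags the dialog checkboxes set ----
#   6  = Include in the CDP extension of issued certificates (2)
#        + Include in CRLs so clients can find Delta CRLs (4)
#   65 = Publish CRLs to this location (1) + Publish Delta CRLs to this location (64)
# %3 = <CAName>, %8 = <CRLNameSuffix>, %9 = <DeltaCRLAllowed> (the "+" on delta CRLs)
$cdp = @(
    '65:C:\Windows\system32\CertSrv\CertEnroll\%3%8%9.crl'   # default local copy
    '6:http://crl.corp.contoso.com/crld/%3%8%9.crl'          # HTTP URL placed in issued certs
    '65:\\app1\crldist$\%3%8%9.crl'                          # UNC share the CA publishes to
)
# certutil treats a literal "\n" in the argument as the multi-string separator.
certutil -setreg CA\CRLPublicationURLs ($cdp -join '\n')
Restart-Service CertSvc

# ---- On the CRL host (app1): folder, hidden share and NTFS rights for CA1's computer account ----
New-Item -ItemType Directory -Path C:\CRLDist -Force | Out-Null
net share 'CRLDist$=C:\CRLDist' '/GRANT:CORP\CA1$,FULL'
icacls C:\CRLDist /grant 'CORP\CA1$:(OI)(CI)F'

# ---- On app1: IIS virtual directory CRLD with directory browsing and double escaping ----
# allowDoubleEscaping is needed because delta CRL file names end in "+", which
# IIS request filtering rejects by default.
Import-Module WebAdministration
New-WebVirtualDirectory -Site 'Default Web Site' -Name CRLD -PhysicalPath C:\CRLDist
$vd = 'IIS:\Sites\Default Web Site\CRLD'
Set-WebConfigurationProperty -PSPath $vd -Filter /system.webServer/directoryBrowse `
    -Name enabled -Value $true
Set-WebConfigurationProperty -PSPath $vd -Filter /system.webServer/security/requestFiltering `
    -Name allowDoubleEscaping -Value $true

# ---- Back on CA1: publish a new CRL, then confirm the files landed and a cert chains with fetching ----
certutil -crl
Get-ChildItem '\\app1\CRLDist$'                # expect the base CRL and the delta (+) CRL
certutil -verify -urlfetch 'C:\temp\issued.cer' # placeholder path: any cert issued by this CA
```

The -urlfetch check is the quickest way to see which CDP URL a client will actually follow and whether it answers over HTTP.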

Summary

In this article, we outlined the steps for a few procedures you can use to simplify CRL checking in your lab environment. We began with a couple of methods that will essentially disable CRL check failures for your test lab. Then we went through a more detailed procedure where you actually put up a CRL Distribution Point so that certificate checks will not fail, since the CRL will actually be available. I should note that these CRL checks will work for intranet clients in your test lab. If you have clients that will be outside your intranet, you’ll have to figure out a way to publish the internal CRL to those external test lab users. This can get a little complex, so I can’t really cover the infinite number of scenarios here. Send me a note if there’s a particular scenario you’re interested in and I’ll do an article on how to make publishing the CRL work for your scenario. Thanks! –Deb.
