Standalone CA's and CRL

Gunna

When setting up a standalone CA on Server 2003 Standard you can select the LDAP CRL publish location, but since it is not an Enterprise CA, does it still publish the CRL into Active Directory?

Reason I ask is I created a standalone Root CA on a Server 2003 Standard domain member. Then I created a standalone subordinate on a Server 2003 Standard domain member and it complained about not being able to check the CRL when I grabbed the cert from the Root. I understood this meant either the CRL isn't published or not reachable. Any ideas?

Brian Komar (MVP)

You can select the publication point, but:
1) You must manually configure the LDAP path DSConfigDN, where you define the %6 value to be the Configuration naming context.
2) You must manually publish the CRL to the CDP location (and AIA if defined) using certutil -dspublish.

The standalone subordinate will not be able to get the CRL from the LDAP path (if you use defaults): the standalone has no idea about DCs and cannot resolve an LDAP:/// path to be the nearest DC.
So you must manually inject the updated root CRL into the cache by using
certutil -addstore root rootcrl.crl

Brian

"Gunna" <Gunna@discussions.microsoft.com> wrote in message
news:B68CFB03-B42E-476C-A3D9-9FE5A937E3DC@microsoft.com...
> When setting up a standalone CA on Server 2003 Standard you can select the
> LDAP CRL publish location, but since it is not an Enterprise CA, does it
> still publish the CRL into Active Directory?
>
> Reason I ask is I created a standalone Root CA on a Server 2003 Standard
> domain member. Then I created a standalone subordinate on a Server 2003
> Standard domain member and it complained about not being able to check the
> CRL when I grabbed the cert from the Root. I understood this meant either
> the CRL isn't published or not reachable. Any ideas?
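The three steps Brian lists, written out as a batch script so the order and the certutil verbs are explicit; this is an added example, not code from the thread. It assumes the domain is example.com, the root CA is named ROOTCA on host rootsrv, the CA uses the default CertEnroll file names, and the subordinate's issued certificate has been saved as subca.cer; adjust those placeholders for your own environment.

```batch
@echo off
REM ==== Part A: run on the standalone ROOT CA (domain member), as an account
REM ==== that may write under CN=Public Key Services in the Configuration
REM ==== partition. The domain DN below is a placeholder.

REM Step 1: define %6 so the ldap:/// CDP/AIA templates expand correctly.
certutil -setreg CA\DSConfigDN "CN=Configuration,DC=example,DC=com"

REM CDP entries (flags: 1=publish here, 2=put in issued certs, 4/8=delta CRL
REM pointers, 64=publish delta CRLs here). Local file first, LDAP second.
REM %% is the batch escape for a literal % in the stored template.
certutil -setreg CA\CRLPublicationURLs "65:%windir%\system32\CertSrv\CertEnroll\%%3%%8%%9.crl\n79:ldap:///CN=%%7%%8,CN=%%2,CN=CDP,CN=Public Key Services,CN=Services,%%6%%10"

REM AIA entries (1=publish here, 2=put in issued certs).
certutil -setreg CA\CACertPublicationURLs "1:%windir%\system32\CertSrv\CertEnroll\%%1_%%3%%4.crt\n2:ldap:///CN=%%7,CN=AIA,CN=Public Key Services,CN=Services,%%6%%11"

REM Registry changes take effect after a service restart; then issue a CRL.
net stop certsvc
net start certsvc
certutil -crl

REM Step 2: a standalone CA does not publish to AD by itself, so push the
REM CRL (and the root cert, for the AIA container) into AD by hand.
REM -f overwrites an existing object. File names are the CA's defaults.
certutil -dspublish -f "%windir%\system32\CertSrv\CertEnroll\ROOTCA.crl"
certutil -dspublish -f "%windir%\system32\CertSrv\CertEnroll\rootsrv_ROOTCA.crt" RootCA

REM ==== Part B: run on the standalone SUBORDINATE CA after copying
REM ==== ROOTCA.crl and subca.cer over (it cannot resolve ldap:/// itself).

REM Step 3: seed the machine cache with the root CRL so revocation checking
REM succeeds, then install the issued certificate and verify the chain.
certutil -addstore root ROOTCA.crl
certutil -installcert subca.cer
certutil -verify -urlfetch subca.cer
```

Because the standalone subordinate never reaches the LDAP CDP, repeat Part B's certutil -addstore step each time the root publishes a new CRL, before the cached one expires.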