Join David M. Franklyn for an in-depth discussion in this video Creating and publishing a CRL, part of Microsoft System Center Configuration Manager Essential Training.
- [Instructor] So in our first demo for this chapter, we're going to go ahead and create a certificate revocation list, or CRL. So we want to be on the main domain controller DC1 and on this system, we have installed the certificate authority, so we want to go to tools and go to the certificate authority console and load that up. And we're going to first configure where our certificate revocation list, or CRL, distribution point is going to be. So we're going to right click our certificate authority name and go to properties, and this just shows the properties of the certificate authority.
And what we need to do now is go to the extensions tab. And in the extensions tab, you can see there's several locations already added but really, none of them go to a particular computer name. So that's what we're going to do now. So we have to configure this CRL distribution point and we're going to add, and now this is very tricky, so we need to make sure we do not click okay until we've completely written the statement here. So the location is going to be http colon slash slash, C-R-L dot Dave M-C-T dot com, and then slash C-R-L-D-I-S-T.
For CRL distribution. And then put another slash. And now we need to add some variable names that will be brought over with this. So the first one is going to be the certificate authority name. So we just click insert on that and then there's another one. So it's a drop down list, we need to select, as shown here, the CRL name suffix and insert that. And in the drop down list there's one more and that's the delta CRL allowed.
And that just means that as new items are put into the list, if they're put into the list, then the changes to that list will be sent to this location. And we insert. So we should have then in this statement, http colon slash slash crl dash DaveMCT dot com slash CRLdist slash and then we're appending to that the CaName, the CRLNameSuffix, and the DeltaCRLAllowed. So we have one more thing we want to have and that's the file name extension.
So we go to the very end of this list and put a dot CRL. And now we should be able to say okay. And again, it's tricky. You need to be very precise in this. And now we can click okay and we do so. I did one last check of my notes 'cause it is a very long thing, and you should probably write it down before you actually get in here and start adding it, if you've never done this before. And now we're going to actually add another location.
And we have now selected the one we've just put in. This location, what we've just put in. And within the check list right here, we want to include in CRLs, which clients use to find the delta CRL, and also include in the CDP, which is the CRL distribution point, extensions of issued certificates. And then include in the IDP extension of issued CRLs.
And at this point, we just want to have those, we're going to do another one. So we click add. And this brings add location up again. In this case, we're going to add a location that's going to be a share. So it's going to be backslash backslash, make sure we get this right, dc1 dot DaveMCT dot com backslash c-r-l-d-i-s-t dollar backslash. So this is a share that we're creating, or share that we have on the system that we're going to let the local computers come to.
So the other one was an http location to let anyone using a browser come in and see the CRL distribution point list to make sure that none of the certificates that we are telling them to use have been revoked for any reason. So in this case we also have to append the CaName, as well as the CRLNameSuffix, and insert that. And the DeltaCRLAllowed. Just like we did in the previous location.
Now, we also need to append the dot CRL to this 'cause it is going to be a file. Sometimes, you have to go and check in the box here to make that happen, sometimes it doesn't. So you want to read it backwards, make sure you have it exactly the way it is. So we have here the crl and then we have the three items. And then we have the actual name of the share. And that looks good now so we can say okay. And in here we've got to also specify to publish the CRL.
And we're going to publish the Delta CRLs. And now, we're done creating these CRL lists, now we're going to go to the exit module tab and in the exit module tab, you want to go to the properties, and in the properties we're going to allow certificates to be published in the file system. And say okay. This will cause the certificate authority service to restart. So we want to say okay to that. And then at this point, we say okay to the properties window and now we want to minimize the certificate services.
It may ask you, when you go to close the property window, to restart the certificate services again, just say yes to that. In any case, now we're going to create the CRL share. So we go to file explorer, and in file explorer at the root of the C Drive, we're going to make a new folder. And the name of this folder is going to be called our CRLdist. C-R-L d-i-s-t, CRL distribution.
And then we're going to share it. So we're going to do that with advanced sharing. So right click that folder and go to properties, and in the sharing tab we're going to click advanced sharing and in advanced sharing we're going to share the folder but we want to add a dollar sign to the end of the name. And what that's going to do is just make it a hidden share. So we're directing through certificate services, access to this share but we don't want people just to browse and find it by going to the domain controller.
Under the permissions, we're going to add some accounts, so we're going to click add to this, and now we need to add computer accounts so click the object types, and now in the object types window, check the box that says computers and then okay. And now in the enter the object name to select, we need to type dc1, which is this very computer, check names, and there it is. It shows up. Say okay to that. And give it full control and then say okay.
And then okay. And now go to the security tab and we're going to add the account again here and give it full control. Click edit, the security tab. We're going to click add, once again, we're doing a computer account so we click the object types, select the computers object, click okay, and type in dc1, and then okay. And now we want to give it full control again at this level. Then we say okay, and we can now say close.
Now our next step is to create the CRL website. So we can close file explorer and this time in server manager we're going to go to tools, and then we're going to the internet information services manager. So let's bring this up. Expand the window. And now we're going to expand our server name. And then expand sites. And select default website. And at the default website we're going to right click it and say add virtual directory.
And in the add virtual directory dialog box, in the alias, we're going to type in C-R-L d-i-s-t. In the physical path, we're going to put it on the folder we just created at the root of C. So we can click the browse button, and expand C drive and then select CRL dist and say okay. And then okay again. So now in the details pane, we're looking for directory browsing.
And double click it. And in directory browsing, we want to enable that. So click the enable hyperlink in the actions pane, and now open up, or click on the CRL dist again under the console tree. And in here we want to go to the configuration editor. And that's also in the details pane. So configuration editor, double click that. And in the configuration editor, we need to change the section we're going to.
So let's go ahead and use the drop down to do that in the section. And the specific section we're looking for is found in the system web server. And don't confuse that with system web. So expand that and then go to security, which is a separate folder and expand that. And finally, we're going to request filtering. So highlight that. And that's going to bring up a number of different parameters that we can make changes to here. And the one we're going to make changes to is to allow double escaping.
So we'll find one that says allow double escaping. It's the top one right here. Right now it's set to false. So we want to set that to true. This will enable anyone to go in and peruse the list and what happens when your browser connects to an https site, it finds the actual CRL distribution point website. It goes to it and checks to make sure that the certificate that is being offered has not been put on that list. So we set that to true.
And now in actions, say apply. And now we're going to close the internet information services manager. So now we can create a DNS alias to the CRL. Because otherwise, any machine trying to connect to it won't be able to find it without the appropriate address. So let's go into DNS, we'll expand DNS. We'll go to our forward lookup zone. Expand that. We'll select our Dave MCT zone and here we're going to right click the zone name and say new alias (CNAME).
And this brings up the new resource record. And in the new resource record, we're going to type in CRL, and notice how this is appended just to DaveMCT.com as a fully qualified name. And now we put in the fully qualified domain name of the target, in this case that's going to be dc1. So we can browse for that. Double click dc1, forward lookup zone, davemct. Scroll down and find that actual record for dc1.
Select it, say okay. And it's all filled out properly, say okay again. And now the CRL is being used as an alias to our dc1 computer. So it can be found. The next step we're going to do is create and enable an enrollment agent. And let's go ahead and close DNS. And in tools, in server manager, we're going to go to active directory users and computers. And let's expand that. And in this case we're going to make a new group in the IT container.
And this group is going to be called DaveMCT enrollment agent. So, new group, and we get the new group object. Click on it. And in the group name, it's going to be, again, DaveMCT Mobile Enrollment Agents with an s. It's a global security group. Say okay to that. And now, let's expand this a little bit so we can see all the names, within the DaveMCT Mobile Enrollment, we're going to add a user to this group.
So we're going to double click it. And go to members and we're going to add as a member to this group, the veteran IT person. So we can just put in vet right here and check names and you see it comes up with the vet ITP at DaveMCT.com, say okay to that. And then okay once more. We need to go now to the vet IT person account. And there's one final thing we need to do, and that's just put in the email box, in the general page, an email address.
Even if we don't have email turned on for this. That property in the active directory is then used to confirm a user when we make a connection later to Microsoft Intune. So let's go ahead and type in vetITP@DaveMCT.com and then say okay. And now we can close the active directory. Now we're going to do the final step in this demonstration, which is to publish the CRL.
So we're going to go back to the certificate authority console that we minimized before. And we want to expand the DaveMCT dash dc1 dash CA item, and go to Revoked Certificates. And right now there are none. What we need to do is publish this. So we're going to right click Revoked Certificates, go to all tasks, and select publish. And in this case, we're going to select it as a new CRL. So we're going to keep the default and say okay.
And now, to test this, let us minimize it. And now go back to file explorer and see if we have any files at all in that directory. So that directory, CRL dist is at the root of C and here it is. And yes, we have three files. We have the two CRL files that we created earlier and a web config, or web dot config file. Configuration file. And that's what we need to see.
So this completes this particular demonstration.
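The same CDP, share, IIS, DNS and publish steps as a script, added here as an example and not part of the course or the instructor's material. It assumes the names used in the video (domain davemct.com, CA host DC1, folder C:\CRLdist, hidden share CRLdist$, alias crl) and the ADCSAdministration, WebAdministration, DnsServer and SmbShare modules present on a Windows Server CA.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the course): the GUI steps as a script run on DC1, the CA host.
# Assumed names from the video: davemct.com, DC1, C:\CRLdist, share CRLdist$, alias crl.
Import-Module ADCSAdministration, WebAdministration, DnsServer, SmbShare

$zone    = 'davemct.com'
$caHost  = "dc1.$zone"
$alias   = 'crl'
$folder  = 'C:\CRLdist'
$share   = 'CRLdist$'      # the $ only hides the share from browsing; it is not an access control
$account = 'DAVEMCT\DC1$'  # the CA's computer account, which writes the CRL files
# The CA expands these tokens at publish time. A typo here lands in the CDP extension
# of every certificate issued afterwards, so verify the string character by character.
$tokens  = '<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl'

# 1. Folder, hidden share and NTFS Full Control for the CA computer account
New-Item -ItemType Directory -Path $folder -Force | Out-Null
New-SmbShare -Name $share -Path $folder -FullAccess $account | Out-Null
$acl  = Get-Acl $folder
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList `
    $account, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow'
$acl.AddAccessRule($rule); Set-Acl -Path $folder -AclObject $acl

# 2. CDP locations: relying parties fetch the HTTP URL; the CA writes to the UNC path
Add-CACrlDistributionPoint -Uri "http://$alias.$zone/CRLdist/$tokens" `
    -AddToCertificateCdp -AddToFreshestCrl -AddToCrlIdp -Force
Add-CACrlDistributionPoint -Uri "file://\\$caHost\$share\$tokens" `
    -PublishToServer -PublishDeltaToServer -Force
certutil -setreg 'exit\PublishCertFlags' '+EXITPUB_FILE'   # exit module: publish certs to file system

# 3. IIS virtual directory with directory browsing; allowDoubleEscaping must be true
#    because delta CRL file names contain '+', which request filtering rejects by default
New-WebVirtualDirectory -Site 'Default Web Site' -Name 'CRLdist' -PhysicalPath $folder | Out-Null
$vdir = 'IIS:\Sites\Default Web Site\CRLdist'
Set-WebConfigurationProperty -PSPath $vdir -Filter 'system.webServer/directoryBrowse' -Name enabled -Value $true
Set-WebConfigurationProperty -PSPath $vdir -Filter 'system.webServer/security/requestFiltering' `
    -Name allowDoubleEscaping -Value $true

# 4. DNS alias so the HTTP URL in the CDP extension resolves to the CA host
Add-DnsServerResourceRecordCName -ZoneName $zone -Name $alias -HostNameAlias $caHost

# 5. Restart the CA so the new extensions take effect, then publish a fresh base CRL
Restart-Service certsvc
certutil -crl

# 6. Check: the base CRL (no '+' in its name) is on disk and fetchable over HTTP
$base = Get-ChildItem $folder -Filter '*.crl' | Where-Object Name -NotLike '*+*' | Select-Object -First 1
Invoke-WebRequest -Uri "http://$alias.$zone/CRLdist/$($base.Name)" -OutFile "$env:TEMP\fetched.crl"
certutil -dump "$env:TEMP\fetched.crl" | Select-String 'Issuer|ThisUpdate|NextUpdate'
```

Step 6 is the equivalent of the file-explorer check at the end of the video, but it also confirms that the HTTP path a client will actually use returns a parseable CRL.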