You can add, remove, or modify certificate revocation list (CRL) distribution points in issued certificates by using the following procedure. However, modifying the URL for a CRL distribution point only affects newly issued certificates. Previously issued certificates will continue to reference the original location.

You must be a certification authority (CA) administrator to complete this procedure. For more information, see Implement Role-Based Administration.

To specify CRL distribution points in issued certificates
  1. Open the Certification Authority snap-in.

  2. In the console tree, click the name of the CA.

  3. On the Action menu, click Properties, and then click the Extensions tab. Confirm that Select extension is set to CRL Distribution Point (CDP).

  4. Do one or more of the following. (The list of CRL distribution points is in the Specify locations from which users can obtain a certificate revocation list (CRL) box.)

    To add a new CRL distribution point

    Click Add, type the name of the new CRL distribution point, and then click OK.

    To remove a CRL distribution point from the list

    Click the CRL distribution point, click Remove, and then click OK.

    To indicate that you want to use a URL as a CRL distribution point

    Click the CRL distribution point, select the Include in the CDP extension of issued certificates check box, and then click OK.

    To indicate that you do not want to use a URL as a CRL distribution point

    Click the CRL distribution point, clear the Include in the CDP extension of issued certificates check box, and then click OK.

    To indicate that you want to use a URL as a delta CRL distribution point

    Click the CRL distribution point, select the Publish Delta CRLs to this location check box, and then click OK.

    To indicate that you do not want to use a URL as a delta CRL distribution point

    Click the CRL distribution point, clear the Publish Delta CRLs to this location check box, and then click OK.

    To indicate that you want to publish this location in CRLs to point clients to a delta CRL

    Click the CRL distribution point, select the Include in CRLs. Clients use this to find Delta CRL locations check box, and then click OK.

    To indicate that you do not want to publish this location in CRLs to point clients to a delta CRL

    Click the CRL distribution point, clear the Include in CRLs. Clients use this to find Delta CRL locations check box, and then click OK.

  5. Click Yes to stop and restart Active Directory Certificate Services (AD CS).

CRL URLs can be HTTP, FTP, LDAP, or FILE addresses. You can use the following variables when specifying the address of the CRL.

Variable                 Value

CAName                   The name of the CA
CAObjectClass            The object class identifier for a CA, used when publishing to an LDAP URL
CATruncatedName          The "sanitized" name of the CA, truncated to 32 characters with a hash at the end
CDPObjectClass           The object class identifier for CRL distribution points, used when publishing to an LDAP URL
CertificateName          The renewal extension of the CA
ConfigurationContainer   The location of the Configuration container in Active Directory Domain Services (AD DS)
CRLNameSuffix            Inserts a name suffix at the end of the file name when publishing a CRL to a file or URL location
DeltaCRLAllowed          When a delta CRL is published, this replaces the CRLNameSuffix variable with a separate suffix to distinguish the delta CRL from the CRL
ServerDNSName            The DNS name of the CA server
ServerShortName          The NetBIOS name of the CA server
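The same configuration performed from PowerShell rather than the snap-in, as an added example that is not part of the original page or of Microsoft's documentation. It covers the step 4 check boxes and step 5 restart above, and uses the URL variables from the table in the angle-bracket form the CA expects (for example <CaName>). It assumes the ADCSAdministration module (Windows Server 2012 and later) in an elevated session on the CA itself; the host name pki.example.com and the share pki$ are placeholders for your own publishing point, and the mapping between cmdlet switches and check-box labels is given in the comments.

```powershell
# Added example: manage CDP locations with the ADCSAdministration module.
# Assumptions (not on the page): elevated session on the CA, Windows Server
# 2012+ module, and pki.example.com / pki$ as placeholders for your own
# HTTP publishing point and the share behind it.
Import-Module ADCSAdministration

# URL templates built from the variables in the table. The CA expands them
# at publication time; <DeltaCRLAllowed> becomes the delta-CRL suffix only
# when a delta CRL is being written.
# HTTP is a retrieval URL for clients: the CA cannot write to it, so it is
# only placed in issued certificates and in base CRLs (freshest-CRL pointer).
$httpCdp = 'http://pki.example.com/pki/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl'
# The file:// location is where the CA actually writes the base and delta
# CRL files; the web server in front of pki$ serves them under /pki.
$fileCdp = 'file://\\pki.example.com\pki$\<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl'

# Record the current list first; it is the rollback reference if the
# change has to be reverted.
$before = Get-CACrlDistributionPoint
$before | Format-Table Uri, AddToCertificateCdp, AddToFreshestCrl,
                       PublishToServer, PublishDeltaToServer -AutoSize

# Switch-to-check-box mapping on the Extensions tab (CRL Distribution Point):
#   -AddToCertificateCdp  "Include in the CDP extension of issued certificates"
#   -AddToFreshestCrl     "Include in CRLs. Clients use this to find Delta CRL locations"
#   -PublishToServer      "Publish CRLs to this location"
#   -PublishDeltaToServer "Publish Delta CRLs to this location"
if ($before.Uri -notcontains $httpCdp) {
    Add-CACrlDistributionPoint -Uri $httpCdp -AddToCertificateCdp -AddToFreshestCrl -Force
}
if ($before.Uri -notcontains $fileCdp) {
    Add-CACrlDistributionPoint -Uri $fileCdp -PublishToServer -PublishDeltaToServer -Force
}

# Removing a location is the equivalent of step 4 "Remove". Do not remove a
# URL that certificates already in circulation still reference (see the note
# at the top of the page): keep serving it until those certificates expire.
# Example, shown but not executed:
#   Remove-CACrlDistributionPoint -Uri 'http://old.example.com/pki/<CaName>.crl' -Force

# Step 5: the new CDP configuration takes effect after the service restarts.
Restart-Service -Name CertSvc

# Publish a fresh base CRL so the new file:// location is exercised now
# rather than at the next scheduled publication.
$start = Get-Date
certutil -CRL | Out-Null

# Verify: the configured list now contains both URLs with the expected
# flags, and a CRL file newer than $start appeared at the publishing share.
$after = Get-CACrlDistributionPoint
$after | Where-Object { $_.Uri -in @($httpCdp, $fileCdp) } |
    Format-Table Uri, AddToCertificateCdp, AddToFreshestCrl,
                 PublishToServer, PublishDeltaToServer -AutoSize

$published = Get-ChildItem -Path '\\pki.example.com\pki$' -Filter '*.crl' |
    Where-Object { $_.LastWriteTime -gt $start }
if (-not $published) {
    Write-Warning 'No new CRL file found on the share; check the CA service account''s write permission and the file:// path.'
}
```

Only certificates issued after the restart carry the new CDP URL, so the verification step that matters for clients is to enrol a test certificate afterwards and confirm its CRL Distribution Points extension lists the new URL.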
