Certificate Lifecycle Management Reading Time: 5 minutes

A 360-Degree Overview of CRL Distribution Point

This is a location in the form of URLs where the issuing CA’s base certificate revocation list (CRL) is published. If revocation checking is enabled, an application will use the URL to retrieve an updated version of the CRL. URLs can use Hypertext Transfer Protocol (HTTP), LDAP, or File.

Importance

With the help of CDP, an application or a site-visitor can retrieve the Certificate Revocation List (CRL) thereby determining whether the digital certificate is trustworthy or not. This can protect them from visiting or accessing fraudulent sites and from man-in-the-middle attacks. In the absence of CRL, they might be vulnerable to data-theft, malware, fraud, financial loss etc.

Defining CRL Distribution Points:

You can define a CA’s CDP URLs by using the certutil command to edit the CRLPublicationURLs registry entry. The command allows you to designate one or more URLs as well as which CRL publication options are enabled for each URL.

For example, consider the following certutil command that defines the CDP extension:

certutil -setreg CACRLPublicationURLs “1:C:Windowssystem32CertSrvCertEnroll%3%8%9.crln10:ldap:///CN=%7%8,CN=%2, CN=CDP,CN=Public Key Services,CN=Services, %6%10n2:http://pki.EncryptionConsulting.com/CertEnroll/%3%8%9.crl”

This command defines three separate URLs. The URL order is important when implementing
Windows clients because it specifies the order in which the certificate chaining engine searches URLs when retrieving an updated CRL version. Likewise, the number that precedes each URL represents the enabled options for each URL.

1:C:Windowssystem32CertSrvCertEnroll%3%8%9.crl : This URL ensures that
the CRL file is copied to the local file system every time the CRL is automatically or manually published.

10:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10 : This URL enables two values: 2 to designate the CRL’s publication point in AD DS and 8 to include the CDP URL in all CA-issued certificates.

2:http://pki.EncryptionConsulting.com/CertEnroll/%3%8%9.crl : This URL ensures that
the URL pki.EncryptionConsulting.com/CertEnroll/%3%8%9.crl is included in the CDP extension of all issued certificates.

CDP variables

Variable Name Description
%1 ServerDNSName The CA computer’s Domain Name System (DNS) name
%2 ServerShortName The CA computer’s NetBIOS name
%3 CA Name The CA’s logical name
%6 ConfigDN The Lightweight Directory Access Protocol (LDAP) path of the forest’s configuration naming context for the forest
%8 CRLNameSuffix The CRL’s renewal extension
%9 DeltaCRLAllowed Indicates whether delta CRLs are supported by the CA
%10 CDPObjectClass Indicates that the object is a CDP object in AD DS

CRL Publication options

Variable Name Description
%1 ServerDNSName The CA computer’s Domain Name System (DNS) name
%2 ServerShortName The CA computer’s NetBIOS name
%3 CA Name The CA’s logical name
%6 ConfigDN The Lightweight Directory Access Protocol (LDAP) path of the forest’s configuration naming context for the forest
%8 CRLNameSuffix The CRL’s renewal extension
%9 DeltaCRLAllowed Indicates whether delta CRLs are supported by the CA
%10 CDPObjectClass Indicates that the object is a CDP object in AD DS

How to add a CDP

Command:

Add-CRLDistributionPoint [-InputObject] <CRLDistributionPoint[]> [-URI] <String[]> [<CommonParameters>]

Parameters:

-InputObject <CRLDistributionPoint[]>  -> Specifies the CRLDistributionPoint object to which new CRL distribution points are added

[-URI] <String[]>  -> This specifies new CRL file publishing distribution points for a particular CA.

<CommonParameters> : The cmdlet supports common parameters like: Debug (db), ErrorAction (ea), ErrorVariable (ev), InformationAction (infa), InformationVariable (iv), OutVariable (ov), OutBuffer (ob), PipelineVariable (pv), Verbose (vb), WarningAction (wa), WarningVariable (wv)

Conclusion:

The CRL distribution points (CDP) is a X.509 version 3 certificate extension which identifies the location of the Certificate Revocation List (CRL) from which the revocation of the requested certificate can be checked.

The application that processes the certificate can get the location of the CRL from this extension, download the CRL and thereafter validate the revocation status of the requested certificate.

Free Downloads

Datasheet of Certificate Management Solution

Download our datasheet and discover the power of seamless certificate management with our CertSecure Manager

Download

About the Author

Yogesh Giri's profile picture

Yogesh Giri is a consultant at Encryption Consulting with extensive expertise in Public Key Infrastructure (PKI) and Hardware Security Modules (HSM). He possesses strong knowledge in frontend technologies, including React.js, and is proficient in backend development with PHP and WordPress. He has worked on the website to enhance the user experience and introduced features, demonstrating his ability to deliver robust and innovative solutions across various platforms.

Explore the full range of services offered by Encryption Consulting.

Feel free to schedule a demo to gain a comprehensive understanding of all the services Encryption Consulting provides.

Request a demo