You need to ensure that the certificate revocation list (CRL) is available to all of the users

Your company has an office in New York.
Many users connect to the office from home by using the Internet.
You deploy an Active Directory Certificate Services (AD CS) infrastructure that contains an enterprise
certification authority (CA) named CA1. CA1 is only available from hosts on the internal network.
You need to ensure that the certificate revocation list (CRL) is available to all of the users.
What should you do? (Each correct answer presents part of the solution. Choose all that apply.)

A.
Create a scheduled task that copies the CRL files to a Web server.

B.
Run the Install-ADCSWebEnrollment cmdlet.

C.
Run the Install-EnrollmentPolicyWebService cmdlet.

D.
Deploy a Web server that is accessible from the Internet and the internal network.

E.
Modify the location of the Authority Information Access (AIA).

F.
Modify the location of the CRL distribution point (CDP).

Explanation:

CRLs will be located on Web servers that are Internet facing.
CRLs will be accessed using the HTTP retrieval protocol.
CRLs will be accessed using an external URL of http://dp1.pki.contoso.com/pki
F: To successfully authenticate an IP over Secure Hypertext Transfer Protocol (IP-HTTPS)-based connection, DirectAccess clients must be able to check for certificate revocation of the secure sockets layer (SSL) certificate submitted by the DirectAccess server. To successfully perform intranet detection, DirectAccess clients must be able to check for certificate revocation of the SSL certificate submitted by the network location server. The referenced procedure ("Configure a CRL Distribution Point for Certificates") describes how to do the following:
- Create a Web-based certificate revocation list (CRL) distribution point using Internet Information Services (IIS)
- Configure permissions on the CRL distribution shared folder
- Publish the CRL in the CRL distribution shared folder



Alpha

In every “Choose all that apply” question, the distinction is always defined beforehand: either “each answer presents part of the solution” or “each answer presents a complete solution”.

In this case, it is the former. Thus, while A is a valid option, it isn’t strictly necessary since D&F alone will accomplish the goal, as the CDP will publish on a weekly schedule by default.

Piet

@Alpha
And how does the CRL get to the webserver? By Magic?
The CA won’t magically push the CRL to the webserver! A is required!

Piet

Oops, sorry, my mistake: if the webserver can be reached from the CA, publishing will indeed make the CRL file available.

Piet

But publishing will only be automatic if the webserver is accessible through a share.

FSM

The answer is: A,D & F.

– Create a Web-based certificate revocation list (CRL) distribution point using Internet Information Services (IIS).
– Configure permissions on the CRL distribution shared folder.
– Publish the CRL in the CRL distribution shared folder.

https://technet.microsoft.com/en-us/library/ee649260%28v=ws.10%29.aspx

RR

There is no copy or schedule command in the URL you provided. When you publish the CRL and point to the share, the files will be copied automatically.

jersey

A, D, & F
https://blogs.technet.microsoft.com/enterprisemobility/2009/05/01/how-to-publish-the-crl-on-a-separate-web-server/

—Answer D—
We must create a new web server so users at home can connect over the Internet

“In overview, the steps you will need to perform to publish the CRL onto a separate Web server include the following:
1. On your SEPARATE server, configure IIS for a new virtual directory (or new Web site) that specifies the local folder that will contain the files for the CRL”

—Answer A—
We have to manually (or automate with a script and scheduled task) copy the CRL between CA1 (only available to hosts on the internal network) and the new web server. It ALSO doesn't mention us setting up a trust for automatic publishing.

Since CA1 is only available on the Intranet we cannot use a file share to distribute the list, therefore we need to either manually copy or automate with a script via scheduled tasks.
"You can manually publish the CRL onto this new CDP, or you can automatically publish it. Automatic publishing is a whole lot easier but requires a one-way trust from the Web server (CDP) in the DMZ to the CA server in the intranet, and uses SMB traffic for this connection (which you can secure with IPsec)."

From the "To automatically publish the CRL on a separate server" section:
"- Ensure that a trust relationship exists such that the Web Server trusts the CA Server."

—Answer F—
Need to modify the location of the CDP to point to new server hosting the CRL
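One way to carry out answers A, D and F end to end, as an added PowerShell example that serves both the explanation above and jersey's walkthrough (it is not code from the post, the exam's answer key, or Microsoft's articles). It assumes the host name dp1.pki.contoso.com from the explanation, a folder and share on the web server, a copy service account, and that CA1 is allowed to reach that share over SMB.

```powershell
# Added example (not code from the original post, the exam, or Microsoft): the three parts of
# the answer as PowerShell. CA1 and http://dp1.pki.contoso.com/pki come from the page; the
# folder C:\inetpub\pki, the share \\dp1.pki.contoso.com\pki$, the service account and the
# task name are assumed, as is a firewall rule allowing SMB from CA1 out to the DMZ server.

### Answer D: on the Internet-facing web server, serve the CRL folder over HTTP ###
Import-Module WebAdministration
New-Item -Path 'C:\inetpub\pki' -ItemType Directory -Force | Out-Null
New-WebVirtualDirectory -Site 'Default Web Site' -Name 'pki' -PhysicalPath 'C:\inetpub\pki'
# Delta CRL file names contain '+', which IIS request filtering rejects (HTTP 404) unless
# double escaping is allowed; without this, clients quietly fail the delta CRL download.
Set-WebConfigurationProperty -PSPath 'IIS:\Sites\Default Web Site\pki' `
    -Filter '/system.webServer/security/requestFiltering' -Name 'allowDoubleEscaping' -Value $true

### Answer F: on CA1, add the external HTTP URL to the CDP extension ###
# Existing LDAP/local entries stay; the new URL goes into issued certificates (CDP extension)
# and into base CRLs as the freshest-CRL pointer so delta CRLs are found at the same place.
Add-CACrlDistributionPoint -Uri 'http://dp1.pki.contoso.com/pki/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl' `
    -AddToCertificateCdp -AddToFreshestCrl -Force
Restart-Service certsvc        # CDP/AIA changes take effect after a restart
certutil -crl                  # publish a new base (and delta) CRL to the local CertEnroll folder
# Answer E (AIA) is not part of the solution: AIA carries the CA certificate, not the CRL.

### Answer A: on CA1, a scheduled task that pushes the CRL files to the web server ###
# CA1 is unreachable from the DMZ, so the copy runs from the CA side. Hourly is fine because
# the base CRL is republished weekly by default; what matters is that a copy lands before
# the current CRL's NextUpdate, or clients start treating certificates as unverifiable.
$script = @'
Copy-Item -Path "$env:windir\System32\CertSrv\CertEnroll\*.crl" `
          -Destination '\\dp1.pki.contoso.com\pki$' -Force
'@
New-Item -Path 'C:\Scripts' -ItemType Directory -Force | Out-Null
Set-Content -Path 'C:\Scripts\Copy-Crl.ps1' -Value $script
$action  = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument '-NoProfile -NonInteractive -File C:\Scripts\Copy-Crl.ps1'
$trigger = New-ScheduledTaskTrigger -Once -At (Get-Date) -RepetitionInterval (New-TimeSpan -Hours 1)
Register-ScheduledTask -TaskName 'Publish CRL to dp1' -Action $action -Trigger $trigger `
    -User 'CONTOSO\svc-crlcopy' -Password '<service account password>'

### Check from a home client: the CRL must download over HTTP and still be within its validity ###
$tmp = Join-Path $env:TEMP 'CA1.crl'
Invoke-WebRequest -Uri 'http://dp1.pki.contoso.com/pki/CA1.crl' -OutFile $tmp -UseBasicParsing
certutil -dump $tmp | Select-String 'Update:'   # ThisUpdate / NextUpdate must bracket "now"
```

The copy account only needs read access to CertEnroll on CA1 and write access to the pki$ share; the final check is the one to repeat from outside the network after every CRL republish, since a stale copy on the web server fails revocation checking just as surely as no copy at all.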