Your network contains an Active Directory domain named contoso.com.
The domain contains four servers.
The servers are configured as shown in the following table.
You plan to deploy an enterprise certification authority (CA) on a server named Server5.
Server5 will be used to issue certificates to domain-joined computers and workgroup computers.
You need to identify which server you must use as the certificate revocation list (CRL) distribution point for
Server5. Which server should you identify?
A.
Server1
B.
Server3
C.
Server4
D.
Server2
Explanation:
CDP (and AD CS) always uses a Web Server
NB : this CDP must be accessible from outside the AD, but here we don’t have to wonder about that as there’s
only one web server.
=========
http://technet.microsoft.com/fr-fr/library/cc782183%28v=ws.10%29.aspx
Selecting a CRL Distribution Point
Because CRLs are valid only for a limited time, PKIclients need to retrieve a new CRL periodically. W indows
Server 2003 PKI applications look in the CRL distribution point extension for a URL that points to a network
location from which the CRL object can be retrieved. Because CRLs for enterprise CAs are stored in Active
Directory, they can be accessed by means of LDAP. In comparison, because CRLs for stand-alone CAs are
stored in a directory on the server, they can be accessed by means of HTTP, FTP, and so on as long as the CA
is online. Therefore, you should set the CRL distribution point after the CA has been installed.
The system account writes the CRL to its distribution point, whether the CRL is published manually or is
published according to an established schedule. Therefore you must ensure that the system accounts forCAs
have permission to write to the CRL distribution point.
Because the CRL path is also included in every certificate, you must define the CRL location and its access
path before deploying certificates. If an application performs revocation checking and a valid CRL is not
available on the local computer, it rejects the certificate.
You can modify the CRL distribution point by using the Certification Authority MMC snap-in. In this way, you can
change the location where the CRL is published to meet the needs of users in your organization. You must
move the CRL distribution point from the CA configuration folder to a Web serverto change the location of the
CRL, and you must move each new CRL to the new distribution point, or else the chain will break when the
previous CRL expires.
Note
On root CAs, you must also modify the CRL distribution point in the CAPolicy.inf file so that the root CA
certificate references the correct CDP and AIA paths, if specified.
If you are using certificates on the Internet, you must have at least one HTTPs-accessible location for all
certificates that are not limited to internal use.
=========
http://technet.microsoft.com/en-us/library/cc771079.aspx
Configuring Certificate Revocation
It is not always possible to contact a CA or other trusted server for information about the validity of a certificate.
To effectively support certificate status checking,a client must be able to access revocation data todetermine
whether the certificate is valid or has been revoked. To support a variety of scenarios, Active Directory
Certificate Services (AD CS) supports industry-standard methods of certificate revocation. These include
publication of certificate revocation lists (CRLs) and delta CRLs, which can be made available to clients
from a variety of locations, including Active Directory Domain Services (AD DS), Web servers, and
network file shares.
================
Old explanation : CRL is published to a web site