
Publish CRL to ftp server


Martin K.

Nov 3, 2004, 8:04:19 AM
Hi,
Can MS CA (both standalone and enterprise) publish CRLs to an ftp location? I
found that the documentation mentions the ftp protocol, but when I put in an ftp
location I get the following error (in the application log):

Certificate Services could not publish a Base CRL for key 0 to the following
location: ftp://ftp.lab/ms/subca.crl. The specified path is invalid.
0x800700a1 (WIN32/HTTP: 161).

Can anyone help?

regards,
Martin

Vishal Agarwal[MSFT]

Nov 4, 2004, 2:18:16 AM
Certificate Services would not publish to the FTP URL. The only publication
you can do is either at an ldap location or a file location (the file
location may be accessible via FTP or HTTP). However you should not use FTP
in the CDP extension as, with MS04-11, FTP URLs in the CDP extension would
not be used by cryptoapi for revocation check.

Thanks,
Vishal Agarwal[MSFT]

--
This posting is provided "AS IS" with no warranties, and confers no rights
"Martin K." <zanny[spam]@wp.pl> wrote in message
news:ut%231uWaw...@TK2MSFTNGP10.phx.gbl...

Marcin

Nov 4, 2004, 3:39:09 AM
> Certificate Services would not publish to the FTP URL. The only
> publication you can do is either at an ldap location or a file location (the
> file location may be accessible via FTP or HTTP). However you should not
> use FTP in the CDP extension as with MS04-11, FTP URLs in the CDP
> extension would not be used by cryptoapi for revocation check.

I have a remote www server (w2k/iis) that I need to publish CRLs to. It
was obvious to me that the best way to do it is to send CRLs by ftp. There
is no CDP with ftp, only http! Ftp is only used for transport; in the local
network I could do it by shared folders, but for security reasons it may not
be a good idea.

Thank you,

Martin


Martin K.

Nov 10, 2004, 8:23:09 AM

User "Vishal Agarwal[MSFT]" <vis...@online.microsoft.com> wrote in
message news:OUfq25jw...@TK2MSFTNGP14.phx.gbl...

> Certificate Services would not publish to the FTP URL. The only publication
> you can do is either at an ldap location or a file location (the file
> location may be accessible via FTP or HTTP). However you should not use FTP
> in the CDP extension as with MS04-11, FTP URLs in the CDP extension would
> not be used by cryptoapi for revocation check.

Can I publish CRLs from win2003 to an external LDAP v3 server?

regards
Martin


Brian Komar

Nov 10, 2004, 10:37:51 AM
In article <uzNjzhyx...@TK2MSFTNGP15.phx.gbl>, zanny[spam]@wp.pl
says...
>
> User "Vishal Agarwal[MSFT]" <vis...@online.microsoft.com> wrote in
> message news:OUfq25jw...@TK2MSFTNGP14.phx.gbl...
>
> > Certificate Services would not publish to the FTP URL. The only publication
> > you can do is either at an ldap location or a file location (the file
> > location may be accessible via FTP or HTTP). However you should not use FTP
> > in the CDP extension as with MS04-11, FTP URLs in the CDP extension would
> > not be used by cryptoapi for revocation check.
>
> Can I publish CRLs from win2003 to an external LDAP v3 server?
>
> regards
> Martin
>
Not automatically.
1) use *some* protocol to transfer the new CRL to the LDAP server
2) You may need another process on the LDAP server to add the object to
the LDAP directory
3) Ensure that the CA's CRL publication points include a URL that
points to the publication location at the LDAP server

You can transfer the updated CRL from the %windir%\system32\certsrv\certenroll
folder by using any protocol supported by the LDAP server. I
have used FTP, SFTP, PuTTY, SCP, etc. in different scenarios

Brian
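An added example, my own code rather than anything from the thread or from Microsoft: once the CRL has been transferred out of the certenroll folder by whatever transport you choose (step 1 above), the thing a practitioner wants to verify is step 3, that the copy served from the HTTP CDP is the CA's current CRL and has not lapsed past its nextUpdate. The script below parses thisUpdate/nextUpdate straight out of the DER with a small stdlib-only walker (no `cryptography` package needed), compares the CA's local copy with the served copy, and refuses ftp:// CDP URLs for the reason Vishal gave. The CDP URL `http://www.lab/ms/subca.crl`, the `build_sample_crl` helper (which produces a structurally valid CertificateList with a dummy signature, so it is not verifiable) and the sample dates are constructed assumptions; in production you would read the real CRL file from certenroll instead.

```python
"""Check that the CRL served from an HTTP CDP is the CA's current one.

Added example (not from the thread). Stdlib only: a minimal DER walker
pulls thisUpdate/nextUpdate out of the CRL so the CA's local copy can be
compared with the copy fetched from the distribution point.
"""
import os
import urllib.request
from datetime import datetime, timedelta, timezone

INTEGER, OID, NULL, BITSTRING, PRINTABLE = 0x02, 0x06, 0x05, 0x03, 0x13
UTC_TIME, GEN_TIME, SEQUENCE, SET = 0x17, 0x18, 0x30, 0x31


def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, end_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """Yield (tag, value) for each element directly inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, val, pos = _read_tlv(value, pos)
        yield tag, val


def _parse_time(tag, val):
    """Decode UTCTime (YYMMDDHHMMSSZ) or GeneralizedTime (YYYYMMDDHHMMSSZ)."""
    fmt = "%y%m%d%H%M%SZ" if tag == UTC_TIME else "%Y%m%d%H%M%SZ"
    return datetime.strptime(val.decode("ascii"), fmt).replace(tzinfo=timezone.utc)


def crl_validity(der):
    """Return (thisUpdate, nextUpdate) of a DER CertificateList; nextUpdate may be None."""
    tag, cert_list, _ = _read_tlv(der, 0)
    if tag != SEQUENCE:
        raise ValueError("not a DER CertificateList")
    _, tbs, _ = _read_tlv(cert_list, 0)                 # tbsCertList
    fields = list(_children(tbs))
    i = 1 if fields[0][0] == INTEGER else 0             # optional version
    i += 2                                              # signature, issuer
    this_update = _parse_time(*fields[i])
    i += 1
    next_update = None
    if i < len(fields) and fields[i][0] in (UTC_TIME, GEN_TIME):
        next_update = _parse_time(*fields[i])
    return this_update, next_update


def crl_is_current(der, now=None):
    """True when now lies within [thisUpdate, nextUpdate]; no nextUpdate means no expiry."""
    now = now or datetime.now(timezone.utc)
    this_update, next_update = crl_validity(der)
    if now < this_update:
        return False
    return next_update is None or now <= next_update


def distribution_point_status(local_der, remote_der, now=None):
    """'ok', 'stale' (CA has a newer CRL than the CDP) or 'expired' (served copy lapsed)."""
    now = now or datetime.now(timezone.utc)
    local_this, _ = crl_validity(local_der)
    remote_this, remote_next = crl_validity(remote_der)
    if remote_next is not None and now > remote_next:
        return "expired"
    if remote_this < local_this:
        return "stale"
    return "ok"


def fetch_crl(url):
    """Download a CRL from an http(s) CDP; ftp URLs are rejected (CryptoAPI ignores them)."""
    if not url.lower().startswith(("http://", "https://")):
        raise ValueError("CDP URL must be HTTP(S); FTP URLs are not used for revocation checks")
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read()


def _der(tag, content):
    """Minimal DER encoder, used only to construct the sample CRL below."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def build_sample_crl(this_update, next_update=None):
    """Constructed sample: a CertificateList with a dummy (unverifiable) signature."""
    sha256_rsa = _der(SEQUENCE, _der(OID, bytes.fromhex("2a864886f70d01010b")) + _der(NULL, b""))
    issuer = _der(SEQUENCE, _der(SET, _der(SEQUENCE,
                  _der(OID, bytes.fromhex("550403")) + _der(PRINTABLE, b"Lab Sub CA"))))
    times = _der(UTC_TIME, this_update.strftime("%y%m%d%H%M%SZ").encode())
    if next_update is not None:
        times += _der(UTC_TIME, next_update.strftime("%y%m%d%H%M%SZ").encode())
    tbs = _der(SEQUENCE, _der(INTEGER, b"\x01") + sha256_rsa + issuer + times)
    return _der(SEQUENCE, tbs + sha256_rsa + _der(BITSTRING, b"\x00" * 9))


if __name__ == "__main__":
    # Hypothetical paths: the CA's own copy in certenroll and the HTTP CDP it was copied to.
    local_path = os.path.expandvars(r"%windir%\system32\certsrv\certenroll\subca.crl")
    with open(local_path, "rb") as f:
        local = f.read()
    remote = fetch_crl("http://www.lab/ms/subca.crl")
    print(distribution_point_status(local, remote))
```

Run it from a scheduled task on the CA shortly after each CRL publication; a "stale" result means the transfer job did not run or failed, and an "expired" result means clients relying on that CDP are already getting revocation-check failures.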
