Hello
I am setting up a new PKI (in a LAB initially) and reading up on the subject.
I see the default location for the CDP is in the Configuration partition in AD and therefore accessed via LDAP://......
I also see others recommending using IIS/HTTP to publish the CRL, CPS.
I can see the advantage of publishing the CPS via HTTP (not sure how you would import a file, e.g. a text file containing the CPS, into AD in any event).
Question 1:
But what are the main advantages/disadvantages of placing the CRL in an IIS site and therefore HTTP?
Question 2:
I can see how the AD integrated CA would publish the updated CRL to AD, as the CA is integrated (e.g. Sub issuing CA).
If the CRL is published via IIS/HTTP, will the CA be able to automatically update the CRL via HTTP PUT or something like that (and if so I assume the CA server needs rights to the site and the underlying NTFS folder containing the site's files), or will I have to manually download the CRL from the CA and publish it to the HTTP site manually (or via script)?
Question 3:
Can I have the CRL published to LDAP and HTTP at the same time, and therefore I assume I will have to update the CA somewhere so that when it issues certificates it states both locations in the CDP information within the certificate?
Any help most appreciated.
AAnotherUser__