This document describes the configuration of a Microsoft Certificate
Authority (CA) server that runs Internet Information Services (IIS) to publish
Certificate Revocation List (CRL) updates. It also explains how to configure
Cisco Identity Services Engine ( ISE) (versions 1.1 and later) to retrieve the
updates for use in certificate validation. ISE can be configured to retrieve
CRLs for the various CA root certificates it uses in certificate validation.
The information in this document is based on these software and
Cisco Identity Services Engine Release 220.127.116.11
Server® 2008 R2
The information in this document was created from the devices in a
specific lab environment. All of the devices used in this document started with
a cleared (default) configuration. If your network is live, make sure that you
understand the potential impact of any command.
The first task is to configure a location on the CA server to store the
CRL files. By default, the Microsoft CA server publishes the files to
C:\Windows\system32\CertSrv\CertEnroll\ . Rather than use this system folder,
create a new folder for the files.
On the IIS server, choose a location on file system and create a new
folder. In this example, the folder C:\CRLDistribution is
In order for the CA to write the CRL files to the new folder, sharing
must be enabled. Right-click the new folder, choose
Properties, click the Sharing tab, and then
click Advanced Sharing.
In order to share the folder, check the Share this
folder check box and then add a dollar sign ($) to the end of the
share name in the Share name field to hide the
Click Permissions (1), click Add
(2), click Object Types (3), and check the
Computers check box (4).
In order to return to the Select Users, Computers, Service Accounts,
or Groups window, click OK. In the Enter the object names to
select field, enter the computer name of the CA server and click Check
Names. If the name entered is valid, the name refreshes and appears
underlined. Click OK.
In the Group or user names field, choose the CA computer. Check
Allow for Full Control to grant full access to the CA. Click
OK. Click OK again to close the Advanced
Sharing window and return to the Properties window.
In order to allow the CA to write the CRL files to the new folder,
configure the appropriate security permissions. Click the
Security tab (1), click Edit (2), click
Add (3), click Object Types (4), and check
the Computers check box (5).
In the Enter the object names to select field, enter the computer
name of the CA server and click Check Names. If the name
entered is valid, the name refreshes and appears underlined. Click
Choose the CA computer in the Group or user names field and then
check Allow for Full control to grant full access to the CA.
Click OK and then click Close to complete the
Click OK to return to the Extensions tab. Check the
Publish CRLs to this location check box (1) and then click
OK (2) to close the Properties window. A prompt appears for
permission to restart Active Directory Certificate Services. Click
In the left pane, right-click Revoked Certificates.
Choose All Tasks > Publish. Ensure that New CRL is selected
and then click OK.
The Microsoft CA server should create a new .crl file in the folder
created in section 1. If the new CRL file is created successfully there will be
no dialog after OK is clicked. If an error is returned in regards to the new
distribution point folder, carefully repeat each step in this section.
Verify the new CRL files exist and that they are accessible via IIS
from another workstation before you start this section.
On the IIS server, open the folder created in section 1. There
should be a single .crl file present with the form <CANAME>.crl where
<CANAME> is the name of the CA server. In this example, the filename
From a workstation on the network (ideally on the same network as the
ISE primary Admin node), open a web browser and browse to
http://<SERVER>/<CRLSITE> where <SERVER> is the server name
of the IIS server configured in section 2 and <CRLSITE> is the site name
chosen for the distribution point in section 2. In this example, the URL
The directory index displays, which includes the file observed in
Before ISE is configured to retrieve the CRL, define the interval to
publish the CRL. The strategy to determine this interval is beyond the scope of
this document. The potential values (in Microsoft CA) are 1 hour to 411 years,
inclusive. The default value is 1 week. Once an appropriate interval for your
environment has been determined, set the interval with these
On the CA server taskbar, click Start. Choose
Administrative Tools > Certificate
In the left pane, expand the CA. Right-click the Revoked
Certificates folder and choose
In the CRL publication interval fields, enter the required number and
choose the time period. Click OK to close the window and apply
the change. In this example, a publication interval of 7 days is
You should now confirm several registry values, which will help
determine the CRL retrieval settings in ISE.
Enter the certutil -getreg CA\Clock*
command to confirm the ClockSkew value. The default value is 10 minutes.
Enter the certutil -getreg CA\CRLov*
command to verify whether the CRLOverlapPeriod has been manually set. By
default the CRLOverlapUnit value is 0, which indicates that no manual value has
been set. If the value is a value other than 0, record the value and
As stated above, CRLPeriod was set to 7 days, or 10248 minutes and
CRLOverlapPeriod was not set.
a. OVERLAP = (10248 / 10) = 1024.8 minutes
b. 1024.8 minutes is > 720 minutes : OVERLAP = 720 minutes
c. 720 minutes is NOT < 15 minutes : OVERLAP = 720 minutes
d. 720 minutes is NOT > 10248 minutes : OVERLAP = 720 minutes
e. Grace Period = 720 minutes + 10 minutes = 730 minutes
The grace period calculated is the amount of time between when the CA
publishes the next CRL and when the current CRL expires. ISE needs to be
configured to retrieve the CRLs accordingly.
Log in to the primary Admin node and choose Administration
> System > Certificates. In the left pane, select
Check the Certificate Store check box next to the CA certificate for
which you intend to configure CRLs. Click
Near the bottom of the window, check the Download CRL
In the CRL Distribution URL field, enter the path to the CRL
Distribution Point, which includes the .crl file, created in section 2. In this
example, the URL is:
ISE can be configured to retrieve the CRL at regular intervals or
based on the expiration (which, in general, is also a regular interval). When
the CRL publish interval is static, more timely CRL updates are obtained when
the latter option is used. Click the Automatically radio
Set the value for retrieval to a value less than the grace period
calculated in step 7. If the value set is longer than the grace period, ISE
checks the CRL distribution point before the CA has published the next CRL. In
this example, the grace period is calculated to be 730 minutes, or 12 hours and
10 minutes. A value of 10 hours will be used for the
Set the retry interval as appropriate for your environment. If ISE
cannot retrieve the CRL at the configured interval in the previous step, it
will retry at this shorter interval.
Check the Bypass CRL Verification if CRL is not
Received check box to allow certificate-based authentication to
proceed normally (and without a CRL check) if ISE was unable to retrieve the
CRL for this CA in its last download attempt. If this check box is not checked,
all certificate-based authentication with certificates issued by this CA will
fail if the CRL cannot be retrieved.
Check the Ignore that CRL is not yet valid or
expired check box to allow ISE to use expired (or not yet valid) CRL
files as though they were valid. If this check box is not checked, ISE
considers a CRL to be invalid prior to their Effective Date and after their
Next Update times. Click Save to complete the