Domain Member Servers – Accessing Certificate Revocation List (CRL)

Tags: ad-certificate-services, certificate, certificate-authority, crl, domain-controller

In my environment I have an Enterprise Root CA installed on a domain controller and a separate domain controller configured as a Subordinate CA – I know this isn't recommended for security reasons, but it's what I inherited.

The Certificate Enrollment Web Services and Online Responder services were not installed on either server, so no IIS services in place.

If I open a certificate I created, select the Details tab, and select CRL Distribution Points, a URL like the following is provided:
URL=ldap:///CN=,CN=,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=example,DC=local?certificateRevocationList?base?objectClass=cRLDistributionPoint (ldap:///CN=,CN=,…..)

Here's my question – since there are no web services running for the clients to access a CRL using http/https, do clients get updated CRL information using the ldap string (query?) above? I'm trying to understand how clients grab new information about revoked/expired certificates when there's no URL to access with a web browser. These servers are all members of the same domain.

Adding IIS to a domain controller isn't an option, and deploying a separate VM to host CRL files most likely won't be approved due to the added cost of the VM and additional overhead.

Best Answer

do clients get updated CRL information using the ldap string (query?) above?

Yes. Clients use the URL defined in the CDP extension of the certificate to download the CRL. Microsoft CA and Windows clients support both HTTP and LDAP URL schemes to download CRLs. Microsoft CA can publish CRLs to AD as well.

Keep in mind that only AD forest (no matter how many domains you have) members can utilize LDAP URLs in AD.
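To check which CDP URLs a given certificate actually carries and whether a domain member can fetch the CRL from each, here is an added PowerShell example (not from the original post). It assumes the certificate is in the LocalMachine\My store, that the machine is a forest member, and that `$Thumbprint` is a placeholder you replace; `Test-CdpUrls` and `$Thumbprint` are names chosen for this example.

```powershell
# Added example: enumerate a certificate's CRL Distribution Points and retrieve
# the CRL from each the way a domain-joined Windows client would (LDAP or HTTP).
function Test-CdpUrls {
    param([Parameter(Mandatory)][string]$Thumbprint)

    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq $Thumbprint
    if (-not $cert) { throw "Certificate $Thumbprint not found in LocalMachine\My" }

    # id-ce-cRLDistributionPoints is OID 2.5.29.31; Format($true) renders the URL= entries.
    $cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    if (-not $cdp) { throw 'Certificate carries no CDP extension' }
    $urls = [regex]::Matches($cdp.Format($true), 'URL=(\S+)') | ForEach-Object { $_.Groups[1].Value }

    foreach ($url in $urls) {
        Write-Host "CDP: $url"
        if ($url -like 'ldap:///*') {
            # ldap:///<DN>?certificateRevocationList?base?objectClass=cRLDistributionPoint
            # Strip the scheme, keep the DN, and read the CRL attribute through ADSI.
            $dn = [uri]::UnescapeDataString(($url.Substring(8) -split '\?')[0])
            $entry = [adsi]"LDAP://$dn"
            $crlBytes = $entry.Properties['certificateRevocationList'].Value
            if ($crlBytes) { Write-Host "  LDAP CRL found: $($crlBytes.Length) bytes" }
            else { Write-Warning '  CDP object reachable but certificateRevocationList is empty' }
        }
        elseif ($url -like 'http*') {
            try {
                $r = Invoke-WebRequest -Uri $url -UseBasicParsing
                Write-Host "  HTTP CRL found: $($r.Content.Length) bytes"
            }
            catch { Write-Warning "  HTTP CRL unreachable: $_" }
        }
    }

    # Cross-check with the built-in chain engine, which performs the same CDP retrieval.
    $path = Join-Path $env:TEMP "$Thumbprint.cer"
    Export-Certificate -Cert $cert -FilePath $path | Out-Null
    certutil -verify -urlfetch $path
}

# Placeholder thumbprint: replace with the certificate you want to check.
$Thumbprint = 'REPLACE_WITH_CERT_THUMBPRINT'
Test-CdpUrls -Thumbprint $Thumbprint
```

A machine outside the forest will fail on the LDAP branch while an HTTP CDP still works, which is the distinction the answer makes.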