How to manually publish a CRL for a certificate

certificate-authority, crl, vpn, workgroup

I have set up a new server and installed the Remote Access and Certificate Authority services so I can configure it as a VPN. I have created my own certificate through http://localhost/certsvr and have imported it into the Trusted Certificate Store.

My VPN works, but only if I disable revocation checking on the client via the registry, and what I have found is that the CRL for my certificate doesn't exist. The name of my certificate is dcom-dc01.dcomproductions.com, but when I check the CertEnroll folder in IIS the CRL for it is not listed. Only the CRL for the original created during Certificate Authority setup exists (DCOM-DC01-CA). I tried to do Actions -> Publish but it still does not publish the CRL.

How can I correct this?

My CRL distribution points are configured to:

C:\Windows\system32\CertSrv\CertEnroll\<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl
ldap:///CN=<CATruncatedName><CRLNameSuffix>,CN=<ServerShortName>,CN=CDP,CN=Public Key Services,CN=Services,<ConfigurationContainer><CDPObjectClass>
file://<ServerDNSName>/CertEnroll/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl
http://EXTERNALIP/CertEnroll/<CaName>/<CRLNameSuffix>/<DeltaCRLAllowed>.crl

Where EXTERNALIP is of course the publicly accessible IP for the server. The only one I changed was HTTP, because my understanding is that this is where clients check for the CRL.

Best Answer

First, you have 2 extra "/" in the http address; it should be:

http://EXTERNALIP/CertEnroll/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl

Second, you need to issue another certificate to be used in your IIS (AND) on the VPN.

Third, you need port 80 open on your IIS.
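The following PowerShell script is an added example, not part of the question or the answer above. It checks the three points the answer raises from the client's point of view: it reads the CRL Distribution Points (CDP) extension out of the server certificate, fetches every http:// CDP exactly as a remote VPN client would (no LDAP, no domain membership), confirms the downloaded CRL was issued by the CA that issued the server certificate (a CRL is published per CA, so the file clients look for is the CA's CRL, not one named after the server), checks that port 80 answers, and finally lets CryptoAPI run the full chain and revocation check with certutil. It assumes it is run as administrator on the VPN server, that the server certificate is in the local machine Personal store, and that its subject contains the host name in $HostName (the OP's name is used as a placeholder).

```powershell
# Added troubleshooting script (not from the original post or answer).
# Assumptions: run as administrator on the VPN server; the server certificate sits in
# Cert:\LocalMachine\My and its subject contains $HostName.
$HostName = 'dcom-dc01.dcomproductions.com'   # assumption: the OP's server name

# 1. Locate the newest server certificate and identify the CA that issued it.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "*$HostName*" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate for $HostName in Cert:\LocalMachine\My" }

$issuerCn = (($cert.Issuer -split ',')[0] -replace '^\s*CN=', '').Trim()
"Certificate : $($cert.Subject)  thumbprint $($cert.Thumbprint)"
"Issued by   : $issuerCn  (clients fetch this CA's CRL, not a CRL named after the server)"

# A certificate used by IIS and by the VPN listener needs the Server Authentication EKU.
$eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
$hasServerAuth = $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' })
"Server Auth EKU present: $([bool]$hasServerAuth)"

# 2. Read the CDP extension (OID 2.5.29.31). Format($true) renders one 'URL=...' line per
#    distribution point; these URLs were baked into the certificate when it was issued.
$cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
if (-not $cdp) { throw "Certificate carries no CDP extension, so revocation checking cannot succeed" }
$cdpUrls = [regex]::Matches($cdp.Format($true), 'URL=([^\r\n]+)') |
    ForEach-Object { $_.Groups[1].Value.Trim() }
$cdpUrls | ForEach-Object { "CDP         : $_" }

# 3. Fetch each http:// CDP the way a remote client does. A malformed CDP template such as
#    CertEnroll/<CaName>/<CRLNameSuffix>/... or a closed port 80 shows up here as a failure.
$results = foreach ($url in ($cdpUrls | Where-Object { $_ -like 'http://*' })) {
    $u    = [uri]$url
    $port = if ($u.IsDefaultPort) { 80 } else { $u.Port }
    $tcp  = Test-NetConnection -ComputerName $u.Host -Port $port -InformationLevel Quiet -WarningAction SilentlyContinue
    $file = Join-Path $env:TEMP ([IO.Path]::GetFileName($u.LocalPath))
    $status = 'OK'; $issuerMatch = $false
    try {
        # Non-2xx responses (e.g. 404 for a missing CRL file) throw here.
        Invoke-WebRequest -Uri $url -OutFile $file -UseBasicParsing -ErrorAction Stop
        # certutil -dump prints the CRL's Issuer block; it must name the CA found above.
        $dump = (certutil -dump $file) -join "`n"
        $issuerMatch = $dump -match "Issuer:[\s\S]*?CN=$([regex]::Escape($issuerCn))"
        if (-not $issuerMatch) { $status = 'WRONG ISSUER' }
    } catch {
        $status = "FETCH FAILED: $($_.Exception.Message)"
    }
    [pscustomobject]@{ Url = $url; Port80Open = $tcp; Status = $status; IssuerMatches = $issuerMatch }
}
$results | Format-Table -AutoSize

# 4. Let CryptoAPI build the chain and check revocation exactly as the VPN client does.
#    'Revocation check passed' means the client no longer needs the registry override;
#    0x80092013 (CRYPT_E_REVOCATION_OFFLINE) means no CDP could be reached.
$cer = Join-Path $env:TEMP "$HostName.cer"
[IO.File]::WriteAllBytes($cer, $cert.Export([Security.Cryptography.X509Certificates.X509ContentType]::Cert))
certutil -verify -urlfetch $cer | Select-String -Pattern 'revocation|CRYPT_E_|error'
```

If step 3 reports a fetch failure, correct the HTTP CDP entry on the CA (Certification Authority console, CA Properties, Extensions tab) and run `certutil -CRL` on the CA to publish a fresh CRL to every configured location. Because the CDP URLs are embedded in each certificate at issuance, already-issued certificates keep pointing at the broken URL, which is why the server certificate must be reissued after the template is fixed.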