Posted Tue, Dec 01, 2009 9:38 PM by MadHatter

By default, an issuing enterprise CA publishes its certificate revocation list (CRL) to locations within the forest. When you are using Internet-based client management with Configuration Manager, there are scenarios where you might need to publish the CRL on a separate server, outside the forest. These scenarios include the following:

• Your Internet-based site systems are in the DMZ but the issuing CA for the client computers is in a separate forest in the intranet. These Internet-based site systems will not be able to access the CRL for clients connecting over the Internet.
• Your Internet-based site systems are in the DMZ but the issuing CA for these servers is in a separate forest in the intranet. When clients connect from the Internet and they are configured for CRL checking, they will not be able to access the CRL for the server certificates on the Internet-based site systems.

In these Internet scenarios, it makes sense to publish a CRL that can be accessed over HTTP with an Internet FQDN. If you already have a Web server in the DMZ that is configured for HTTP, it makes an ideal candidate because you just need to add an additional virtual directory; there is no need to add a host entry to your public DNS, or to install and harden a new server to run IIS. However, think twice about using a server that runs Internet-based site system roles because (with the exception of the fallback status point) these roles use HTTPS to help secure the server from unauthenticated access. Certificate revocation lists cannot be retrieved over HTTPS, so adding HTTP access to one of your Internet-based site system servers would greatly increase the risk of an attacker connecting to that server.
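As an added example (these are not the article's own steps), the PowerShell below adds an HTTP CDP location on a DMZ web server to the issuing CA and then verifies that the CRL is reachable there. It assumes the CA name "Contoso Issuing CA", the virtual directory http://crl.contoso.com/CertEnroll/ on a plain HTTP web server that is not an Internet-based site system, a scheduled copy job that moves the .crl files from the CA's CertEnroll folder to the DMZ, and the ADCSAdministration cmdlets of Windows Server 2012 or later.

```powershell
# Added example, not from the original article. Assumed names: CA "Contoso Issuing CA",
# DMZ virtual directory http://crl.contoso.com/CertEnroll/, and a copy job that
# pushes .crl files from the CA to the DMZ (the CA has no write access to the DMZ).
Import-Module ADCSAdministration

# %3 = CA name, %8 = CRL name suffix (key renewals), %9 = "+" for delta CRLs
$HttpCdpUri = 'http://crl.contoso.com/CertEnroll/%3%8%9.crl'

# Refuse an HTTPS location up front: clients cannot fetch CRLs over HTTPS, so such
# a CDP would silently break revocation checking for Internet clients.
if ($HttpCdpUri -notmatch '^http://') { throw "CDP URI must use plain HTTP: $HttpCdpUri" }

# Only -AddToCertificateCdp: the URL is written into issued certificates, but the
# CA does not try to publish to it (the copy job does that). Idempotent on re-run.
if (-not (Get-CACrlDistributionPoint | Where-Object Uri -eq $HttpCdpUri)) {
    Add-CACrlDistributionPoint -Uri $HttpCdpUri -AddToCertificateCdp -Force
    Restart-Service CertSvc      # CDP changes apply to certificates issued after restart
}

# On the DMZ IIS server (separate step, shown for completeness): delta CRL file
# names contain '+', which request filtering rejects unless double escaping is on.
# Set-WebConfigurationProperty -Filter /system.webServer/security/requestFiltering `
#     -Name allowDoubleEscaping -Value $true -PSPath 'IIS:\Sites\Default Web Site\CertEnroll'

# Verify from a machine outside the forest: fetch the CRL over HTTP, confirm it
# parses, then let certutil build the chain with URL fetching enabled.
$crlUrl = 'http://crl.contoso.com/CertEnroll/Contoso Issuing CA.crl'
$tmp    = Join-Path $env:TEMP 'issuing.crl'
Invoke-WebRequest -Uri ([uri]::EscapeUriString($crlUrl)) -OutFile $tmp -UseBasicParsing
certutil -dump $tmp | Select-String 'Next Update'   # the CRL validity window

# client.cer is an assumed certificate issued by this CA; a non-zero exit code
# means the chain or the revocation check failed and the output should be inspected.
certutil -verify -urlfetch '.\client.cer'
if ($LASTEXITCODE -ne 0) { Write-Warning 'Chain or revocation check failed via the HTTP CDP.' }
```

Run the CA section on the issuing CA as a CA administrator and the verification section from a host that has no route into the intranet, so the test reflects what an Internet client actually sees.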
