PrepAway - Latest Free Exam Questions & Answers

Which two actions should you perform?

Your network contains an Active Directory domain named contoso.com.
The domain contains a server named Server1 that runs Windows Server 2012 R2.
Server1 has an enterprise root certification authority (CA) for contoso.com.
You deploy another member server named Server2 that runs Windows Server 2012 R2 and has
the Web Server (IIS) server role installed.
You need to designate a website on Server1 as the certificate revocation list (CRL) distribution point
for the CA. The solution must ensure that CRLs are published automatically to Server2.
Which two actions should you perform? (Each correct answer presents part of the solution. Choose
two.)


A.
Create an http:// CRL distribution point (CDP) entry.

B.
Configure a CA exit module.

C.
Create a file:// CRL distribution point (CDP) entry

D.
Configure an enrollment agent.

E.
Configure a CA policy module.

Explanation:
A: To specify CRL distribution points in issued certificates, open the Certification Authority snap-in.
In the console tree, click the name of the CA.
On the Action menu, click Properties, and then click the Extensions tab. Confirm that Select extension is set to CRL Distribution Point (CDP).
Do one or more of the following. (The list of CRL distribution points is in the Specify locations from which users can obtain a certificate revocation list (CRL) box.) To indicate that you want to use a URL as a CRL distribution point, click the CRL distribution point, select the Include in the CDP extension of issued certificates check box, and then click OK.
Click Yes to stop and restart Active Directory Certificate Services (AD CS).
E: You can specify CRL Distribution Points (CDPs) in CAPolicy.inf. Note that any CDP in CAPolicy.inf will take precedence for certificate verifiers over the CDPs specified in the CA policy module.
Note:
CRLDistributionPoint
You can specify CRL Distribution Points (CDPs) for a root CA certificate in the CAPolicy.inf. This
section does not configure the CDP for the CA itself. After the CA has been installed you can
configure the CDP URLs that the CA will include in each certificate that it issues. The URLs
specified in this section of the CAPolicy.inf file are included in the root CA certificate itself.
Example:
[CRLDistributionPoint]
URL=http://pki.wingtiptoys.com/cdp/WingtipToysRootCA.crl

9 Comments on “Which two actions should you perform?”

  1. KungFury says:

    A and C

    To automatically publish the CRL on a separate server

    Ensure that a trust relationship exists such that the Web Server trusts the CA Server.
    On the Web server computer, create a new local folder to contain the CRL files (for example, C:\CRL).
    Configure the folder with the following:
    Share the folder, for example, with the share name of CRL.
    Specify the share permissions of Read and Change to the CA server computer account.
    Specify NTFS permissions of Read and Write to the CA server computer account.
    On the CA server, load Certification Authority, right-click your CA, select Properties, and then click the Extensions tab.
    Ensure that CRL Distribution Point (CDP) is selected, and then click Add.
    In the Add Location dialog box, type the following and then click OK: file://\\\\.crl For example, if your Web server was called server2 and the folder share name you created for the CRL was called CRL, you would type file://\\server2\CRL\.crl
    Ensure that only the following options are selected for this new entry:
    Publish CRLs to this location
    Publish Delta CRLs to this location
    If you are prompted to restart Active Directory Certificate Services, click Yes.
    After the computer has restarted, load Certification Authority, expand your CA, right-click Revoked Certificates, click All Tasks, and then click Publish.
    On the Publish CRL popup dialog box, ensure that New CRL is selected, and then click OK. If you do not see an error, check the folder on the Web server and confirm that it now contains one or more files with .crl extensions. If you do see an error, it is likely that there is a syntax error or permissions error that must be corrected before the CRL can be published to the separate Web server.

    To specify the separate Web server as a CDP

    On the CA server, load Certification Authority, right-click your CA, select Properties, and then click the Extensions tab.
    Ensure that CRL Distribution Point (CDP) is selected, and then click Add.
    In the Add Location dialog box, type the following and then click OK: http://<FQDN_of_Web_Server//.crl For example, if your Web server was called server2.contoso.com and the virtual directory you created in IIS was called CRL, you would type http:// server2.contoso.com/crl/.crl
    Ensure that the following options are selected for this new entry:
    Include in CRLs. Clients use this to find Delta CRL locations.
    Include in the CDP extension of issued certificates
    Click OK. If you are prompted to restart Active Directory Certificate Services, click Yes.




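The two-entry layout KungFury walks through above (a file:// location the CA publishes to on Server2, plus an http:// location that clients read), as an added PowerShell example that is not part of the original post or of Microsoft's documentation. It uses the ADCSAdministration cmdlets on the CA; the CA name, the CRL share on server2 and the IIS virtual directory /crl are assumptions.

```powershell
# Added example; not from the page. Run on the CA (Server1) as a CA administrator.
# Assumptions: CA name 'contoso-Server1-CA', share \\server2\CRL, and an IIS
# virtual directory http://server2.contoso.com/crl that maps to that folder.
Import-Module ADCSAdministration

$caName  = 'contoso-Server1-CA'      # assumed
$share   = '\\server2\CRL'           # assumed; Server1$ needs Change (share) + Modify (NTFS)
$webHost = 'server2.contoso.com'     # assumed

# AD CS replacement tokens: %3 = CA name, %8 = CRL name suffix, %9 = delta CRL marker
$fileUri = "file://$share\%3%8%9.crl"
$httpUri = "http://$webHost/crl/%3%8%9.crl"

# Entry 1 (file://): publish target only. It is deliberately NOT added to the
# CDP extension: clients cannot use a UNC path, and it would expose the share.
Add-CACrlDistributionPoint -Uri $fileUri -PublishToServer -PublishDeltaToServer -Force

# Entry 2 (http://): the URL written into issued certificates (CDP extension)
# and into base CRLs (Freshest CRL extension, so clients can locate delta CRLs).
Add-CACrlDistributionPoint -Uri $httpUri -AddToCertificateCdp -AddToFreshestCrl -Force

# Extension changes take effect only after the service restarts.
Restart-Service -Name CertSvc

# Force a new base CRL and confirm it reached the share on Server2.
certutil -CRL
Get-ChildItem -Path $share -Filter '*.crl'

# Verify the client-facing path: fetch over HTTP and dump the CRL contents.
# Delta CRLs are named '<CA name>+.crl'; on Server2, IIS request filtering must
# allow double escaping or the '+' in that name is rejected with HTTP 404.
$tmp = Join-Path $env:TEMP 'check.crl'
Invoke-WebRequest -Uri "http://$webHost/crl/$caName.crl" -OutFile $tmp -UseBasicParsing
certutil -dump $tmp

# Review the final CDP list: the http entry should be the only one flagged for
# certificates, and the file entry the only one flagged for publishing.
Get-CACrlDistributionPoint | Format-List
```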
  2. Manuel says:

    I disagree with all of you and I agree with the proposed solution. A is correct, because the question asks for publishing the CRL to a Web Server. The procedures mentioned by KungFury are not mandatory, you can publish to file:// or to http://, I think it is not necessary to share the folder to use the HTTP CRL CDP.




    1. BitterSysAdmin says:

      You know, I should start a social experiment on this website. I'll post up a bunch of questions and choose the most blatantly obvious wrong answers and see how much I can convince people they are right just by highlighting them in green and providing some bullshit explanation.




      1. kosh says:

        I think a lot of people should really try to find their own answers for each question. Used this site for 3 exams so far and see wrong answers at around 25%, and I am no expert. Don’t get me wrong, it’s great having these questions and you can learn a lot by trying to find your own answers, but don’t believe everything that’s green. Also, if I was, let's say, a Microsoft employee in charge of exams, I would be posting wrong answers here 🙂




  3. JeanMalot says:

    https://blogs.technet.microsoft.com/askds/2009/10/15/windows-server-2008-r2-capolicy-inf-syntax/

    CRLDistributionPoint
    You can specify CRL Distribution Points (CDPs) for a root CA certificate in the CAPolicy.inf. This section does not configure the CDP for the CA itself. After the CA has been installed you can configure the CDP URLs that the CA will include in each certificate that it issues. The URLs specified in this section of the CAPolicy.inf file are included in the root CA certificate itself.

    [CRLDistributionPoint]
    URL=http://pki.wingtiptoys.com/cdp/WingtipToysRootCA.crl

    So first you create the http:// CDP and then create a policy so the distribution point is included in issued certificates.
    A+E

    publishing the file is not a requirement, you can just enable LDAP and https:// ad distribution points




    1. MalotJean says:

      Sorry, I had a chance to test this in my lab and I now agree that the correct answer is A + C.

      CRL must indeed be configured first on File:// on a shared folder on Server2 before enabling the http:// location. No need for the policy module as CDP inclusion in issued certificates can be configured from the extensions page of the CA. The Technet article linked in the first reply explains it perfectly.




