Just in case you missed it, Carol Bailey has another fantastic post over on the System Center Configuration Manager Team blog, where she discusses publishing the CRL on a separate web server. It’s definitely worth a read; her intro and a link are below:
By default, an issuing enterprise CA publishes its certificate revocation list (CRL) to locations within the forest. When you are using Internet-based client management with Configuration Manager, there are scenarios where you might need to publish the CRL on a separate server, outside the forest. These scenarios include the following:
- Your Internet-based site systems are in the DMZ but the issuing CA for the client computers is in a separate forest in the intranet. These Internet-based site systems will not be able to access the CRL for clients connecting over the Internet.
- Your Internet-based site systems are in the DMZ but the issuing CA for these servers is in a separate forest in the intranet. When clients connect from the Internet and they are configured for CRL checking, they will not be able to access the CRL for the server certificates on the Internet-based site systems.
To continue reading, see How to Publish the CRL on a Separate Web Server.
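As an added check (not from Carol Bailey's article or this post), the script below is what you would run on an Internet-based site system in the DMZ, or on an Internet client, to confirm that every CRL distribution point in a certificate is actually reachable from that network position and that chain building with online revocation checking succeeds. It assumes the certificate is in the local machine store and is selected by a thumbprint you pass in.

```powershell
# Added example: verify CRL reachability from the DMZ / Internet side.
# Assumes the certificate (client or server auth) is in LocalMachine\My
# and is identified by the thumbprint passed as a parameter.
param(
    [Parameter(Mandatory)] [string] $Thumbprint
)

$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object Thumbprint -eq $Thumbprint
if (-not $cert) { throw "Certificate $Thumbprint not found in LocalMachine\My" }

# 1. Pull the CDP URLs out of the CRL Distribution Points extension (OID 2.5.29.31).
$cdpExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
if (-not $cdpExt) { throw "Certificate has no CRL Distribution Points extension" }
$urls = [regex]::Matches($cdpExt.Format($true), 'URL=(\S+)') |
    ForEach-Object { $_.Groups[1].Value }

# 2. Fetch each HTTP CDP the way a client would. LDAP CDPs only work inside
#    the forest, so flag them rather than test them.
foreach ($url in $urls) {
    if ($url -like 'ldap://*') {
        Write-Warning "$url is an LDAP CDP; not reachable from outside the forest"
        continue
    }
    try {
        $r = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 10
        Write-Output ("REACHABLE   {0}  ({1} bytes)" -f $url, $r.RawContentLength)
    } catch {
        Write-Output ("UNREACHABLE {0}  {1}" -f $url, $_.Exception.Message)
    }
}

# 3. Build the chain with online revocation checking for the whole chain,
#    which is what a CRL-checking client does, and report any non-NoError status.
$chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
$chain.ChainPolicy.RevocationMode = 'Online'
$chain.ChainPolicy.RevocationFlag = 'EntireChain'
$chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(15)
$ok = $chain.Build($cert)
Write-Output ("Chain build succeeded: {0}" -f $ok)
foreach ($s in $chain.ChainStatus) {
    Write-Output ("  {0}: {1}" -f $s.Status, $s.StatusInformation.Trim())
}
```

A RevocationStatusUnknown or OfflineRevocation status in step 3, with an UNREACHABLE line in step 2, is the symptom of the two scenarios described above.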
J.C. Hornbeck | Manageability Knowledge Engineer