Part 1 – Get your Certificate Authority CRL Ready
If you are not doing this already, you need to publish your CRL so that it can be hit by everyone (internally and externally to your organisation). I'll detail the steps to publish this onto an internal web server that you already have, then use Azure App Proxy to publish the endpoint on the internet.
- Build a new Web Server (Install the Web Server role) or use one you already have
On the web server, Create a new virtual directory in the Default Web Site
- Alias: CRL
- Physical Path: C:\inetpub\wwwroot\CRL
In explorer, go to C:\intepub\wwwroot\crl and share the folder and assign permissions. We need to give the Certificate Authority computer account permissions to dump the CRL in here automatically.
- Share Permissions: Read and Change to the CA server computer account.
NTFS Permissions: Read and Write to the CA server computer account.
- Now on your CA server, Open up the certification authority mmc, go to Certification Authority, right-click your CA, select Properties, and then click the Extensions tab.
- Ensure that CRL Distribution Point (CDP) is selected, and then click Add.
Type the following and then click OK:
(just replace the <servername> and <share> bits with your own and leave the rest as variables)
Ensure that only the following options are selected for this new entry:
- Publish CRLs to this location
- Publish Delta CRLs to this location
- Publish CRLs to this location
- If you are prompted to restart Active Directory Certificate Services, click Yes.
- After the service has restarted, right-click Revoked Certificates node, click All Tasks, and then click Publish, New CRL.
Upon success, you should see the CRLs published to the share you setup on your web server
On your CA Server, return to the Certificate Services MMC, Properties, Extensions Tab and add a http endpoint:
(replace FQDN_of_Web_Server and CRL_directory_name with your own)
IMPORTANT: Since we are going to publish the CRL externally from your organisation, Make sure this CRL is an externally reachable one.
- Select Include in CRLs. Clients use this to find Delta CRL locations
- Select Include in the CDP extension of issues certificates
13. Repeat the last step to make sure the Delta CRL is also published. It's the same with a "+" on the end. (http://<webservername>/crl/CAname+.crl)
If you get the error page:
"HTTP Error 404.11 - Not Found" - The request filtering module is configured to deny a request that contains a double escape sequence"
Go into the IIS request filtering settings for the directory and enable "Allow Double escaping"
14. Now we need to make sure that devices on the internet can reach my internally hosted CRL. I'm going to use Azure Application Proxy to do this.
First, login to the azure portal (manage.microsoft.com), go to your directory and select "create a new application"
Choose "Publish an application that will be accessible from outside your network"
15. Select the configure tab
16. Configure the External URL to match what you specified earlier when configuring the CA (Make sure you change to HTTP instead of HTTPS)
17. Because I'm choosing to use my labs custom domain name here "duffnethybrid.xyz" I also need to do a small amount of work on my public DNS. So I need to log into my public DNS provider and create a CNAME record to point to crl-duffnethybrid.msappproxy.net
18. From the Azure portal, click Download the connector and walk through the installation Wizard (You will need to supply your Azure credentials during the installation)
19. Now test that you can access you're the URL for the CRL (and Delta CRL) from a device directly connected to the internet.
20. If all of that worked, head to Part 2 to configure Azure AD as a Certification Authority.
Having an accessible CRL is super important for this to scenario to work so you need to get it right. I covered just enough to make this scenario work -For more in-depth CRL setup notes use this post.
The one trick I found invaluable when testing CRL's is the Certutil commands:
Certutil -verify -urlfetch <certificatename.cer> (Test that the CRL in a certificate is accessible. You should run this from ADFS, WAP and Internet connected clients)
Certutil -urlcache (Show the CRL cache)
Certutil - urlcache * Delete (Clear the CRL cache)