Certificate Authority CRLs

DZ

Hello all,

I've set up a CA in my domain with an offline root (W2K
Advanced Server) and an online subordinate CA (W2K
Server) for issuing e-mail and VPN certs. I've created a
CRL path in the certs that points back to a URL that is
accessible to the outside world. This is so that when someone
receives an e-mail from my domain, the cert should go back
and check to see if it's valid.

The problem appears to be that no matter what I do or
try, the certificate does not actually go and check the
URL, and thus the CRL, to see if it's been revoked or
not. This creates a problem in the event I revoke a cert -
the receiving end will still see a valid cert if it
isn't checked. How do you get the CRL to work properly?
All ideas are welcome before I pull what's left of my
hair out...
 
Miha Pihler

Hi,

there are a few things to consider:
- CRL checking depends on the client (the e-mail client in this case). In Office
2000 it is off by default; in later versions of Office it is turned on.
- CRLs have a lifetime (e.g. 1 week).
- CRLs are cached by clients, and there is no supported way to flush a CRL
within its lifetime.
- If the client has a valid cached CRL and you download a newly signed e-mail, it will
be checked against the cached CRL.
- Make sure that the client that reads your e-mail trusts your CA servers (all
of them)...
- Certificates are not meant for instant revocation; everything else
depends on your setup (CRL lifetime, CRL publication interval, e-mail
client, etc...).

If you would like to have proper test results, perform the tests on a PC that is
not part of, and does not trust, your domain. Check that your mail client is
set to check against the CRL, etc...

I hope this helps you in any way,

Mike
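To make the points in this reply concrete (the CRL distribution point in the cert, the CRL's lifetime, and the fact that a relying party only sees a revocation if it actually performs the CRL check), here is an added demo script that is not part of this thread. It builds a throwaway root CA with OpenSSL, issues a leaf certificate carrying a CRL distribution point, revokes it, publishes a CRL, and then verifies the leaf twice: once without CRL checking (still "OK", which is exactly the symptom described in the question) and once with CRL checking ("certificate revoked"). The CA name, the CDP URL `http://pki.example.invalid/root.crl` and the leaf subject are constructed for the demo; the config file is a minimal one written inline.

```shell
#!/bin/sh
# Added demo (not from the thread): root CA -> leaf with CDP -> revoke -> CRL,
# then verify with and without CRL checking. All names/URLs are constructed.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"
mkdir newcerts
: > index.txt         # openssl ca database, starts empty
echo 01 > serial      # next certificate serial number
echo 01 > crlnumber   # next CRL number

# Minimal config covering both `openssl req` and `openssl ca` (constructed).
# default_crl_days is the CRL lifetime: clients cache the CRL until nextUpdate.
cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = req_dn
prompt             = no
x509_extensions    = root_ext

[ req_dn ]
CN = Demo Offline Root

[ root_ext ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign

[ ca ]
default_ca = demo_ca

[ demo_ca ]
dir              = .
database         = $dir/index.txt
new_certs_dir    = $dir/newcerts
serial           = $dir/serial
crlnumber        = $dir/crlnumber
certificate      = $dir/root.crt
private_key      = $dir/root.key
default_md       = sha256
default_days     = 365
default_crl_days = 7
policy           = demo_policy
x509_extensions  = leaf_ext

[ demo_policy ]
commonName = supplied

[ leaf_ext ]
basicConstraints      = CA:FALSE
keyUsage              = digitalSignature
extendedKeyUsage      = emailProtection
crlDistributionPoints = URI:http://pki.example.invalid/root.crl
EOF

# 1. Self-signed root (stand-in for the offline root CA).
openssl req -x509 -new -newkey rsa:2048 -nodes -days 365 \
  -config ca.cnf -keyout root.key -out root.crt 2>/dev/null

# 2. Leaf key + CSR, signed by the root; leaf_ext adds the CDP extension.
openssl req -new -newkey rsa:2048 -nodes -config ca.cnf \
  -subj "/CN=user@mail.example.invalid" \
  -keyout leaf.key -out leaf.csr 2>/dev/null
openssl ca -batch -notext -config ca.cnf -in leaf.csr -out leaf.crt 2>/dev/null

# 3. Revoke the leaf and publish a CRL that lists it.
openssl ca -config ca.cnf -revoke leaf.crt -crl_reason keyCompromise 2>/dev/null
openssl ca -config ca.cnf -gencrl -out root.crl 2>/dev/null

# Print the CRL distribution point URL embedded in the leaf certificate.
leaf_cdp() {
  openssl x509 -in leaf.crt -noout -text | sed -n 's/.*URI:\([^ ]*\).*/\1/p' | head -n 1
}

# Print the CRL validity window; a relying party caches the CRL until
# nextUpdate, so a new revocation is not seen until that cached copy expires.
crl_window() {
  openssl crl -in root.crl -noout -lastupdate -nextupdate
}

# Verify the leaf. $1 is "no-crl" (what a client with CRL checking switched
# off effectively does) or "with-crl". Prints OK, REVOKED or ERROR.
check_leaf() {
  if [ "$1" = "with-crl" ]; then
    out="$(openssl verify -crl_check -CAfile root.crt -CRLfile root.crl leaf.crt 2>&1)" \
      && { echo OK; return 0; }
    case "$out" in
      *"certificate revoked"*) echo REVOKED ;;
      *) echo ERROR ;;
    esac
  else
    if openssl verify -CAfile root.crt leaf.crt >/dev/null 2>&1; then echo OK; else echo ERROR; fi
  fi
}

echo "CDP in leaf cert:  $(leaf_cdp)"
crl_window
echo "Without CRL check: $(check_leaf no-crl)"
echo "With CRL check:    $(check_leaf with-crl)"
```

The revoked certificate chains fine in the first verification because nothing ever fetched the CRL; only the second run, which actually consults the CRL, reports it as revoked. That is the behaviour to test for on the receiving client: whether it checks at all, and which (possibly cached) CRL it checks against.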

Miha Pihler

Seeker01 asked:
Hi DZ,
Can Enterprise CA Server be configured as "offline root"?

No. It needs access to AD etc...

If it helps you, you can set up a Standalone Root CA that can be offline. Then
you can set up a subordinate Enterprise CA that is signed by your offline Root
CA.

Mike