Certificate Authority CRL's

dz
Jul 8, 2004
Archived from groups: microsoft.public.win2000.security

Hello all,

I've set up a CA in my domain with an offline root (W2K
Advanced Server) and an online subordinate CA (W2K
Server) for issuing Email and VPN certs. I've created a
CRL path in the certs that points back to a URL that is
accessible to the outside world. This is so when someone
receives an email from my domain the cert should go back
and check to see if it's valid.

The problem appears to be that no matter what I do or
try, the certificate does not actually go and check the
URL, and thus the CRL, to see if it's been revoked or
not. This creates a problem in the event I revoke a cert -
the receiving end will still see a valid cert if it
isn't checked. How do you get the CRL to work properly?
All ideas are welcome before I pull what's left of my
hair out...
 
Guest

Hi,

there are a few things to consider:
- CRL checking depends on the client (the e-mail client in this case). In Office
2000 it is off by default, and in later versions of Office it is turned on
- CRLs have a lifetime (e.g. 1 week)
- CRLs are cached by clients and there is no supported way to flush this CRL
within its lifetime
- If the client has a valid cached CRL and you download a new signed e-mail, it will
be checked against the cached CRL
- Make sure that the client that reads your e-mail trusts your CA servers (all
of them)...
- Certificates are not meant for instant revocation; everything else
depends on your setup (CRL lifetime, CRL publication interval, e-mail
client, etc...)

If you would like to have proper test results, perform tests on a PC that is
not part of your domain and does not trust your domain. Check that your mail client
is set to check against the CRL, etc...

I hope this helps you in any way,

Mike

"DZ" <anonymous@discussions.microsoft.com> wrote in message
news:28fc301c464f7$f40dc7a0$a501280a@phx.gbl...
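A recipient-side diagnostic that separates the failure modes Mike lists (no trust in the CA, CRL not reachable, CRL fetched but cached, cert actually revoked). It is added here and is not code from the thread; it assumes a modern Windows PowerShell rather than the 2004-era tooling, and an exported certificate file passed as -CertPath.

```powershell
# Added diagnostic, not code from the thread. Run on a machine that represents
# the *recipient* (ideally one outside the CA's domain), against an exported .cer.
param([Parameter(Mandatory = $true)][string]$CertPath)

$x509 = 'System.Security.Cryptography.X509Certificates'
$cert = New-Object "$x509.X509Certificate2" -ArgumentList $CertPath
Write-Host "Subject: $($cert.Subject)  Serial: $($cert.SerialNumber)"

# 1. Does the certificate carry a CRL Distribution Point (OID 2.5.29.31), and are
#    its HTTP URLs reachable from here? LDAP CDPs only work for domain members.
$cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
if (-not $cdp) {
    Write-Warning 'No CRL Distribution Point extension: a client has nowhere to fetch a CRL from.'
} else {
    $urls = [regex]::Matches($cdp.Format($true), 'URL=(\S+)') | ForEach-Object { $_.Groups[1].Value }
    foreach ($u in $urls) {
        if ($u -notlike 'http*') { Write-Host "CDP $u (skipped, not HTTP)"; continue }
        try {
            $r = Invoke-WebRequest -Uri $u -UseBasicParsing -TimeoutSec 10
            Write-Host ("CDP {0}: HTTP {1}, {2} bytes" -f $u, $r.StatusCode, $r.Content.Length)
        } catch {
            Write-Warning "CDP $u unreachable: $($_.Exception.Message)"
        }
    }
}

# 2. Force an online revocation check through the Windows chain engine. CryptoAPI
#    keeps its own CRL cache: a CRL fetched earlier is reused until its NextUpdate
#    passes (on later Windows, 'certutil -urlcache * delete' clears that cache).
$chain = New-Object "$x509.X509Chain"
$chain.ChainPolicy.RevocationMode = 'Online'
$chain.ChainPolicy.RevocationFlag = 'EntireChain'
$chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(15)
$valid = $chain.Build($cert)
$flags = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })
foreach ($s in $chain.ChainStatus) { Write-Host ("  {0}: {1}" -f $s.Status, $s.StatusInformation.Trim()) }

# 3. Map the chain status onto the causes discussed in the thread.
if ($flags -contains 'UntrustedRoot' -or $flags -contains 'PartialChain') {
    Write-Warning 'This machine does not trust the issuing chain; install the root and sub CA certificates first.'
} elseif ($flags -contains 'RevocationStatusUnknown' -or $flags -contains 'OfflineRevocation') {
    Write-Warning 'The CRL could not be retrieved or verified; check the CDP URL and the published CRL lifetime.'
} elseif ($flags -contains 'Revoked') {
    Write-Host 'Certificate is REVOKED: the CRL was fetched and honoured.'
} elseif ($valid) {
    Write-Host 'Certificate is valid and an online CRL check succeeded.'
}
```

If the second step reports a valid certificate that you know you have revoked, a cached CRL is still inside its lifetime; the status will only change once NextUpdate passes or the cache is cleared.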
 
Guest

Hi DZ,

Can Enterprise CA Server be configured as "offline root"?

Seeker01

 
Guest

> Hi DZ,
>
> Can Enterprise CA Server be configured as "offline root"?
>
> Seeker01
No. It needs access to AD etc...

If it helps you, you can set up a Standalone Root CA that can be offline. Then
you can set up a subordinate Enterprise CA that is signed by your offline Root
CA.

Mike
 
Guest

Either of these guides can help you get started and configure a PKI
hierarchy:

Best Practices:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws3pkibp.mspx

Microsoft Systems Architecture:
http://www.microsoft.com/resources/documentation/msa/2/all/solution/en-us/msa20rak/vmhtm122.mspx

--
David B. Cross [MS]

"Miha Pihler" <mihap-news@atlantis.si> wrote in message
news:O%23UCY%23hmEHA.2552@TK2MSFTNGP11.phx.gbl...