Certificate Authority CRL's

Archived from groups: microsoft.public.win2000.security (More info?)

Hello all,

I've setup a CA in my domain with an offline root (W2K
Advanced server) and an online subordinate CA (W2K
server) for issuing Email and VPN certs. I've created a
CRL path in the certs that points back to a URL that is
accessible to the outside world. This is so when someone
receives an email from my domain the cert should go back
and check to see if it's valid.

The problem appears to be that no matter what I do or
try, the certificate does not actually go and check the
URL, and thus the CRL, to see if it's been revoked or
not. This creates a problem in the event I revoke a cert -
the receiving end will still see a valid cert if it
isn't checked. How do you get the CRL to work properly?
All ideas are welcome before I pull what's left of my
hair out...
  1.

    Hi,

    there are a few things to consider:
    - CRL checking depends on the client (the e-mail client in this case). In Office
    2000 it is off by default, and in later versions of Office it is turned on
    - CRLs have a lifetime (e.g. 1 week)
    - CRLs are cached by clients, and there is no supported way to flush this CRL
    within its lifetime
    - If the client has a valid cached CRL and you download a new signed e-mail, it will
    be checked against the cached CRL
    - Make sure that the client that reads your e-mail trusts your CA servers (all
    of them)...
    - Certificates are not meant for instant revocation; everything else
    depends on your setup (CRL lifetime, CRL publication interval, e-mail
    client, etc...)

    If you would like proper test results, perform the tests on a PC that is
    not part of your domain and does not trust your domain. Check that your mail client
    is set to check against the CRL, etc...

    I hope this helps you in any way,

    Mike

    "DZ" <anonymous@discussions.microsoft.com> wrote in message
    news:28fc301c464f7$f40dc7a0$a501280a@phx.gbl...
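The cache-and-lifetime behaviour Mike describes, as an added example that is not part of the thread: an in-memory model of a CRL Distribution Point URL and an e-mail client that keeps its cached CRL until nextUpdate, so a revocation published on day 1 is not seen until the week-long CRL expires (the serial number, dates and one-week lifetime are constructed values).

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class CRL:
    this_update: datetime
    next_update: datetime   # end of the CRL's lifetime; clients trust the cache until then
    revoked: frozenset      # serial numbers of revoked certificates

class CdpServer:
    """Stands in for the CRL Distribution Point URL; always serves the latest CRL."""
    def __init__(self, lifetime: timedelta):
        self.lifetime = lifetime
        self.revoked = set()
        self.current = None

    def publish(self, now: datetime) -> None:
        self.current = CRL(now, now + self.lifetime, frozenset(self.revoked))

    def revoke(self, serial: int, now: datetime) -> None:
        self.revoked.add(serial)
        self.publish(now)   # the new CRL is on the server at once, but clients may not ask

class MailClient:
    def __init__(self, server: CdpServer, crl_checking: bool):
        self.server = server
        self.crl_checking = crl_checking   # off by default in older clients, per the thread
        self.cached = None

    def is_revoked(self, serial: int, now: datetime) -> bool:
        if not self.crl_checking:
            return False   # the CDP URL is never contacted at all
        # A cached CRL is used until its nextUpdate passes, even though a newer
        # CRL is already published; there is no supported way to flush it early.
        if self.cached is None or now >= self.cached.next_update:
            self.cached = self.server.current
        return serial in self.cached.revoked

def simulate(lifetime_days: int = 7) -> dict:
    """Constructed timeline: issue CRL on day 0, revoke on day 1, re-check later."""
    t0, day, serial = datetime(2004, 7, 1), timedelta(days=1), 0x1234
    server = CdpServer(timedelta(days=lifetime_days))
    server.publish(t0)
    checking, legacy = MailClient(server, True), MailClient(server, False)
    out = {"day0": checking.is_revoked(serial, t0)}        # caches the day-0 CRL
    server.revoke(serial, t0 + day)                         # CA revokes on day 1
    out["day1"] = checking.is_revoked(serial, t0 + day)     # still "valid": stale cache
    out["expired"] = checking.is_revoked(serial, t0 + lifetime_days * day)
    out["legacy"] = legacy.is_revoked(serial, t0 + lifetime_days * day)
    return out
```

The worst-case delay before a relying party sees a revocation is therefore the CRL lifetime, which is why the thread points at CRL lifetime and publication interval rather than at the CA.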
  2.

    Hi DZ,

    Can Enterprise CA Server be configured as "offline root"?

    Seeker01

    "DZ" wrote:
  3.

    > Hi DZ,
    >
    > Can Enterprise CA Server be configured as "offline root"?
    >
    > Seeker01
    No. It needs access to AD etc...

    If it helps you, you can set up a Standalone Root CA that can be offline. Then
    you can set up a subordinate Enterprise CA that is signed by your offline Root
    CA.

    Mike
  4.

    Either of these guides can help you get started and configure a PKI
    hierarchy:

    Best Practices:
    http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws3pkibp.mspx

    Microsoft Systems Architecture:
    http://www.microsoft.com/resources/documentation/msa/2/all/solution/en-us/msa20rak/vmhtm122.mspx

    --
    David B. Cross [MS]

    --
    This posting is provided "AS IS" with no warranties, and confers no rights.

    http://support.microsoft.com

    "Miha Pihler" <mihap-news@atlantis.si> wrote in message
    news:O%23UCY%23hmEHA.2552@TK2MSFTNGP11.phx.gbl...