Smart Card

Guest
Archived from groups: microsoft.public.win2000.security

We have an Enterprise Root CA in place and need to get smart cards working.
The certificates are installing on the cards but when the user tries to log
in we get the error: Revocation function unable to check revocation for the
certificate. I noticed that the revocation was pointing to (ex.
DC.domain.com/certsrv/dc.cer) but the revocation list is located at
dc.domain.com:8080/certsrv/dc.cer. We have a billing system that is running
on this dc (don't ask me why, I hate the idea ;)) that runs on port 80 and
does not allow anything else to use that port. First of all: Could this be
the issue? Secondly: Is there a way to change the port in the cert to 8080?

Thanks!

Curt
 
Guest
Archived from groups: microsoft.public.win2000.security

Hi Curt,

I don't know if that is the issue; however, you can configure the CRL location
in the CA snap-in.
Check the following for details:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws3pkibp.mspx#EHAA

--
Thanks,
Anand Abhyankar [MS]

----
This posting is provided "AS IS" with no warranties, and confers no rights.


"Curt Shaffer" <curt@chilitech.net> wrote in message
news:BD9C244E.C90%curt@chilitech.net...
> We have an Enterprise Root CA in place and need to get smart cards working.
> The certificates are installing on the cards but when the user tries to log
> in we get the error: Revocation function unable to check revocation for the
> certificate. I noticed that the revocation was pointing to (ex.
> DC.domain.com/certsrv/dc.cer) but the revocation list is located at
> dc.domain.com:8080/certsrv/dc.cer. We have a billing system that is running
> on this dc (don't ask me why, I hate the idea ;)) that runs on port 80 and
> does not allow anything else to use that port. First of all: Could this be
> the issue? Secondly: Is there a way to change the port in the cert to 8080?
>
> Thanks!
>
> Curt
>
 
Guest
Archived from groups: microsoft.public.win2000.security

Hi Curt,

The revocation list must be available to the client for smart card logon to
succeed...

You can't change the CRL path on the certificate. The change has to be made
first on the CA server, then you have to issue a new certificate. If you try to
edit the certificate it won't be valid any more, since the digital signature
won't add up any more...

CRLS: http://www.microsoft.com/technet/security/topics/crypto/tshtcrl.mspx

Mike

New features:
http://www.microsoft.com/technet/prodtechnol/winxppro/plan/pkienh.mspx
Operations guide:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws03pkog.mspx
Managing PKI:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/mngpki.mspx
Best Practices:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws3pkibp.mspx
Certificate Autoenrollment in Windows Server 2003
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/autoenro.mspx
Certificate templates -
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws03crtm.mspx
Key archival -
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/kyacws03.mspx
Advanced certificate enrollment:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/advcert.mspx
web enrollment:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/webenroll.mspx
EFS:
http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/cryptfs.mspx
CRLS: http://www.microsoft.com/technet/security/topics/crypto/tshtcrl.mspx

"Curt Shaffer" <curt@chilitech.net> wrote in message
news:BD9C244E.C90%curt@chilitech.net...
> We have an Enterprise Root CA in place and need to get smart cards working.
> The certificates are installing on the cards but when the user tries to log
> in we get the error: Revocation function unable to check revocation for the
> certificate. I noticed that the revocation was pointing to (ex.
> DC.domain.com/certsrv/dc.cer) but the revocation list is located at
> dc.domain.com:8080/certsrv/dc.cer. We have a billing system that is running
> on this dc (don't ask me why, I hate the idea ;)) that runs on port 80 and
> does not allow anything else to use that port. First of all: Could this be
> the issue? Secondly: Is there a way to change the port in the cert to 8080?
>
> Thanks!
>
> Curt
>
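The two replies above make the same two points: the client must be able to fetch the CRL from the URL written into the certificate's CRL Distribution Point (CDP) extension, and that URL cannot be edited on an issued certificate because it sits inside the signed body, so the fix is made on the CA and the certificates are re-issued. The following PowerShell is an added example, not code from any poster or from Microsoft: it reads the CDP URLs out of the logon certificate, probes each HTTP URL so the failing one is visible before touching the CA, and then wraps the certutil commands that change the CA's publication list. Hostnames, the port 8080, the function name Set-CdpPublicationUrl and the file name logon-cert.cer are placeholders or assumptions.

```powershell
# Added example (not from the thread). Inspect the CDP URLs in a smart card
# logon certificate, test whether each HTTP URL can be fetched, and show how
# the CDP is changed at the CA. Placeholder names throughout; substitute your own.

# 1. Locate the logon certificate in the user's personal store (smart card
#    certificates are propagated there when the card is inserted). Filter on
#    the Smart Card Logon EKU, OID 1.3.6.1.4.1.311.20.2.2.
function Get-SmartCardLogonCert {
    Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.4.1.311.20.2.2' } |
        Select-Object -First 1
}

# 2. The CDP extension is OID 2.5.29.31. Format($true) renders it as text with
#    lines such as "URL=http://dc.example.com/certsrv/dc.crl"; collect every URL.
function Get-CdpUrl {
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $cdp = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    if (-not $cdp) { throw 'Certificate carries no CRL Distribution Point extension.' }
    [regex]::Matches($cdp.Format($true), 'URL=(\S+)') | ForEach-Object { $_.Groups[1].Value }
}

# 3. Probe each HTTP(S) CDP with a HEAD request. LDAP CDPs (what domain-joined
#    clients normally use) are listed but not probed. A URL with no explicit
#    port means port 80, which in the thread is owned by another application,
#    so that fetch fails while the same file on :8080 would succeed.
function Test-CdpUrl {
    param([Parameter(Mandatory)][string[]]$Url)
    foreach ($u in $Url) {
        if ($u -notmatch '^https?://') { '{0,-5} {1}' -f 'SKIP', $u; continue }
        try {
            $null = Invoke-WebRequest -Uri $u -Method Head -UseBasicParsing -TimeoutSec 10
            '{0,-5} {1}' -f 'OK', $u
        } catch {
            '{0,-5} {1}  ({2})' -f 'FAIL', $u, $_.Exception.Message
        }
    }
}

# 4. The fix is made on the CA, not on the certificate. CRLPublicationURLs is a
#    list of "<flags>:<path or URL>" entries separated by a literal \n.
#    Flags used here: 1 = CA publishes the CRL to this path, 2 = URL goes into
#    the CDP extension of issued certificates, 8 = URL goes into the CRL's own
#    CDP entry; 2+8 = 10. Tokens: %3 = CA name, %8 = CRL name suffix,
#    %9 = delta CRL suffix. Run on the CA as an administrator; every certificate
#    issued before the change still carries the old URL and must be re-issued.
function Set-CdpPublicationUrl {
    param([Parameter(Mandatory)][string]$HttpBase)   # e.g. http://dc.example.com:8080/certsrv
    $local = '1:%WINDIR%\system32\CertSrv\CertEnroll\%3%8%9.crl'
    $http  = "10:$HttpBase/%3%8%9.crl"
    certutil -getreg CA\CRLPublicationURLs             # record the current list first
    certutil -setreg CA\CRLPublicationURLs "$local\n$http"
    Restart-Service certsvc                            # the new list is read at start-up
    certutil -CRL                                      # publish a CRL to the new location
}

# Client-side check: list and probe the CDP URLs of the logon certificate.
$cert = Get-SmartCardLogonCert
if ($cert) { Test-CdpUrl -Url (Get-CdpUrl -Cert $cert) }
# On the CA (uncomment after reviewing the flags and URL):
# Set-CdpPublicationUrl -HttpBase 'http://dc.example.com:8080/certsrv'
# After re-enrolling the card, confirm chain building and the CRL fetch from a client:
# certutil -verify -urlfetch logon-cert.cer
```

One thing to check while probing: both URLs quoted in the question end in `dc.cer`, which is the name a CA certificate (the AIA file) would have, whereas a CRL is normally published as `.crl`. Comparing the exact URL reported in the client's error against what the CA actually publishes on port 8080 will show whether the problem is only the port or also the file being pointed at.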