Re: IIS CRL Checking
From: Ohaya (ohaya_at_cox.net)
Date: 09/07/03
- Next message: Joseph: "Forcing SSL on pages"
- Previous message: Ohaya: "Re: Can IIS Log username from client certificate?"
- In reply to: Jackson Lancaster: "IIS CRL Checking"
- Next in thread: Bernard: "Re: IIS CRL Checking"
Date: Sat, 06 Sep 2003 21:58:53 -0400
Jackson Lancaster wrote:
>
> Can anyone explain (in some detail) how IIS checks CRLs for client PKI
> certs? The articles I have seen state that IIS uses the CRL CDP to verify
> client certificates. Is it true that IIS will use http or ldap (live) to
> verify a cert against a CRL? I have also read that IIS caches the CRLs
> that it downloads. Does it cache them in memory or in the file system? And
> last, if I install CRLs locally, does IIS use these CRLs to verify client
> certs or does it still check against the cached or real CRL? I have tried
> installing CRLs locally (on the IIS server) but when I do this the pop-up
> screen to choose a client cert to use takes about 20-30 seconds longer to
> pop up than if I don't have the CRLs installed locally.
Jackson,
I can't answer any of your questions definitively, but if you look at
the client certs in IE (at least for the ones created by MS Certificate
Server), the cert includes a "CRL Distribution Points", which includes
(I think) URLs for LDAP and HTTP.