Re: IIS5 - Is CRL checking enabled by default - do I need it?

From: Ohaya (ohaya_at_N_O_S_P_A_M_cox.net)
Date: 03/27/04

Date: Fri, 26 Mar 2004 21:03:41 -0500

Ohaya wrote:
>
> Hi,
>
> It's been awhile since I've gone down this road, but I just installed a
> clean installation of Win2K Advanced Server with IIS5. The Windows CD
> was an SP3, and the web server machine is configured as a standalone
> server (no Active Directory, no Certificate Service).
>
> I am setting up an SSL website with server and client authentication, and
> that part is working, i.e., the website will let users who have
> valid client certs connect.
>
> The client certs do not have the CDP populated, so I am populating the
> Intermediate Certification Authorities (ICA) store using a batch file
> that retrieves the CRL from the (3rd party) CA, and then uses
> CertMgr.exe to import the CRL into the ICA.
>
> I could've sworn that that's all I had to do, but I'm finding that even
> if I update the ICA with a CRL that has some client certs revoked, those
> client certs continue to work (i.e., they don't cause a revoked/403.xx
> error).
>
> For those of you who helped me in the past (late last year), what am I
> missing?
>
> Is IIS5 configured by default NOT to check CRLs in the ICA?
>
> BTW, I ran SSLDiag, and it indicated something about Crypt32.dll being
> obsolete, so I'm updating the machine to SP4. I don't know if this will
> make a difference.
>
> Thanks,
> Jim

Hi,

My apologies for the panic above!!

I completed the update to SP4, and now the Crypt32.dll error no longer
shows up in SSLDiag, and IIS does seem to be checking the CRL in the
ICA.

I am now having one problem that I can't explain.

The test CRLs that I got from my CA have a "Next Update" date of
something like January 29, 2004, but it is now March 26, 2004.

Aren't these test CRLs now out of their validity period?

And, shouldn't IIS5 be rejecting connections because the CRL is out of
the validity period?

Jim
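The question in the post above is what a revocation check should do once the CRL's "Next Update" has passed. The following script is an added example, not code from the thread and not a statement of how IIS5 or CryptoAPI behave: it builds a throwaway CA and a CRL whose nextUpdate lies in January 2004 (both constructed in the script, using the `cryptography` package, which is assumed to be installed), then evaluates client-certificate serials against it the way a strict validator would. A serial that is listed stays "revoked" even in a stale CRL, because revocation is never undone, while "not listed" in a stale CRL is reported as `crl_stale` rather than "good" unless the caller explicitly opts in. The serial numbers and dates are made-up test values.

```python
"""Revocation check against a CRL, including the stale-CRL case (added example)."""
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID


# --- Constructed test fixtures: a throwaway CA and CRL, not real CA material ---

def make_test_ca():
    """Generate a throwaway RSA key and a self-signed CA certificate for the demo."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Test CA")])
    now = datetime.now(timezone.utc)
    cert = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - timedelta(days=1))
        .not_valid_after(now + timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
        .sign(key, hashes.SHA256())
    )
    return key, cert


def make_crl(ca_key, ca_cert, revoked_serials, this_update, next_update):
    """Issue a CRL listing the given serials, valid from this_update until next_update."""
    builder = (
        x509.CertificateRevocationListBuilder()
        .issuer_name(ca_cert.subject)
        .last_update(this_update)
        .next_update(next_update)
    )
    for serial in revoked_serials:
        entry = (
            x509.RevokedCertificateBuilder()
            .serial_number(serial)
            .revocation_date(this_update)
            .build()
        )
        builder = builder.add_revoked_certificate(entry)
    return builder.sign(ca_key, hashes.SHA256())


# --- The validator side ---------------------------------------------------------

def load_crl(data: bytes):
    """Load a CRL in DER (the form most CAs publish) or PEM encoding."""
    if data.lstrip().startswith(b"-----BEGIN"):
        return x509.load_pem_x509_crl(data)
    return x509.load_der_x509_crl(data)


def crl_times(crl):
    """Return (thisUpdate, nextUpdate) as aware UTC datetimes across cryptography versions."""
    if hasattr(crl, "last_update_utc"):          # cryptography >= 42 exposes aware properties
        return crl.last_update_utc, crl.next_update_utc
    nxt = crl.next_update                        # older versions return naive UTC datetimes
    return (crl.last_update.replace(tzinfo=timezone.utc),
            nxt.replace(tzinfo=timezone.utc) if nxt is not None else None)


def revocation_status(crl, ca_cert, serial, now, allow_stale=False):
    """Classify a certificate serial against a CRL at time `now`.

    Returns 'crl_bad_signature', 'crl_not_yet_valid', 'revoked', 'crl_stale' or 'good'.
    """
    if not crl.is_signature_valid(ca_cert.public_key()):
        return "crl_bad_signature"               # never trust an unverified CRL
    this_update, next_update = crl_times(crl)
    if now < this_update:
        return "crl_not_yet_valid"
    if crl.get_revoked_certificate_by_serial_number(serial) is not None:
        return "revoked"                         # a listed serial stays revoked, stale CRL or not
    if next_update is not None and now > next_update and not allow_stale:
        return "crl_stale"                       # 'not listed' in an expired CRL proves nothing
    return "good"


def demo():
    """Exercise the checker with a CRL whose nextUpdate is 29 Jan 2004 (constructed values)."""
    ca_key, ca_cert = make_test_ca()
    revoked_serial, good_serial = 0x1001, 0x1002
    issued = datetime(2004, 1, 1, tzinfo=timezone.utc)
    crl = make_crl(ca_key, ca_cert, [revoked_serial], issued, issued + timedelta(days=28))
    crl = load_crl(crl.public_bytes(serialization.Encoding.DER))   # round-trip as a CA would ship it
    in_window = issued + timedelta(days=1)
    later = datetime(2004, 3, 26, tzinfo=timezone.utc)             # well past nextUpdate
    return {
        "revoked_in_window": revocation_status(crl, ca_cert, revoked_serial, in_window),
        "good_in_window": revocation_status(crl, ca_cert, good_serial, in_window),
        "revoked_when_stale": revocation_status(crl, ca_cert, revoked_serial, later),
        "good_when_stale": revocation_status(crl, ca_cert, good_serial, later),
        "good_stale_allowed": revocation_status(crl, ca_cert, good_serial, later, allow_stale=True),
    }


if __name__ == "__main__":
    for case, status in demo().items():
        print(f"{case:20s} -> {status}")
```

The `allow_stale` switch is the policy knob the thread is really asking about: whether a validator that only has an expired CRL on hand should fail closed (treat unlisted certificates as unknown and refuse them) or fail open (keep using the last CRL it successfully fetched). Failing closed is the safer default for client-certificate authentication; if you choose to fail open, make the CRL refresh job's failures visible so a stale CRL cannot go unnoticed for two months as it did here.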
