Why doesn't IPSEC respect revoked certificates.

From: PB (_@no_where.nospam)
Date: 06/27/02


From: "PB" <_@no_where.nospam>
Date: Thu, 27 Jun 2002 22:36:34 +0100


For the purposes of this test I setup

1) Enterprise Certificate Authority,
2) issued Offline IPSEC Certificates to two machines - both in different
domains.
3) Created IPSEC Policies that require IPSEC for port 25 traffic - using a
Certificate from the Enterprise CA.
4) On the Email 'Server' (on which the Enterprise CA is hosted) I created
the registry entries in

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PolicyAgent\StrongCRLCheck=0x1 etc
5) I also configured the EnableLogging registry entry.

6) Restarted IPSEC Policy Agent on both machines.
7) Ran up the IPSECMON tool.

Now Port 25 traffic does indeed negotiate IPSEC - and the certificates do
need to be on the Server and the Client - or else it doesn't work.

So far so good, I have what I want.

BUT assume then that the Client machine is stolen or in a miscreant's hands
or whatever and I want to revoke the certificate - I can revoke the
certificate for the AWOL Client at the Enterprise CA, and can publish a new
CRL - but this CRL is not respected by the server and the client can
continue to connect port 25 traffic even though its IPSEC certificate is
supposedly revoked - and that StrongCRLCheck in the registry is set.

I've tried just about every combination of rebooting and the like and
restarting IPSEC Policy Agents - but to no avail.

So what is it that I'm missing? Is this really something that just doesn't
work? I'm supposed to be writing an article on this but at the moment it is
looking like I'd be publishing that it doesn't work as it indicates that it
should.

Any help would be appreciated.
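As an added illustration (not part of the original post), the following constructed Python model shows how a verifying IKE peer decides to accept or reject a peer certificate at each documented StrongCRLCheck level (0 = no check, 1 = reject only if the certificate is listed as revoked, 2 = reject on any CRL error), and why a server that still holds an unexpired cached CRL keeps accepting a newly revoked certificate until that CRL's nextUpdate passes. The CA name, serial number, dates and the cache behaviour are assumptions of the model, not values from the post.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

NO_CHECK, REJECT_IF_REVOKED, REJECT_ON_ANY_ERROR = 0, 1, 2  # documented StrongCRLCheck levels

@dataclass(frozen=True)
class CRL:
    issuer: str
    this_update: datetime
    next_update: datetime
    revoked_serials: frozenset

@dataclass
class Peer:
    """Constructed model of the verifying IKE peer: its registry level and its CRL cache."""
    strong_crl_check: int
    crl_cache: dict = field(default_factory=dict)  # issuer -> CRL already on this machine
    published: dict = field(default_factory=dict)  # issuer -> CRL currently reachable at the CDP

    def fetch_crl(self, issuer, now):
        cached = self.crl_cache.get(issuer)
        if cached is not None and now < cached.next_update:
            return cached  # models CryptoAPI caching: reuse the CRL until its nextUpdate passes
        fresh = self.published.get(issuer)  # None models an unreachable CDP
        if fresh is not None:
            self.crl_cache[issuer] = fresh
        return fresh

    def accept_certificate(self, issuer, serial, now):
        if self.strong_crl_check == NO_CHECK:
            return True, "CRL checking disabled"
        crl = self.fetch_crl(issuer, now)
        if crl is None:
            if self.strong_crl_check == REJECT_ON_ANY_ERROR:
                return False, "no CRL available; level 2 treats that as failure"
            return True, "no CRL available; level 1 tolerates the error"
        if serial in crl.revoked_serials:
            return False, "serial listed in CRL dated %s" % crl.this_update.date()
        return True, "serial absent from CRL dated %s" % crl.this_update.date()

def demo():
    """Revoke a client on day 1 while the server still caches a valid week-old CRL (constructed dates)."""
    ca, t0 = "CN=Example Enterprise CA", datetime(2002, 6, 27, tzinfo=timezone.utc)
    old_crl = CRL(ca, t0, t0 + timedelta(days=7), frozenset())
    new_crl = CRL(ca, t0 + timedelta(days=1), t0 + timedelta(days=8), frozenset({0x1234}))
    server = Peer(REJECT_IF_REVOKED, crl_cache={ca: old_crl}, published={ca: new_crl})
    day1 = server.accept_certificate(ca, 0x1234, t0 + timedelta(days=1))[0]  # cached CRL still fresh
    day8 = server.accept_certificate(ca, 0x1234, t0 + timedelta(days=8))[0]  # cache expired, new CRL fetched
    strict = Peer(REJECT_ON_ANY_ERROR).accept_certificate(ca, 0x1234, t0)[0]  # no CRL reachable at all
    return day1, day8, strict
```

The model covers only the check made while IKE authenticates the peer; a security association that was established before the revocation is not re-checked until it is renegotiated.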
