Re: Stand Alone CA Problem
From: Shreeniwas Kelkar [MS] (srkelkar@online.microsoft.com)
Date: 08/12/02
From: "Shreeniwas Kelkar [MS]" <srkelkar@online.microsoft.com> Date: Mon, 12 Aug 2002 08:40:51 -0700
This is almost always caused by network latency. OutlookXP cannot download
the CRL from the CDP fast enough and times out.
Unless the CRL is valid for a very long time (which is normally a bad
security decision), your fix below is temporary. As soon as the CRL expires,
this behavior will reappear. If you use LDAP URLs instead of HTTP, the
download is usually many times faster. There are also a few settings
available around CRL download behavior and you should find all the details
in the documentation.
--
Shreeniwas Kelkar, Microsoft Corp.
This posting is provided "AS IS" with no warranties, and confers no rights.
Use of any included samples is subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm

"kuwatog" <agbuenaventura@iremit-inc.com> wrote in message
news:ewS9g4FQCHA.2524@tkmsftngp11...
> To solve this problem, I downloaded the Certificate Revocation List of my CA
> and imported it in my certificate store.
>
> "kuwatog" <agbuenaventura@iremit-inc.com> wrote in message
> news:emAQnoOPCHA.2416@tkmsftngp09...
> > I installed a Standalone CA for my 70++-users win2000
> > local area network without any hitch. Users use OutlookXP
> > as mail client. Mail encryption and signing works well.
> > However when I open security properties of an
> > encrypted&signed mail, I see a warning message "The
> > Certificate Revocation List needed to verify the signing
> > certificate is either unavailable or it has expired."
> > Besides, for the signing certificate message it says "This
> > certificate is OK!" under the root CA. In the Edit Trust
> > part "Inherit trust from the issuer" seems to be chosen.
> > Why do I see this warning message? I wonder is there
> > anything wrong with the CDP points, but it also seems ok,
> > clients can query the CRL using HTTP. I think, I
> > shouldn't have to select "Explicitly trust this
> > certificate" for each certificate. Since I trust my root
> > CA, to select "inherit trust from the issuer" is expected
> > to work fine.
> >
> > Are there also any special procedures in publishing the CRL using an ISA2K
> > server?
> > The reason I asked this is because I will be issuing email certificates to
> > users outside our win2k domain.
> >
> > ANY comments&feedbacks will be greatly appreciated .