Re: Stand Alone CA Problem

From: Brian Komar (bkomar@komarconsulting.com)
Date: 08/14/02


In article <eK2A$ZhQCHA.3664@tkmsftngp11>, srkelkar@online.microsoft.com
says...
> This is almost always caused by network latency. OutlookXP cannot download
> the CRL from the CDP fast enough and times out.
>
> Unless the CRL is valid for a very long time (which is normally a bad
> security decision), your fix below is temporary. As soon as the CRL expires,
> this behavior will reappear. If you use LDAP URLs instead of HTTP, the
> download is usually many times faster. There are also a few settings
> available around CRL download behavior and you should find all the details
> in the documentation.
>
> --
> Shreeniwas Kelkar,
> Microsoft Corp.
>
> This posting is provided "AS IS" with no warranties, and confers no rights.
> Use of any included samples is subject to the terms specified at
> http://www.microsoft.com/info/cpyright.htm
> --
> "kuwatog" <agbuenaventura@iremit-inc.com> wrote in message
> news:ewS9g4FQCHA.2524@tkmsftngp11...
> > To solve this problem, I downloaded the Certificate Revocation List of my
> > CA and imported it in my certificate store.
> >
> > "kuwatog" <agbuenaventura@iremit-inc.com> wrote in message
> > news:emAQnoOPCHA.2416@tkmsftngp09...
> > > I installed a Standalone CA for my 70++-users win2000
> > > local area network without any hitch. Users use OutlookXP
> > > as mail client. Mail encryption and signing works well.
> > > However when I open security properties of an
> > > encrypted&signed mail, I see a warning message "The
> > > Certificate Revocation List needed to verify the signing
> > > certificate is either unavailable or it has expired."
> > > Besides, for the signing certificate message it says "This
> > > certificate is OK!" under the root CA. In the Edit Trust
> > > part "Inherit trust from the issuer" seems to be chosen.
> > > Why do I see this warning message? I wonder is there
> > > anything wrong with the CDP points, but it also seems ok,
> > > clients can query the CRL using HTTP. I think, I
> > > shouldn't have to select "Explicitly trust this
> > > certificate" for each certificate. Since I trust my root
> > > CA, to select "inherit trust from the issuer" is expected
> > > to work fine.
> > >
<snip>

Hi,

You need to modify the CDP extensions for issued certificates in the
properties of the Standalone CA in the Certification Authority console.
This will then place the CDP extension in all issued certificates from
that point on (so you will have to redeploy the certs for the existing
users).

When publishing, you should include both LDAP and HTTP URLs and then
ensure that the CDP is available at both locations.

For details on performing the publication, see the Troubleshooting
Certificate Status and Revocation whitepaper at:

http://www.microsoft.com/technet/security/prodtech/tshcrl.asp

Look at the walkthroughs at the end of the paper that will provide the
correct LDAP paths for the CDP and recommendations for the HTTP URLs.
Also be sure to publish the CRL into AD by using the Windows XP versions
of certutil.

Certutil -dspublish -f <CRLfilename>

You may also have to publish the standalone root CA cert into the
trusted root store. Again, you will have to modify the AIA extensions to
include the proper paths. To publish the certificate as a trusted root
CA, use CERTUTIL -f -dspublish <CACertfilename> RootCA.

HTH,

Brian
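An added diagnostic for the warning discussed in this thread, not part of Brian's reply or of Microsoft's documentation: it lists the CDP and AIA URLs carried by each certificate in the current user's Personal store, fetches every HTTP CDP URL and reports the CRL's NextUpdate, and then builds the chain with online revocation checking so the client-side failure (unreachable or expired CRL) is reported directly. It assumes Windows PowerShell 5.1 or later and the certutil.exe that ships with Windows.

```powershell
# Added example (not from the original thread). Checks why a client might report
# "The Certificate Revocation List needed to verify the signing certificate is
# either unavailable or it has expired" for certificates in Cert:\CurrentUser\My.
# Assumes Windows PowerShell 5.1+; certutil.exe is the built-in Windows tool.
$cdpOid = '2.5.29.31'          # CRL Distribution Points extension
$aiaOid = '1.3.6.1.5.5.7.1.1'  # Authority Information Access extension

function Get-ExtensionUrls {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert, [string]$Oid)
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $Oid }
    if (-not $ext) { return @() }
    # Format($true) renders the extension as text with one "URL=<uri>" per location
    [regex]::Matches($ext.Format($true), 'URL=(\S+)') | ForEach-Object { $_.Groups[1].Value }
}

foreach ($cert in Get-ChildItem Cert:\CurrentUser\My) {
    "== {0}" -f $cert.Subject
    $cdp = @(Get-ExtensionUrls -Cert $cert -Oid $cdpOid)
    $aia = @(Get-ExtensionUrls -Cert $cert -Oid $aiaOid)
    if ($cdp.Count -eq 0) { "   no CDP extension: the CA must add one before revocation can be checked" }
    if ($aia.Count -eq 0) { "   no AIA extension: clients cannot locate the issuer certificate" }
    if (($cdp -like 'http*').Count -eq 0 -or ($cdp -like 'ldap*').Count -eq 0) {
        "   CDP lists only one URL type; publishing both LDAP and HTTP is recommended"
    }
    foreach ($url in $cdp + $aia) { "   {0}" -f $url }

    # Fetch each HTTP CDP and read the CRL validity window; a NextUpdate in the past is "expired"
    foreach ($url in ($cdp -like 'http*')) {
        $crlFile = Join-Path $env:TEMP 'cdp-check.crl'
        try {
            Invoke-WebRequest -Uri $url -OutFile $crlFile -TimeoutSec 15 -UseBasicParsing
            $next = (certutil -dump $crlFile | Select-String 'NextUpdate:').Line.Trim()
            "   fetched {0} -> {1}" -f $url, $next
        } catch {
            "   FAILED {0}: {1}" -f $url, $_.Exception.Message
        }
    }

    # Same check the client performs: build the chain with online revocation checking
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chain.ChainPolicy.RevocationFlag = 'EntireChain'
    $chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(15)
    if ($chain.Build($cert)) { "   chain OK, revocation verified" }
    else {
        $chain.ChainStatus | ForEach-Object { "   chain status: {0} - {1}" -f $_.Status, $_.StatusInformation.Trim() }
    }
}
```

A chain status of RevocationStatusUnknown or OfflineRevocation corresponds to the warning in the thread; run the script against a user's store after redeploying certificates with the corrected CDP/AIA extensions to confirm the fix.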


