Question on autoenrollment process with revoked certificate.
- From: aherugu <aherugu.2odfvf@xxxxxxxxxxxxx>
- Date: Sun, 1 Apr 2007 22:40:45 +0530
Hi all,
I work for VeriSign. I have an issue on autoenrollment which I need
your inputs on. I am not sure if this is the right forum to ask. But
being a new person I am not sure where to post this question (this is
my first post). It will be of great help if someone can answer here
and/or guide me to the right forum.
BACKGROUND INFORMATION
We have a VeriSign DCOM server which comes into picture during
autoenrollment. This manages the CAs, templates assigned to CAs, certs
issued, certs revoked etc. We have an MMC snap-in for this.
I am using Win2003 SP1 server and IE6 browser. I have setup
autoenrollment feature which is working fine for all regular cases. I
have a few certificates (based on the templates) issued to me through
the autoenrollment process. These certificates can be seen in the
issued certs area of our MMC snap-in (as refreshed / obtained from the
backend that issues certificates and stores the revoked, expired
certificates). These certificates are also installed in the CAPI store
and can be seen from IE.
PROBLEM DEFINITION
If I revoke one such certificate using the MMC snap-in, it gets revoked
at the backend and gets refreshed in the revoked certificate area of the
MMC snap-in also and also getting removed from the issued certificate
area. These areas are refreshed / obtained from the backend. I can also
see at the backend that this particular certificate is published in the
CRL list of the CA using which this certificate was issued in the first
place based on a particular template assigned to this CA. But this
certificate does not get removed from the CAPI store (on the client
side) and can still be seen from IE.
QUESTION
With the above mentioned setup, when I relogin at the client side, the
autoenrollment process doesn't kick in and does not request the backend
for a new certificate to be issued. But if I manually remove this
certificate from IE (CAPI store) and then relogin, the autoenrollment
process identifies that this certificate is not installed, requests
a new certificate, gets it from the backend and installs it
too.
Is this an expected behaviour or is it a bug somewhere (policy or setup
or autoenrollment process or our snap-in)? The reason I ask is since I
looked in the autoenrollment documentation on Microsoft site
(http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/autoenro.mspx).
In the "Revoked Certificates and Renewal" section they say this:
"Revoked certificates may not be renewed and may not be used to sign a
renewal request. This scenario is explicitly blocked by autoenrollment.
In this scenario, a user must perform a new manual enrollment request
instead of renewal."
I personally thought that the autoenrollment process should
automatically kick in upon relogin since the certificate is no longer
in the issued certificate area. Not sure why this is not happening; it
seems the right behaviour based on the Microsoft documentation. And
autoenrollment is happening upon relogin when I manually remove the
certificate from IE store though.
Can someone throw some light on this to help us understand the way
autoenrollment should behave with respect to what I have told?
Thanks in advance,
Ananth.
--
aherugu
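A way to see which certificates in the user's CAPI store are already revoked but still installed, which is the state described above. This is an added example, not code from the original post or from the VeriSign snap-in; it uses the .NET X509Chain class (not anything autoenrollment itself runs) and assumes the issuing CA's CRL is reachable from the client.

```powershell
# Added example, not from the original post: enumerate the current user's
# personal (CAPI "My") store and report each certificate's revocation status,
# so an admin can spot revoked certificates that are still installed.
# Assumes the issuing CA's CRL is reachable; if it is not, the chain reports
# RevocationStatusUnknown / OfflineRevocation rather than Revoked.
function Get-UserCertRevocationStatus {
    $ns = 'System.Security.Cryptography.X509Certificates'
    $store = New-Object -TypeName "$ns.X509Store" -ArgumentList 'My', 'CurrentUser'
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)
    try {
        foreach ($cert in $store.Certificates) {
            $chain = New-Object -TypeName "$ns.X509Chain"
            $chain.ChainPolicy.RevocationMode = 'Online'      # consult the CRL
            $chain.ChainPolicy.RevocationFlag = 'EntireChain'
            $null = $chain.Build($cert)

            # Flatten every chain status entry into a list of flag names
            $flags = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() -split ',\s*' })

            # Template name from the V1 (20.2) or V2 (21.7) template extension
            $tmplExt = $cert.Extensions |
                Where-Object { '1.3.6.1.4.1.311.20.2', '1.3.6.1.4.1.311.21.7' -contains $_.Oid.Value } |
                Select-Object -First 1
            $template = if ($tmplExt) { $tmplExt.Format($false) } else { '' }

            [pscustomobject]@{
                Subject    = $cert.Subject
                Thumbprint = $cert.Thumbprint
                NotAfter   = $cert.NotAfter
                Template   = $template
                Revoked    = [bool]($flags -contains 'Revoked')
                CrlUnknown = [bool](($flags -contains 'RevocationStatusUnknown') -or
                                    ($flags -contains 'OfflineRevocation'))
                Status     = ($flags -join ', ')
            }
            $chain.Reset()
        }
    } finally {
        $store.Close()
    }
}

Get-UserCertRevocationStatus |
    Format-Table Subject, Template, Revoked, CrlUnknown, Status -AutoSize
```

A row with Revoked set to True is exactly the case in the post: the backend and CRL consider the certificate revoked, yet it is still present in the store that autoenrollment inspects.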