Re: Certificate Question

From: Miha Pihler (mihap-news_at_atlantis.si)
Date: 08/25/04


Date: Wed, 25 Aug 2004 00:23:29 +0200

Hi Nancy,

Client can use any cached CRL as long as it is valid. You can erase it by
purging temporary Internet files. This will ensure that clients check for a
new one... The other thing you can do is design your Base and Delta CRL
interval to your needs.

There is no harm in deleting a certificate that was revoked, but it is not a
must either. Imagine this was on a laptop out of the office and the user got
fired. You don't have access to the laptop so you can't erase it.

Once the client (PC) gets a new CRL it will not allow use of that certificate
any more. You can also remove old or revoked certificates with group policy.
Open group policy at any level that you like (domain or OU) and under User
settings -> Windows Settings -> Security Settings -> Public Key
Policies -> Autoenrollment Settings...

I hope this helps,

Mike

"Nancy Kafer" <nkafer@homesteaderslife.com> wrote in message
news:%23k8UmkhiEHA.1040@TK2MSFTNGP09.phx.gbl...
> I have issued several certificates for our remote users (on Win2K3 Ent
> Server). I have configured the CRL distribution points and everything
> appears to be fine. I have a couple of basic questions:
>
> I need to revoke a certificate because a user has left the company. I went
> into the Certificate Authority on the Issuing CA and revoked the
> certificate, republished the CRLs to the distribution points.
>
> 1) How can I make sure that the client machine is using the most recent
> CRL?
> 2) Should the certificate that was revoked be deleted from the machine?
> Once the certificate has been revoked I would like to make sure the client
> machine receives the CRL and deletes the certificate from the local
> computer store. Seems to me at one point I saw a place to configure the
> deletion of a revoked certificate from the client machine but I can't seem
> to find it now.
> Can anyone help me out?
>
> Thanks.
>
>
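As an added example (not part of Mike's or Nancy's posts), the procedure discussed above expressed as certutil commands: shortening the Base/Delta CRL intervals on the issuing CA, revoking and publishing, then purging the client's cached CRL and re-checking the certificate. The serial number, file path and interval values are placeholders to be replaced with your own.

```powershell
# --- On the issuing CA: set Base and Delta CRL publication intervals ---
# Interval values are placeholders; choose what your environment needs.
certutil -setreg CA\CRLPeriodUnits 7
certutil -setreg CA\CRLPeriod "Days"
certutil -setreg CA\CRLDeltaPeriodUnits 1
certutil -setreg CA\CRLDeltaPeriod "Days"
# Registry changes take effect only after the CA service restarts.
Restart-Service certsvc

# Revoke the departed user's certificate by serial number and publish new CRLs.
# <SERIAL> is a placeholder. Reason 3 = AffiliationChanged (user left the company).
certutil -revoke "<SERIAL>" 3
certutil -crl

# --- On the client: discard the cached CRL and force a fresh download ---
# List every CRL currently held in the user's URL cache (shows Next Update).
certutil -urlcache crl
# Delete cached CRLs so the next chain build must fetch the freshly published one.
certutil -urlcache crl delete
# Re-validate the user's certificate, fetching CRLs from the CDP URLs in the cert;
# the output shows whether the certificate is now reported as revoked.
certutil -verify -urlfetch "C:\path\to\user.cer"   # path is a placeholder
```

Until the cached CRL's Next Update time passes or the cache is cleared, the client keeps using the old CRL, which is why the revocation is not seen immediately.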


