Re: Certificate Question
From: Shawn Corey [MSFT] (shawncor_at_online.microsoft.com)
Date: 08/25/04
- In reply to: Miha Pihler: "Re: Certificate Question"
Date: Tue, 24 Aug 2004 15:45:17 -0700
Just clearing the Temporary Internet files may not be enough to clear out
the cached CRL; these can be stored in many places, so tracking down the
right one is very difficult. You may get clients that do not get a new CRL
till the old one expires. Setting up Delta CRLs is a great way of getting a
quicker revocation if that is a necessity.
--
Thanks,
Shawn

This posting is provided "AS IS" with no warranties, and confers no rights.
Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm

"Miha Pihler" <mihap-news@atlantis.si> wrote in message
news:etxJ%23jiiEHA.3664@TK2MSFTNGP12.phx.gbl...
> Hi Nancy,
>
> Client can use any cached CRL as long as it is valid. You can erase it by
> purging temporary Internet files. This will ensure that clients check for
> a new one... The other thing you can do is design your Base and Delta CRL
> interval to your needs.
>
> There is no harm in deleting certificate that was revoked, but it is not a
> must either. Imagine this was on a laptop and out of the office and user
> got fired. You don't have access to the laptop so you can't erase it.
>
> Once the client (PC) gets new CRL it will not allow use of that
> certificate any more. You can also remove old or revoked certificate with
> group policy. Open group policy at any level that you like (domain or OU)
> and under users settings -> Windows Settings -> open security settings ->
> Public Key Policies -> Autoenrollment Settings...
>
> I hope this helps,
>
> Mike
>
> "Nancy Kafer" <nkafer@homesteaderslife.com> wrote in message
> news:%23k8UmkhiEHA.1040@TK2MSFTNGP09.phx.gbl...
>> I have issued several certificates for our remote users (on Win2K3 Ent
>> Server). I have configured the CRL distribution points and everything
>> appears to be fine. I have a couple of basic questions:
>>
>> I need to revoke a certificate because a user has left the company. I
>> went into the Certificate Authority on the Issuing CA and revoked the
>> certificate, republished the CRLs to the distribution points.
>>
>> 1) How can I make sure that the client machine is using the most recent
>> CRL?
>> 2) Should the certificate that was revoked be deleted from the machine?
>> Once the certificate has been revoked I would like to make sure the
>> client machine receives the CRL and deletes the certificate from the
>> local computer store. Seems to me at one point I saw a place to
>> configure the deletion of a revoked certificate from the client machine
>> but I can't seem to find it now.
>> Can anyone help me out?
>>
>> Thanks.
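
Added example (not part of the original thread): a simplified Python model of the caching behaviour discussed above, measuring how long a client that cached its CRLs just before a revocation keeps accepting the certificate, first with a base CRL only and then with a delta CRL as well. The 7-day and 1-day intervals, the serial number and all times are constructed, and each CRL is assumed to be valid for exactly one publication interval.

```python
from datetime import datetime, timedelta

SERIAL = "1A2B"                      # constructed serial number
START = datetime(2004, 8, 23)        # constructed first publication time

class Publisher:
    """Simplified CRL publication: reissued every `interval`, each issue valid
    for exactly one interval (assumption: no overlap period)."""
    def __init__(self, interval):
        self.interval = interval

    def current(self, now, revocations):
        n = (now - START) // self.interval        # latest scheduled issue
        this_update = START + n * self.interval
        # The CA republishes on revocation, so a fresh fetch sees it at once.
        revoked = {s for s, t in revocations.items() if t <= now}
        return {"next_update": this_update + self.interval, "revoked": revoked}

class Client:
    """Keeps each CRL until its nextUpdate passes, then fetches a new copy."""
    def __init__(self, publishers):
        self.publishers, self.cache = publishers, {}

    def is_revoked(self, serial, now, revocations):
        for name, pub in self.publishers.items():
            crl = self.cache.get(name)
            if crl is None or now >= crl["next_update"]:
                self.cache[name] = pub.current(now, revocations)
        # Base and delta are combined: a hit in either one revokes the cert.
        return any(serial in c["revoked"] for c in self.cache.values())

def hours_until_rejected(publishers, revoked_at, step=timedelta(minutes=30)):
    """Hours from revocation to the first check at which a client that cached
    its CRLs just before the revocation rejects the certificate."""
    revocations, client = {}, Client(publishers)
    client.is_revoked(SERIAL, revoked_at - step, revocations)   # warm cache
    revocations[SERIAL] = revoked_at
    now = revoked_at
    while not client.is_revoked(SERIAL, now, revocations):
        now += step
    return (now - revoked_at) / timedelta(hours=1)

REVOKED_AT = datetime(2004, 8, 24, 15, 30)       # constructed revocation time
BASE_ONLY = {"base": Publisher(timedelta(days=7))}
WITH_DELTA = {"base": Publisher(timedelta(days=7)),
              "delta": Publisher(timedelta(days=1))}

if __name__ == "__main__":
    print("base only :", hours_until_rejected(BASE_ONLY, REVOKED_AT), "hours")
    print("with delta:", hours_until_rejected(WITH_DELTA, REVOKED_AT), "hours")
```

In this model the republished CRL is visible immediately to a client with an empty cache, while the client with a warm cache only sees it once its shortest-lived cached CRL reaches nextUpdate.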