Re: Certificate Question

From: Miha Pihler (mihap-news_at_atlantis.si)
Date: 08/25/04


Date: Wed, 25 Aug 2004 01:37:03 +0200

Hi Shawn,

Thanks for the update.

One option would also be to look on your system for *.crl files and delete
the ones named after the internal CA server, though even this option is not
100% reliable...

Mike

"Shawn Corey [MSFT]" <shawncor@online.microsoft.com> wrote in message
news:eNd0QwiiEHA.536@TK2MSFTNGP11.phx.gbl...
> Just clearing the Temporary Internet files may not be enough to clear out
> the cached CRL; these can be stored in many places, so tracking down the
> right one is very difficult. You may get clients that do not get a new CRL
> till the old one expires. Setting up Delta CRLs is a great way of getting a
> quicker revocation if that is a necessity.
>
> --
> Thanks,
> Shawn
>
> This posting is provided "AS IS" with no warranties, and confers no rights.
> Use of included script samples is subject to the terms specified at
> http://www.microsoft.com/info/cpyright.htm
>
>
> "Miha Pihler" <mihap-news@atlantis.si> wrote in message
> news:etxJ%23jiiEHA.3664@TK2MSFTNGP12.phx.gbl...
> > Hi Nancy,
> >
> > A client can use any cached CRL as long as it is valid. You can erase it by
> > purging temporary Internet files. This will ensure that clients check for
> > a new one... The other thing you can do is design your Base and Delta CRL
> > interval to your needs.
> >
> > There is no harm in deleting a certificate that was revoked, but it is not
> > a must either. Imagine this was on a laptop out of the office and the user
> > got fired. You don't have access to the laptop, so you can't erase it.
> >
> > Once the client (PC) gets a new CRL it will not allow use of that
> > certificate any more. You can also remove old or revoked certificates with
> > group policy. Open group policy at any level that you like (domain or OU)
> > and under user settings -> Windows Settings -> open security settings ->
> > Public Key Policies -> Autoenrollment Settings...
> >
> > I hope this helps,
> >
> > Mike
> >
> > "Nancy Kafer" <nkafer@homesteaderslife.com> wrote in message
> > news:%23k8UmkhiEHA.1040@TK2MSFTNGP09.phx.gbl...
> >> I have issued several certificates for our remote users (on Win2K3 Ent
> >> Server). I have configured the CRL distribution points and everything
> >> appears to be fine. I have a couple of basic questions:
> >>
> >> I need to revoke a certificate because a user has left the company. I
> >> went into the Certificate Authority on the Issuing CA and revoked the
> >> certificate, and republished the CRLs to the distribution points.
> >>
> >> 1) How can I make sure that the client machine is using the most recent
> >> CRL?
> >> 2) Should the certificate that was revoked be deleted from the machine?
> >> Once the certificate has been revoked I would like to make sure the client
> >> machine receives the CRL and deletes the certificate from the local
> >> computer store. Seems to me at one point I saw a place to configure the
> >> deletion of a revoked certificate from the client machine but I can't seem
> >> to find it now. Can anyone help me out?
> >>
> >> Thanks.
> >>
> >>
> >
> >
>
>
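As an added example that is not part of this thread (neither Miha's nor Shawn's text), the following PowerShell script shows how a Windows client can be forced past a cached CRL using the built-in certutil tool, and how to confirm that the client now sees the revocation. It uses only documented certutil switches (-urlcache, -setreg chain\ChainCacheResyncFiletime, -verify -urlfetch, -delstore). The certificate file path and the serial number are placeholders you must replace; matching the word "REVOKED" in certutil's output is an assumption about its wording, so read the full output rather than relying on the match alone.

```powershell
# Added example (not from the original posts): refresh the local CRL cache
# and check a specific certificate against the freshly fetched CRL.
# Run in an elevated PowerShell on the client machine.
param(
    # Placeholder: path to an exported copy (.cer) of the revoked certificate.
    [string]$CertFile = 'C:\temp\revoked-user.cer',
    # Placeholder: serial number of the revoked certificate, as shown by
    # "certutil -user -store My". Leave empty to skip the store cleanup step.
    [string]$SerialNumber = ''
)

# 1. Show which CRLs are currently cached in this user context.
#    The cache is per-user; the LocalSystem cache is separate and must be
#    cleared from a SYSTEM context (assumption: that is how your client is set up).
certutil -urlcache crl

# 2. Discard the cached CRLs so the next chain build has to go to the CDP
#    instead of reusing a CRL that is still before its NextUpdate time.
certutil -urlcache crl delete

# 3. Tell the chain engine to resynchronise its in-memory cache now, so the
#    deletion above takes effect without waiting for the old CRL to expire.
certutil -setreg chain\ChainCacheResyncFiletime @now

# 4. Verify the certificate with forced URL retrieval. With the new CRL in
#    place the output should report the certificate as revoked.
$result = certutil -verify -urlfetch $CertFile
$result

# -match is case-insensitive; the wording is an assumption about certutil output.
if ($result -match 'REVOKED') {
    Write-Output 'Client now sees the certificate as revoked via the fetched CRL.'
} else {
    Write-Output 'Certificate not reported as revoked; check the CDP URLs and CRL publication.'
}

# 5. Optional: remove the revoked certificate from the current user's
#    Personal store (the thread notes this is not required, since a client
#    holding the new CRL will refuse the certificate anyway).
if ($SerialNumber -ne '') {
    certutil -user -delstore My $SerialNumber
}
```

The script only refreshes the cache on the machine it runs on; it does not change the Base or Delta CRL publication intervals on the CA, which is the other lever mentioned in the thread for shortening the revocation window.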


