Re: Certificate Question
From: Lars Olaussen (Isolauss_at_hotmail.com)
Date: 08/25/04
- Next message: Paul Adare - MVP - Microsoft Virtual PC: "Re: Certificate Question"
- Previous message: Roger Abell: "Re: Problems with permissions"
- In reply to: Nancy Kafer: "Certificate Question"
- Next in thread: Nancy Kafer: "Re: Certificate Question"
- Reply: Nancy Kafer: "Re: Certificate Question"
Date: Wed, 25 Aug 2004 09:16:00 +0200
"Nancy Kafer" <nkafer@homesteaderslife.com> wrote...
> 1) How can I make sure that the client machine is
> using the most recent CRL?
Nancy,
As others have already pointed out, this is almost
impossible in Windows. And as I've stated in a previous
posting, you should lock the user account in Active
Directory to be sure that the user is not granted access
anymore (if this was the reason for making sure that
the new CRL is used everywhere). The certificate is
used for authentication, while AD (or another user db)
shall provide authorization.
You could also publish the certificate(s) to the "Untrusted
Certificates" section of the certificate store.
> 2) Should the certificate that was revoked be deleted
> from the machine? Once the certificate has been
> revoked I would like to make sure the client machine
> receives the CRL and deletes the certificate from the
> local computer store. Seems to me at one point I
> saw a place to configure the deletion of a revoked
> certificate from the client machine but I can't seem
> to find it now. Can anyone help me out?
There should be no need to remove a revoked
certificate as long as it is not a root certificate (self-signed).
A revoked certificate can only be used if the system
settings allow for it, and this should never be allowed.
Unfortunately, many systems allow certificates to
be used without full certificate validation. So, make sure
that CRL checking is performed on all client computers,
servers, and users.
Since MS has added support for Delta CRLs, this can,
as has also been mentioned already, be used to increase the
(D)CRL publication frequency. But for most internal PKIs
the CRL size will never be an issue, so publishing CRLs or
Delta CRLs every few hours shouldn't make too much of
a difference. But a high issuing frequency is important and
(D)CRLs should be published at least every day, if not
several times a day, with a sufficient overlap to prevent
DoS caused by network/publication propagation
delays.
Regards,
Lars Olaussen
Isolauss@hotmail.com
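The two points in the reply above (publish (D)CRLs often, and give each one enough validity overlap that propagation delay never leaves a client without a usable CRL; fail closed when none is usable) can be modelled with a small timeline. The following is an added example, not code from the original posting or from Windows PKI; it is pure Python with constructed values (a 6-hour publication interval, a 1-hour propagation delay, one hypothetical serial revoked at 06:30) and shows how a too-short CRL lifetime produces coverage gaps, and how a certificate revoked between publications is still reported as good until the next CRL reaches the client.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class CrlSnapshot:
    """One published CRL: its validity window and the serials it lists."""
    this_update: datetime
    next_update: datetime
    revoked_serials: FrozenSet[int]


def publish_crls(start: datetime, publish_every: timedelta, valid_for: timedelta,
                 count: int, revocations: Dict[int, datetime]) -> List[CrlSnapshot]:
    """Simulate a CA publishing `count` CRLs on a fixed schedule.

    A serial appears on a CRL only if it was revoked at or before that
    CRL's thisUpdate, which is the source of the revocation lag."""
    crls = []
    for i in range(count):
        issued = start + i * publish_every
        listed = frozenset(s for s, when in revocations.items() if when <= issued)
        crls.append(CrlSnapshot(issued, issued + valid_for, listed))
    return crls


def freshest_crl(crls: List[CrlSnapshot], fetch_delay: timedelta,
                 at: datetime) -> Optional[CrlSnapshot]:
    """The newest CRL that has reached the client and is still within its validity."""
    usable = [c for c in crls if c.this_update + fetch_delay <= at < c.next_update]
    return max(usable, key=lambda c: c.this_update) if usable else None


def check_status(serial: int, crls: List[CrlSnapshot], fetch_delay: timedelta,
                 at: datetime) -> str:
    """Fail-closed revocation check: no usable CRL means status is unknown,
    and an unknown status must be treated as a rejection by the caller."""
    crl = freshest_crl(crls, fetch_delay, at)
    if crl is None:
        return "unknown"
    return "revoked" if serial in crl.revoked_serials else "good"


def coverage_gaps(crls: List[CrlSnapshot], fetch_delay: timedelta,
                  horizon_start: datetime, horizon_end: datetime) -> List[Tuple[datetime, datetime]]:
    """Periods inside the horizon during which the client holds no valid CRL."""
    intervals = sorted((c.this_update + fetch_delay, c.next_update) for c in crls)
    gaps = []
    cursor = horizon_start
    for begin, end in intervals:
        if begin > cursor:
            gaps.append((cursor, min(begin, horizon_end)))
        cursor = max(cursor, end)
        if cursor >= horizon_end:
            break
    if cursor < horizon_end:
        gaps.append((cursor, horizon_end))
    return gaps


def minimum_crl_lifetime(publish_every: timedelta, fetch_delay: timedelta) -> timedelta:
    """Smallest nextUpdate - thisUpdate that leaves no gap: the publication
    interval plus the worst-case propagation delay (the 'overlap')."""
    return publish_every + fetch_delay


# Constructed scenario (hypothetical values, not from the posting).
HOUR = timedelta(hours=1)
START = datetime(2004, 8, 25, 0, 0, tzinfo=timezone.utc)
DELAY = 1 * HOUR                                  # worst-case publication propagation
REVOCATIONS = {1001: START + 6.5 * HOUR}          # hypothetical serial revoked at 06:30
CRLS_OK = publish_crls(START, 6 * HOUR, 8 * HOUR, 4, REVOCATIONS)     # 2h overlap
CRLS_TIGHT = publish_crls(START, 6 * HOUR, 6 * HOUR, 4, REVOCATIONS)  # no overlap


if __name__ == "__main__":
    for label, crls in (("8h lifetime", CRLS_OK), ("6h lifetime", CRLS_TIGHT)):
        gaps = coverage_gaps(crls, DELAY, START + HOUR, START + 25 * HOUR)
        print(f"{label}: {len(gaps)} gap(s)", [(g[0].hour, g[1].hour) for g in gaps])
    for t in (9, 12.5, 13):
        print(f"serial 1001 at {t:>4}h:", check_status(1001, CRLS_OK, DELAY, START + t * HOUR))
```

With an 8-hour lifetime and 6-hourly publication the client is never without a valid CRL; with a 6-hour lifetime every publication cycle opens a one-hour hole in which a fail-closed client cannot validate anything (the DoS the reply warns about). The serial revoked at 06:30 is still reported "good" at 09:00 and 12:30 and only becomes "revoked" at 13:00, which is why a higher publication frequency, not deletion of the certificate, shortens the window.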