Re: Certificate Question
From: Nancy Kafer (nkafer_at_homesteaderslife.com)
Date: 08/25/04
- Next message: Paul Adare - MVP - Microsoft Virtual PC: "Re: Certificate Question"
- Previous message: Kevin D. Goodknecht Sr. [MVP]: "Re: Domain AUthentication Timeout Issue"
- In reply to: Lars Olaussen: "Re: Certificate Question"
- Next in thread: Paul Adare - MVP - Microsoft Virtual PC: "Re: Certificate Question"
- Reply: Paul Adare - MVP - Microsoft Virtual PC: "Re: Certificate Question"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 25 Aug 2004 08:20:25 -0500
Thanks to everyone for all of the input. I have Delta CRLs configured but we
are unable to use them because we are currently running Windows 2000
Professional on our laptops. The account in AD was already disabled so that
shouldn't be an issue and I tested yesterday to make sure the revoked
certificate wouldn't work. Everything should be locked out; I just was
wanting to try to get this machine cleaned up ASAP so we can get it ready
for the next user.
Thanks again for the input/suggestions.
Nancy
"Lars Olaussen" <Isolauss@hotmail.com> wrote in message
news:uLaDqNniEHA.536@TK2MSFTNGP11.phx.gbl...
> "Nancy Kafer" <nkafer@homesteaderslife.com> wrote...
> > 1) How can I make sure that the client machine is
> > using the most recent CRL?
>
> Nancy,
>
> As others already have pointed out, this is almost
> impossible in Windows. And as I've stated in a previous
> posting, you should lock the user account in Active
> Directory to be sure that the user is not granted access
> anymore (if this was the reason for making sure that
> the new CRL is used everywhere). The certificate is
> used for authentication, while AD (or other user db)
> shall provide authorization.
>
> You could also publish the certificate(s) to the "Untrusted
> Certificates" section of certificate store.
>
>
> > 2) Should the certificate that was revoked be deleted
> > from the machine? Once the certificate has been
> > revoked I would like to make sure the client machine
> > receives the CRL and deletes the certificate from the
> > local computer store. Seems to me at one point I
> > saw a place to configure the deletion of a revoked
> > certificate from the client machine but I can't seem
> > to find it now. Can anyone help me out?
>
> There should be no need to remove a revoked
> certificate as long as it is not a root certificate (self signed).
>
> A revoked certificate can only be used if the system
> settings allow for it, and this should never be allowed.
> Unfortunately, many systems allow for certificates to
> be used without full certificate validation. So, make sure
> that CRL checking is performed on all client computers,
> servers, and users.
>
> Since MS has added support for Delta CRLs, this can,
> as has also been mentioned already, be used to increase the
> (D)CRL publication frequency. But for most internal PKIs
> the CRL size will never be an issue, so publishing CRLs or
> Delta CRLs every few hours shouldn't make too much of
> a difference. But high issuing frequency is important and
> (D)CRLs should be published at least every day, if not
> several times a day, with a sufficient overlap to prevent
> DoS caused by network/publication propagation
> delays.
>
>
> Regards,
> Lars Olaussen
> Isolauss@hotmail.com
>
>
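The two points Lars makes above, that a revoked certificate must never pass validation and that CRLs need enough overlap to cover propagation delays, as an added Python example that is not part of this thread. It models only the CRL fields a relying party needs (issuer, thisUpdate, nextUpdate, revoked serials) with constructed sample data rather than parsing a real X.509 CRL, and computes how long clients would hold an expired CRL for a given publication interval, overlap and propagation delay.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

HOUR = timedelta(hours=1)

# Constructed model of the CRL fields a revocation check needs; not an X.509
# parser (a real client takes these from the DER-encoded CRL it downloaded).
@dataclass(frozen=True)
class Crl:
    issuer: str
    this_update: datetime
    next_update: datetime
    revoked_serials: frozenset

@dataclass(frozen=True)
class Cert:
    issuer: str
    serial: int

def check_revocation(cert: Cert, crl: Crl, now: datetime) -> str:
    """Return 'good', 'revoked' or 'unknown'.

    Fails closed: a CRL from another issuer, or one outside its
    thisUpdate..nextUpdate window, yields 'unknown', which the relying
    party must treat as a failed validation rather than as 'good'.
    """
    if crl.issuer != cert.issuer:
        return "unknown"
    if not (crl.this_update <= now <= crl.next_update):
        return "unknown"
    return "revoked" if cert.serial in crl.revoked_serials else "good"

def stale_window(publish_interval: timedelta, overlap: timedelta,
                 propagation_delay: timedelta) -> timedelta:
    """Time per publication cycle during which clients hold an expired CRL.

    CRL k is published at k*interval, reaches clients propagation_delay
    later, and expires at (k+1)*interval + overlap. Clients are stale from
    that expiry until CRL k+1 reaches them, so the gap is delay - overlap.
    """
    return max(propagation_delay - overlap, timedelta(0))

# Constructed sample data: the laptop's certificate (serial 0x1A2B) is revoked.
NOW = datetime(2004, 8, 25, 13, 20, tzinfo=timezone.utc)
FRESH_CRL = Crl("CN=Example Issuing CA", NOW - 6 * HOUR, NOW + 30 * HOUR,
                frozenset({0x1A2B}))
STALE_CRL = Crl("CN=Example Issuing CA", NOW - 72 * HOUR, NOW - 48 * HOUR,
                frozenset({0x1A2B}))
REVOKED_CERT = Cert("CN=Example Issuing CA", 0x1A2B)
VALID_CERT = Cert("CN=Example Issuing CA", 0x1A2C)
```

With a daily CRL and a 12-hour overlap, a 2-hour propagation delay leaves no stale window; cutting the overlap to 1 hour against a 3-hour delay leaves clients with an expired CRL for 2 hours per cycle, which is exactly the self-inflicted DoS the reply warns about.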