Re: Certificate revocation

From: s
Date: Sun, 12 Sep 2004 12:17:56 +0200

Hi

Is there a way to revoke a certificate so that the revocation takes
effect immediately?

Thanks
Shay

"Miha Pihler" <mihap-news@atlantis.si> wrote in message
news:ecodViKmEHA.2884@TK2MSFTNGP09.phx.gbl...
> Hi,
>
> How long it takes depends on your CRL publication configuration. If you
> left it at e.g. the default value of 1 week then yes, it could take that
> long for all the clients to get revocation information about newly
> revoked certificates. Windows 2003 CA and Windows XP also support delta
> CRLs that can be published every few hours with only the changes since
> the last full CRL was published.
>
> Even if you publish the CRL manually, a CRL has its "lifetime" and during
> this lifetime it is valid. As long as it is valid, clients can cache it
> and use it -- this among other things allows clients to work off-line
> when they can't download a new CRL. There is no 100% way to tell the
> client to go and get a new CRL. You could try to erase the cached CRL by
> deleting offline internet files, but like I said there is no 100% way to
> do it.
>
> Certificate revocation should not be your primary way to keep your users
> out of your systems. If you simply disable the user's account in e.g. the
> domain, this will keep them out practically immediately.
>
> Mike
>
> <s> wrote in message news:uw48eYKmEHA.2680@TK2MSFTNGP15.phx.gbl...
>> Hi
>>
>> I have installed CA server and issued certificates for the clients.
>>
>> Now I want to revoke some. How long will the revocation take to take
>> effect, so that those users cannot log on to the network? Can it take a
>> week?
>>
>> Thanks
>> Shay
>>
>>
>
>
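
The caching behaviour described in the quoted reply, as an added example that is not part of the original thread: a small simulation in which the client keeps using a cached CRL until its nextUpdate passes, so publishing a CRL manually right after revoking does not shorten the delay for that client. The `CRL`, `CA`, `Client` and `hours_until_rejected` names and the serial number are hypothetical, and a delta CRL is modelled simply as a CRL with a shorter lifetime.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class CRL:
    this_update: datetime
    next_update: datetime      # client may keep using the CRL until this time
    revoked: frozenset

class CA:
    def __init__(self, validity):
        self.validity, self.revoked, self.published = validity, set(), []

    def publish(self, now):
        self.published.append(CRL(now, now + self.validity, frozenset(self.revoked)))

    def latest(self, now):
        return max((c for c in self.published if c.this_update <= now),
                   key=lambda c: c.this_update)

class Client:
    def __init__(self, ca):
        self.ca, self.cache = ca, None

    def is_revoked(self, serial, now):
        # Download only when nothing is cached or the cached CRL has expired.
        if self.cache is None or now >= self.cache.next_update:
            self.cache = self.ca.latest(now)
        return serial in self.cache.revoked

def hours_until_rejected(validity_hours, client_has_cache=True, serial=0x1001):
    """Hours between revocation (with immediate manual publish) and rejection."""
    t0 = datetime(2004, 9, 6)                 # constructed start time
    ca = CA(timedelta(hours=validity_hours))
    client = Client(ca)
    ca.publish(t0)
    if client_has_cache:
        client.is_revoked(serial, t0)         # client caches the pre-revocation CRL
    for h in range(1, 24 * 14 + 1):
        now = t0 + timedelta(hours=h)
        if h == 1:                            # revoke, then publish manually
            ca.revoked.add(serial)
            ca.publish(now)
        if h % validity_hours == 0:           # scheduled publication
            ca.publish(now)
        if client.is_revoked(serial, now):
            return h - 1
    return None
```

With a one-week lifetime the caching client keeps accepting the certificate for 167 hours after revocation, with a four-hour lifetime for 3 hours, and a client with nothing cached rejects it at once.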
