Re: revoking ipsec certificate doesn't work

From: Franz Schenk (franz.schenkNOSPAM_at_fititNO-_SPAM.ch)
Date: 09/26/05


Date: Mon, 26 Sep 2005 11:15:54 +0200

Hi Brian

Thank you very much for your help! Your whitepaper explains the whole matter
to me, although this paper is hard to find: a search on MS TechNet with the
keywords "certificate revocation" reveals your whitepaper at position thirty
or so.

Some points are not clear to me. You write in your paper:
"Internet Protocol Security (IPSec)
CRL checking is not enabled by default in Windows 2000. With the release of
Windows 2000 SP2, an additional registry key was added that can enable CRL
checking for IPSec certificate-based authentication."

- Are my understanding and my experience correct that IPSec CRL checking is
not enabled by default also with Windows XP and with Windows XP SP2? At
least on my test machine, the registry key you mentioned is not present by
default.

- Is my conclusion correct that certificate revocation in combination with
IPSec doesn't work at all without distributing this registry key to all
client systems?

- Is the following also correct, that relying on certificate revocation in
an IPSec client/server environment is wrong when distributing certificates
to computers that are not members of the domain? (A malicious user with a
computer that does not belong to the domain can delete this registry key and
can use the certificate for IPSec VPN connections until the certificate
expires.)

Thank you in advance for your help!
Franz

"Brian Komar [MVP]" <bkomar@nospam.identit.ca> wrote in message
news:MPG.1d9e818bc33d44a69896ad@msnews.microsoft.com...
> In article <OC33ceEwFHA.3864@TK2MSFTNGP12.phx.gbl>,
> franz.schenkNOSPAM@fititNO-_SPAM.ch says...
>> Thank you for your information.
>>
>> It's possible to publish manually the update delta and full CRL using the
>> CA MMC SnapIn on the Server. I also have verified that this CRL is
>> published in AD and in a file.
>> Despite of that, my test VPN client (or the VPN server) never checks if
>> the certificate used for the L2TP/IPSec connection is revoked or not. The
>> Win XP SP2 client can establish the L2TP/IPSec VPN connection to the
>> Windows Server 2003 SP1 without any problem after the certificate was
>> revoked nearly a week ago.
>>
> <snip>
> There are a couple of possibilities here:
> 1) Did you enable CRL checking for IPSec? In my whitepaper on
> Certificate Status and Revocation, I include a section discussing CRL
> checking for IPSec connections. Ensure that you have enabled the
> following registry setting at both the client and the server (more so the
> server in your case):
> - HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PolicyAgent\Oakley\StrongCrlCheck
>
> This Reg_DWORD data type can be assigned values from 0-2, with the
> following meanings:
>
> - 0 - Disables CRL checking for certificate-based IPSec authentication
>
> - 1 - Enables CRL checking and fails the validation process only if the
> CRL explicitly indicates that the certificate is revoked. All other
> failures, including when the CDP URL is unavailable, will be ignored.
>
> - 2 - Enables CRL checking and fails certificate validation on any CRL
> check errors.
>
> For maximum validation, set a value of 2, although a value of 1 would
> work in your case.
>
> 2) The second issue may be that you have not modified the default CRL
> publication interval. The default value is to publish the base CRL every
> 7 days. If you look at the troubleshooting whitepaper, you will see that
> a client will not download an updated CRL if a time valid CRL exists in
> the client's cache. The client will only download an updated CRL when
> the previous CRL expires from the cache (as per RFC 3280). For the
> details, see the whitepaper at
> http://www.microsoft.com/technet/security/topics/cryptographyetc/tshtcrl.mspx
>
> Brian
>
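As an added example (not part of the thread and not Brian's whitepaper code), the following PowerShell audits the StrongCrlCheck value Brian describes and raises it to 2 when it is missing or weaker. Brian's advice points at the VPN server in particular: the server's own revocation check of the client certificate is the one a non-domain client cannot switch off, so this is the machine to run it on. The key path, value name and meanings come from the thread; the hashtable and function names are this example's own.

```powershell
# Added example: audit/enforce IPSec CRL checking via the StrongCrlCheck
# registry value from the thread. Run in an elevated PowerShell session.
$KeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent\Oakley'
$Name    = 'StrongCrlCheck'

# Meanings as given in Brian's post (0 = off, 1 = lenient, 2 = strict).
$Meaning = @{
    0 = 'CRL checking disabled for certificate-based IPSec authentication'
    1 = 'CRL checked; fails only if the CRL explicitly lists the cert as revoked'
    2 = 'CRL checked; any CRL check error fails certificate validation'
}

function Get-IpsecCrlCheck {
    # Returns the current DWORD value, or $null when the value is absent.
    # Absent is the default Franz observed on XP SP2: no CRL checking at all.
    $item = Get-ItemProperty -Path $KeyPath -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Set-IpsecCrlCheck {
    param([ValidateSet(0, 1, 2)][int]$Value = 2)
    # Create the Oakley key if it does not exist yet, then write the DWORD.
    if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
    New-ItemProperty -Path $KeyPath -Name $Name -PropertyType DWord `
        -Value $Value -Force | Out-Null
}

$current = Get-IpsecCrlCheck
if ($null -eq $current) {
    Write-Warning "$Name is not set: IPSec will not consult CRLs (the default)."
} else {
    Write-Output ('{0} = {1}: {2}' -f $Name, $current, $Meaning[$current])
}

# Enforce the strict setting Brian recommends for maximum validation.
if ($current -ne 2) {
    Set-IpsecCrlCheck -Value 2
    Write-Output "$Name set to 2 (strict CRL checking)."
}
```

Whether a reboot or a restart of the IPSec Policy Agent service is needed before the new value takes effect is not covered by the thread, so verify with a revoked test certificate afterwards. Keep Brian's second point in mind when testing: a still-valid cached CRL will be used until it expires, so a freshly revoked certificate may be accepted until the next CRL is fetched.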


