Re: CAn CRL and GPO
- From: Brian Komar [MVP] <bkomar@xxxxxxxxxxxxxxxxx>
- Date: Sat, 25 Feb 2006 19:25:41 -0600
In article <#CEz1MFOGHA.3284@xxxxxxxxxxxxxxxxxxxx>, emouchet@xxxxxxxx says...
> Hi,
> I have just installed a stand-alone CA. For security, it is a stand-alone
> server, not integrated in my local domain.
> Domain users use Outlook (2000, XP, and 2003) as mailer software.
> Is there a way to force Outlook to consult the CRL published by my
> stand-alone CA?
> Can I publish revoked certificates in my Active Directory or in a share
> directory?
> Can I use GPO?
> thanks for your help.
> fabrice
I am not sure why a standalone CA would be needed for security reasons,
but...
You can publish the CRL for a standalone CA to both web and LDAP
locations, it just is not automatic as with an enterprise CA.
- To publish the CRL to Active Directory, use:
certutil -dspublish -f <CRL file> RootCA
- To publish to a web site, just use any copy protocol to copy it to the
web folder location
You must also configure the CDP and AIA extensions at the standalone CA
so that the paths are included in all certificates issued by the CA.
You do not configure Outlook to look for the CRL per se. You must enable
CRL checking in Outlook. To do this, set the UseCRLChasing registry value
at each client to 1 (which is the default):
HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Outlook\Security
Value: "UseCRLChasing"
This DWORD value can be set to the following values to determine the
behavior of the Outlook client software:
0 = While online, check for Certificate Revocation
1 = Check for Certificate Revocation, even when offline (this is the
default value)
2 = Never check for Certificate Revocation
Brian
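An added example, not part of Brian's reply, showing the client-side setting he describes as a script rather than a manual registry edit: it writes UseCRLChasing for the three Outlook releases named in the question and reads it back with the meaning of each value. Only the Office 10.0 path appears in the post; treating 9.0 as Outlook 2000 and 11.0 as Outlook 2003 is an assumption, as is the final helper, which uses certutil -verify -urlfetch (a separate certutil mode, not mentioned above) to check that the CDP/AIA URLs embedded in a certificate issued by the standalone CA can actually be fetched. The certificate path is a placeholder.

```powershell
# Added example (not from the original post): set and verify Outlook's
# UseCRLChasing value, then check that a certificate's CDP/AIA URLs resolve.

# Office version numbers for the Outlook releases named in the question.
# Assumption: 9.0 = Outlook 2000, 10.0 = Outlook XP, 11.0 = Outlook 2003.
# Only the 10.0 key is quoted in the post.
$outlookVersions = @('9.0', '10.0', '11.0')

# Meaning of each DWORD value, as listed in the post.
$crlChasingModes = @{
    0 = 'check for revocation while online'
    1 = 'check for revocation even when offline (default)'
    2 = 'never check for revocation'
}

function Get-OutlookSecurityKey {
    param([string] $Version)
    return "HKCU:\Software\Microsoft\Office\$Version\Outlook\Security"
}

function Set-OutlookCrlChasing {
    param([ValidateSet(0, 1, 2)] [int] $Mode = 1)
    foreach ($v in $outlookVersions) {
        $key = Get-OutlookSecurityKey -Version $v
        if (-not (Test-Path $key)) {
            # Create the Security subkey if this Outlook version has not populated it yet.
            New-Item -Path $key -Force | Out-Null
        }
        New-ItemProperty -Path $key -Name 'UseCRLChasing' `
            -PropertyType DWord -Value $Mode -Force | Out-Null
    }
}

function Get-OutlookCrlChasing {
    foreach ($v in $outlookVersions) {
        $key = Get-OutlookSecurityKey -Version $v
        $value = (Get-ItemProperty -Path $key -Name 'UseCRLChasing' `
                    -ErrorAction SilentlyContinue).UseCRLChasing
        if ($null -eq $value) {
            $meaning = 'not set (Outlook default applies)'
        } else {
            $meaning = $crlChasingModes[[int]$value]
        }
        [pscustomobject]@{
            OfficeVersion = $v
            UseCRLChasing = $value
            Meaning       = $meaning
        }
    }
}

# Server-side check (assumption, not in the post): certutil -verify -urlfetch
# fetches every CDP and AIA URL in the certificate's chain and reports any
# that cannot be retrieved, which is how a stale or unreachable CRL shows up.
function Test-CertificateRevocationUrls {
    param([Parameter(Mandatory)] [string] $CertPath)
    $output = & certutil.exe -verify -urlfetch $CertPath 2>&1
    [pscustomobject]@{
        Certificate = $CertPath
        ExitCode    = $LASTEXITCODE
        Output      = ($output -join "`n")
    }
}

# Usage: enforce the default (1) on this client and show what is now set.
Set-OutlookCrlChasing -Mode 1
Get-OutlookCrlChasing | Format-Table -AutoSize

# Usage: C:\pki\issued-user.cer is a placeholder for a certificate exported
# from the standalone CA after the CDP/AIA extensions were configured.
# Test-CertificateRevocationUrls -CertPath 'C:\pki\issued-user.cer' | Format-List
```

Because the value lives under HKEY_CURRENT_USER, it must be written in each user's context; a missing value is reported separately from an explicit 0 or 2 so that a client where revocation checking was deliberately disabled is not mistaken for one that was never configured.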