Third party CRL checking question


Hello,
I'm trying to troubleshoot a revocation checking issue involving a third party CRL. I don't understand enough about how an imported third party CRL is supposed to work, so I'm not able to troubleshoot efficiently.

There's 1 CA (Windows 2003 single tier enterprise CA). I've imported the third party CRLs to the Intermediate Certification Authorities' local computer (physical) store; they show under Intermediate Certification Authorities' Certificate Revocation Lists when viewed using the Certificate Services MMC. Of course I also imported the third party's root CA cert (Trusted Root) and issuing CA cert (NTAuth) to our CA.

- After having imported the third party CRLs, are they published to the AD domain's CDP when clients (smartcard logon) need to check the third party CRL I've imported, or can I / do I need to manually publish them to the CDP?

I noticed that when checking the domain's CRL, it's 1 file named caname.crl, and the Revocation List tab doesn't seem to contain the third party CRLs I've imported; the most recent dates show July, and I've imported CRLs up until last week.

- When I go to the client, log in as the client user and check the personal certificate (for smartcard logon) that was issued, the Details tab's CRL Distribution Point points to the external third party's website, not our domain's distribution point. How is it supposed to be? What's the point of having imported the CRLs to our CA if it's going to go out to the external site to check the CRL, and not our domain's CDP?



You are combining 2 separate processes, and confusing the two: chain building vs revocation checking.
For chain building, the chain is built from the available certificate stores.
- Adding the CAs to the Trusted Root store and Intermediate stores in AD allows 2000+ clients to build trusted chains to the forest root CA.
- Adding the issuing CA of the foreign chain allows smart card logon certificates from that CA (or web authentication certificates).

But, you cannot override the revocation publication point (CRL). It is still going to read the certificates, and use the CDP extension in the certificate. Remember the certificate is a signed object, and the CRL location is going to be read from the CDP.

That being said, for a Windows Vista or Windows 7 client, it is possible to have the client go to an OCSP responder you designate via Group Policy. You can add the CA certificate (root or intermediate) to the relevant GPO (Root CAs or Intermediate CAs), and designate a custom OCSP responder to use.

Brian
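As an added check (not part of Brian's answer or the original thread), the following PowerShell, run on the client as the smart card user, decodes the CRL Distribution Points extension of each Smart Card Logon certificate in the personal store and then lets certutil fetch the revocation data, which shows which URL is actually consulted. It assumes the standard Smart Card Logon EKU and CDP extension OIDs; the exact certutil output lines vary by Windows version.

```powershell
# Added example: show where revocation checking for a smart card logon
# certificate will actually go, by reading the CDP extension from the
# certificate itself and then letting certutil fetch from that location.
$SmartCardLogonEku = '1.3.6.1.4.1.311.20.2.2'   # standard Smart Card Logon EKU OID
$CdpOid            = '2.5.29.31'                # id-ce-cRLDistributionPoints

# Personal certificates of the logged-on user that carry the Smart Card Logon EKU
$certs = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $SmartCardLogonEku }

foreach ($cert in $certs) {
    Write-Host "Subject : $($cert.Subject)"
    Write-Host "Issuer  : $($cert.Issuer)"

    $cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq $CdpOid }
    if ($cdp) {
        # Format($true) decodes the ASN.1 into readable URLs. This is the
        # location the client will use, regardless of which CRLs were
        # imported into the local or enterprise stores.
        Write-Host "CDP extension (decoded):"
        Write-Host $cdp.Format($true)
    } else {
        Write-Host "No CDP extension: the client has no CRL location for this cert"
    }

    # Export the certificate and let certutil walk the chain and fetch every
    # CDP/AIA URL; the filtered output lists each URL tried and the result.
    $tmp = Join-Path $env:TEMP ("sclogon-{0}.cer" -f $cert.Thumbprint)
    [IO.File]::WriteAllBytes($tmp, $cert.Export('Cert'))
    certutil -verify -urlfetch $tmp |
        Select-String -Pattern 'CDP|CRL|Revocation|http|ldap'
    Remove-Item $tmp
    Write-Host ('-' * 60)
}
```

If the decoded CDP shows only the third party's URL, that is the location the client must be able to reach (or an OCSP responder designated by Group Policy on Vista/7 clients, as Brian describes).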

