none
UAG with CRL's

    Question

  • Questions on CRLS for DA over UAG,

    1) If I have a public cert for IP-HTTPS connections I don;t need to expose a CRL to the internet?  Correct?

    2) UAG uses a dedicated network location server so it does not need a CRL on the intranet?  correct?

    3) The purpose of a CRL (with the above two conditions) would be for high avalibility with UAGs ability to authenticate client certs?

    4) Right now my client certs work fine for DA with the CRL distribution point bieng LDAP of CA.  Is this true?  Is there anything wrong with this solution?

    Thanks

    Tuesday, February 28, 2012 1:17 AM

All replies

  • Hi,

    Yes for the first point

    For the second point, it depend on how you configure your ADCS role. If installed in enterprise mode, CRL is available in Active Directory. By default, a CRL will be created on the ADCS server.

    Third point : Certificate revocation list is an information included in delivered certificates. We must provide high availability for this service.

    Fourth point : Yes it works. Best practices recommands to publish CRL to another location than the ADCS server


    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx

    Tuesday, February 28, 2012 7:58 AM