about "revocation check for certificate failed"

    Question

  • When I used Win7 to access the UAG portal, a pop-up alert said "a revocation check for certificate failed; the revocation server might not be available". I think it was a problem with the CRL, but how can I set it up? Should I publish the CRL to the public?

    The server is Win2008 SP1 & UAG SP1.

    THX

    Wednesday, September 07, 2011 8:03 AM

Answers

  • If you want to use a private PKI for your certificates, you can use UAG to publish the CRL. Tarun Sachdeva wrote a really nice guide for that, published at Tom Shinder's blog, linked below.

    http://blogs.technet.com/b/tomshinder/archive/2010/08/03/how-to-configure-uag-to-publish-your-private-certificate-revocation-list.aspx

    However, you should note that the only computers that will trust these certificates by default are going to be computers that are members of the same domain as the server that issued the certificates (unless you import the issuing CA's certificate to the remote computer's certificate store).  This means if you are trying to publish applications to people that will be accessing them from computers outside their domain, like their own personal computers at home for example, they will not trust the certificate.  If you are only publishing the apps for people that are using domain member computers, for example a company owned laptop, then they will trust the certificate as long as it can validate the certificate against the CRL.

    For those reasons, it's generally better to use a third-party certificate that is already trusted by Windows computers and has its own CRL published. Personally I like DigiCert.com for public wildcard certificates to use with UAG. They are trusted and inexpensive. Even Facebook uses them for their HTTPS site.


    MrShannon | Concurrency Blogs | UAG SP1 DirectAccess Configuration Guide
    • Proposed as answer by MrShannonMVP Wednesday, September 07, 2011 2:15 PM
    • Marked as answer by cookie king Wednesday, September 21, 2011 6:05 AM
    Wednesday, September 07, 2011 2:15 PM

All replies

  • Hi Cookie King,

    I'd like to recommend you to use a public SSL certificate (from a Trustcenter of your choice). Everything else is most likely too complex, expensive (time=money) and in addition very user-unfriendly.

    If you nevertheless want to use your internal PKI for UAG portal access, then you have to make sure the internal CRLs are accessible over the internet. Using a dedicated trunk (CRLs are accessed anonymously) may be an option for you. But also feel free to place the CRLs (and sync them frequently) on an external web server of your choice. All that has to match in this case is the CRL download location (HTTP URL) specified in your SSL certs...

    -Kai

    Wednesday, September 07, 2011 8:15 AM
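Both answers in this thread come down to the same check the Win7 client performs: it reads the CRL Distribution Point (CDP) URL out of the portal certificate, tries to download the CRL from that URL, verifies the CRL was signed by the issuing CA and is still current, and only then looks the certificate's serial number up. If the download fails (CRL only reachable on the intranet) the status is "unknown", which is what the "revocation server might not be available" message reports. The following is an added example, not code from this thread or from UAG, written in Python with the `cryptography` package (assumed installed). The CA, the portal certificate, the CRL, the CDP URL `http://crl.example.com/private-ca.crl` and the `published` dict that stands in for the web server the CDP points at are all constructed in memory for the example.

```python
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import ExtensionOID, NameOID

# Hypothetical CDP URL (constructed for this example). Whatever URL the
# certificate carries must be fetchable by every client that validates it.
CDP_URL = "http://crl.example.com/private-ca.crl"


def _now():
    return datetime.datetime.now(datetime.timezone.utc)


def _cert(subject, issuer, pubkey, signer, extensions):
    """Sign a 30-day certificate; helper shared by the CA and portal certs."""
    b = (x509.CertificateBuilder()
         .subject_name(subject).issuer_name(issuer).public_key(pubkey)
         .serial_number(x509.random_serial_number())
         .not_valid_before(_now() - datetime.timedelta(minutes=5))
         .not_valid_after(_now() + datetime.timedelta(days=30)))
    for ext, critical in extensions:
        b = b.add_extension(ext, critical)
    return b.sign(signer, hashes.SHA256())


def build_pki(revoke_portal=False):
    """Private CA, portal certificate carrying a CDP, and a CRL signed by the CA.
    With revoke_portal=True the CRL lists the portal certificate's own serial."""
    ca_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    ca_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Private CA")])
    ca_cert = _cert(ca_name, ca_name, ca_key.public_key(), ca_key,
                    [(x509.BasicConstraints(ca=True, path_length=None), True)])
    srv_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    cdp = x509.CRLDistributionPoints([x509.DistributionPoint(
        full_name=[x509.UniformResourceIdentifier(CDP_URL)],
        relative_name=None, reasons=None, crl_issuer=None)])
    srv_cert = _cert(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "portal.example.com")]),
                     ca_name, srv_key.public_key(), ca_key, [(cdp, False)])
    revoked_serial = srv_cert.serial_number if revoke_portal else srv_cert.serial_number + 1
    revoked = (x509.RevokedCertificateBuilder().serial_number(revoked_serial)
               .revocation_date(_now()).build())
    crl = (x509.CertificateRevocationListBuilder().issuer_name(ca_name)
           .last_update(_now()).next_update(_now() + datetime.timedelta(days=7))
           .add_revoked_certificate(revoked).sign(ca_key, hashes.SHA256()))
    return ca_cert, srv_cert, crl


def cdp_urls(cert):
    """URLs listed in the certificate's CRL Distribution Points extension, if any."""
    try:
        ext = cert.extensions.get_extension_for_oid(ExtensionOID.CRL_DISTRIBUTION_POINTS)
    except x509.ExtensionNotFound:
        return []
    return [name.value for dp in ext.value for name in (dp.full_name or [])
            if isinstance(name, x509.UniformResourceIdentifier)]


def revocation_status(cert, ca_cert, published):
    """The client-side decision. `published` maps CDP URL -> DER CRL bytes and
    stands in for an HTTP fetch of that URL (a missing key = unreachable).
    Returns 'good', 'revoked' or 'unknown'; 'unknown' is the state behind the
    "revocation server might not be available" message."""
    for url in cdp_urls(cert):
        der = published.get(url)
        if der is None:
            continue                      # CDP URL not reachable from this client
        crl = x509.load_der_x509_crl(der)
        # Accept only a CRL that the issuing CA really signed ...
        if crl.issuer != ca_cert.subject or not crl.is_signature_valid(ca_cert.public_key()):
            continue
        # ... and that is still current (older library versions expose a naive next_update).
        nxt = getattr(crl, "next_update_utc", None)
        if nxt is None:
            nxt = crl.next_update.replace(tzinfo=datetime.timezone.utc)
        if nxt < _now():
            continue                      # stale CRL gives no usable answer
        if crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None:
            return "revoked"
        return "good"
    return "unknown"


def demo():
    """Three outcomes: CRL published at the CDP URL, CRL unreachable from the
    client (e.g. intranet-only), and a portal certificate that is revoked."""
    ca_cert, srv_cert, crl = build_pki()
    published = {CDP_URL: crl.public_bytes(serialization.Encoding.DER)}
    ca2, srv2, crl2 = build_pki(revoke_portal=True)
    published2 = {CDP_URL: crl2.public_bytes(serialization.Encoding.DER)}
    return (revocation_status(srv_cert, ca_cert, published),
            revocation_status(srv_cert, ca_cert, {}),
            revocation_status(srv2, ca2, published2))


if __name__ == "__main__":
    print(demo())   # ('good', 'unknown', 'revoked')
```

The middle case is the one the original poster hit: the certificate is otherwise valid, but because the client cannot fetch the CRL named in the CDP it cannot say "good" or "revoked", so Windows reports the revocation server as unavailable. Publishing the CRL (through a UAG trunk or a synced external web server) at exactly the URL the certificate carries turns that case into the first one; a mismatched URL or a CRL past its next-update time still yields "unknown".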