Push out CRL with group policy

  • Question

  • I have been able to deploy a cert via group policy < http://technet.microsoft.com/en-us/library/cc770315(v=ws.10).aspx >. I need to know how to deploy the certificate revocation list for the cert. The cert is from VeriSign and also has two .crl files that need to be installed on all users' computers. If someone could point me in the right direction, that would be great.

    thank you,

    Mark


    Monday, February 27, 2012 4:25 PM

Answers

  • Hi,

    Thanks for your posting.

    A Certificate Revocation List (CRL) can be updated from the URLs defined in the certificate's CRL Distribution Point (CDP). These URLs can be HTTP, FTP, LDAP or FILE addresses, but they are all defined and set by the Certificate Authority.

    A CRL has a validity period; in most cases this is a period of time from 12 hours to some months. You can check the “Next update” time from your .crl file. Double click your .crl file-->General-->Next update

    Why we need CRL?
    Revocation of a certificate invalidates a certificate as a trusted security credential prior to the natural expiration of its validity period. There are a number of reasons why a certificate, as a security credential, could become untrustworthy prior to its expiration. Examples include:

    Compromise, or suspected compromise, of the certificate subject's private key.
    Compromise, or suspected compromise, of a certification authority's private key.
    Discovery that a certificate was obtained fraudulently.
    Change in the status of the certificate subject as a trusted entity.
    Change in the name of the certificate subject.

    These reasons all apply to a scenario in which you may not trust a certificate, but I think your workstations will always trust that purchased certificate until that certificate expires. And if one day you don’t need that certificate or you don’t trust that certificate, just remove or update it from your deployed application.

    So for your current scenario, there is no need to, and you cannot, update that CRL for your offline (no internet connection) workstations.

    For more information please refer to following MS articles:

    Certificate revocation
    http://technet.microsoft.com/en-us/library/cc739845(v=ws.10).aspx
    Specify certificate revocation list distribution points in issued certificates
    http://technet.microsoft.com/en-us/library/cc773036(v=ws.10).aspx
    Revoking certificates and publishing CRLs
    http://technet.microsoft.com/en-us/library/cc782162(v=WS.10).aspx

    Lawrence

    TechNet Community Support

    • Proposed as answer by IT Smurf Wednesday, February 29, 2012 1:43 PM
    • Marked as answer by Lawrence, Thursday, March 1, 2012 1:12 AM
    Wednesday, February 29, 2012 1:59 AM
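The checks Lawrence describes by clicking through the certificate and .crl dialogs can be done from an elevated PowerShell prompt. This is an added example, not code from the thread; the file paths `C:\PKI\vendor.cer` and `C:\PKI\vendor.crl` are placeholders, and the final import is only relevant to the isolated-workstation case Mark asked about.

```powershell
# Added example (not from the thread). Placeholder paths for the vendor
# certificate and one of its CRL files; substitute your own.
$certPath = 'C:\PKI\vendor.cer'
$crlPath  = 'C:\PKI\vendor.crl'

# 1. Where will Windows fetch the CRL from? Read the CRL Distribution Points
#    extension (OID 2.5.29.31) directly from the certificate instead of
#    clicking Details-->CRL Distribution Points.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $certPath
$cdp  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
if ($cdp) { 'CDP URLs:'; $cdp.Format($true) } else { 'Certificate carries no CDP extension' }

# 2. How long is the shipped .crl file good for? certutil -dump prints the
#    ThisUpdate / NextUpdate fields shown on the General tab.
certutil -dump $crlPath | Select-String 'ThisUpdate|NextUpdate'

# 3. Build the chain and fetch revocation data the way a client would.
#    On a workstation with no route to the CDP this is where revocation
#    checking fails, which is the offline case discussed in the thread.
certutil -verify -urlfetch $certPath | Select-String 'Revocation|Expired|ERROR'

# 4. Only for isolated machines: place the CRL in the local machine's
#    Intermediate Certification Authorities store so chain building can use
#    it without network access. Requires an elevated prompt; the same
#    command can run from a GPO startup script. -f overwrites an older copy.
certutil -addstore -f CA $crlPath
```

Step 4 needs repeating before each NextUpdate passes, since an expired CRL is treated as missing revocation information.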

All replies

  • You can use certmgr.exe http://msdn.microsoft.com/en-us/library/e78byta0%28v=vs.80%29.aspx :

    /CRL

    Adds or deletes CRLs. Displays CRLs when used without the /add, /delete, or /put options.

    Monday, February 27, 2012 4:42 PM
  • Hi,

    Thanks for your posting.

    I think maybe you misunderstand certificates and certificate revocation lists (CRL).

    That certificate you get from VeriSign is, of course, issued by VeriSign. That certificate is trusted automatically by all of your workstations, so there is no need to deploy that certificate to your clients. MS systems trust certificates issued by well-known Certificate Authorities (including VeriSign), since all root certificates of these well-known CAs are built into the MS system.

    You can check it: run mmc-->File-->Add/Remove Snap-in-->Certificate-->Add-->Computer Account-->Local computer-->Trusted Root Certification Authorities-->Certificates

    Also there is no need to push the CRL to your clients. Double click your VeriSign certificate-->Details-->CRL Distribution Points-->URL

    You can find a website URL there; the workstation will contact that URL to renew the CRL if needed.

    For more information please refer to following MS articles:

    CA Maintenance
    http://technet.microsoft.com/en-us/library/cc782041(v=WS.10).aspx
    Certificate revocation
    http://technet.microsoft.com/en-us/library/cc739845(v=ws.10).aspx
    Revoking certificates and publishing CRLs
    http://technet.microsoft.com/en-us/library/cc782162(v=WS.10).aspx

    Hope this helps, any confusion or further questions please let us know.


    Lawrence

    TechNet Community Support

    Tuesday, February 28, 2012 8:15 AM
  • Thanks Lawrence,

    I was able to install the certificate that was given to us by a vendor, via a group policy http://technet.microsoft.com/en-us/library/cc770315(v=ws.10).aspx

    They also had two crl files that need to be installed, I am guessing now, only if we install manually and the workstation has no internet access.

    Let's see if I understand this or not. Once the certificate is installed, the workstation will install the CRL if needed from the URL provided in the Cert?

    thanks for your input on this subject.

    Mark.


    Tuesday, February 28, 2012 4:58 PM
  • Hello,

    Thank you for the detailed explanation and the URLs for further information. I believe I understand the concept now, and your explanation is greatly appreciated and has answered my initial question.

    Thank you,


    Wednesday, February 29, 2012 1:18 PM