DirectAccess 2012 and CRL publish

  • Question

  • Hi, is it possible or recommended to publish an internal PKI's CRL through a 2012 DA server?

    I haven't found any documents, but with an edge configuration, adding an additional IP address to a new IIS site and creating the appropriate Windows Firewall rules, could it be done?

    thanks,

    Monday, May 27, 2013 6:40 AM

Answers

  • Hi

    Technically speaking, a CRL is valid until expiration. So if your DirectAccess clients have a valid CRL in cache, there is no problem. With OCSP, it's a little bit tricky because revocation checking is performed online. As long as you have a valid CRL, the IPHTTPS protocol will work.

    Now CRL publishing. It's a simple HTTP URL, so you can publish it. You just have to include it in the CDP on your ADCS and generate your IPHTTPS certificate. Otherwise, your certificate won't include your public CDP and you will not be able to perform CRL checking. If you have a doubt about your CRL publication, just use CERTUTIL.EXE -URL <URL of public CDP> or activate the CAPI2 event log on your client computer.

    By design, you can use your URA server to publish a CRL (IIS is already installed). You just have to create a share and allow your ADCS server to publish the CRL to that location.


    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx

    • Marked as answer by oraat Monday, May 27, 2013 11:30 AM
    Monday, May 27, 2013 11:10 AM
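    As an added, worked example of what the accepted answer describes (this is not code from the thread, from the answerer, or from Microsoft's documentation): host the CRL on the DirectAccess/URA server's own IIS on a dedicated public IP, let the CA publish into a share there, add the public HTTP URL to the CA's CDP, and then check the result with certutil and the CAPI2 log. The host names DA01 and CA01, the domain CONTOSO, the external address 203.0.113.10, the share name CRLD$, the CDP host crl.example.com and all paths are assumptions; the three sections run on different machines (DA server, CA, a client) and are not meant to run as one script.

```powershell
# Added example, not from the thread. Three sections, each run as an administrator on a
# different host. Assumed names (replace them): DA/URA server DA01 with external IP
# 203.0.113.10, CA host CA01 in domain CONTOSO, public CDP host name crl.example.com.

# ---- 1. On the DirectAccess (URA) server: folder, share, IIS site, firewall rule ----
Import-Module WebAdministration

$CrlPath   = 'C:\inetpub\CRLD'
$CaAccount = 'CONTOSO\CA01$'        # the CA's computer account writes the CRL over SMB
$ExtIp     = '203.0.113.10'         # additional public IP dedicated to the CRL site

New-Item -Path $CrlPath -ItemType Directory -Force | Out-Null

# NTFS: only the CA computer account may write; IIS serves the files read-only.
$acl  = Get-Acl -Path $CrlPath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $CaAccount, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $CrlPath -AclObject $acl

# Hidden share the CA publishes into (share-level Full access for the CA account only).
New-SmbShare -Name 'CRLD$' -Path $CrlPath -FullAccess $CaAccount | Out-Null

# Dedicated IIS site bound to the extra IP on port 80. CDP URLs must be plain HTTP:
# an HTTPS CDP would need a revocation check of its own certificate to fetch the CRL.
New-Website -Name 'CRLD' -IPAddress $ExtIp -Port 80 -PhysicalPath $CrlPath | Out-Null
# Delta CRL file names contain '+'; IIS request filtering rejects the encoded '+' unless
# double escaping is allowed on this site.
Set-WebConfigurationProperty -PSPath 'IIS:\Sites\CRLD' `
    -Filter 'system.webServer/security/requestFiltering' `
    -Name 'allowDoubleEscaping' -Value $true

# Let Internet clients reach the CRL site, and nothing else, on the extra address.
New-NetFirewallRule -DisplayName 'CRL distribution point (HTTP)' -Direction Inbound `
    -Protocol TCP -LocalPort 80 -LocalAddress $ExtIp -Action Allow | Out-Null

# ---- 2. On the CA (CA01): publish to the share and put the public URL in the CDP ----
# CRLPublicationURLs entries are "flags:URL". 1 = publish CRLs here, 64 = publish delta
# CRLs here (1+64 = 65 for the share); 2 = include in the CDP extension of issued certs,
# 4 = include in CRLs so clients can find the delta CRL (2+4 = 6 for the HTTP URL).
# %3 = CA name, %8 = CRL name suffix, %9 = delta CRL suffix. A literal \n separates entries.
$crlUrls = '1:C:\Windows\system32\CertSrv\CertEnroll\%3%8%9.crl' +
           '\n65:\\DA01\CRLD$\%3%8%9.crl' +
           '\n6:http://crl.example.com/%3%8%9.crl'
certutil -setreg 'CA\CRLPublicationURLs' $crlUrls
Restart-Service -Name CertSvc
certutil -crl                      # publish a fresh base (and delta) CRL to every location now
# Certificates issued from here on carry the public CDP; reissue the IP-HTTPS certificate.

# ---- 3. On a DirectAccess client (or any Internet host): verify what clients will see ----
# Fetch every AIA/CDP URL in the IP-HTTPS server certificate and report each retrieval.
certutil -verify -urlfetch .\iphttps-server.cer
# Interactive URL Retrieval Tool on the same certificate, as the answer suggests.
certutil -URL .\iphttps-server.cer
# Record chain building and revocation checks in the CAPI2 Operational log, then read it.
wevtutil sl Microsoft-Windows-CAPI2/Operational /e:true
Get-WinEvent -LogName 'Microsoft-Windows-CAPI2/Operational' -MaxEvents 50 |
    Where-Object { $_.Message -like '*crl.example.com*' } |
    Format-List TimeCreated, Id, Message
```

    Section 3 is the check that matters for the cache question raised in the thread: run it from a host that is not yet connected to DirectAccess, so that the CDP is fetched over the Internet exactly as a client with an expired cached CRL would have to fetch it before the IP-HTTPS tunnel exists.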

All replies

  • Hello,

    Yes, through DirectAccess the client could access the internal PKI CRL.


    Follow me on Twitter http://www.twitter.com/liontux | My Blog (French/English) : http://security.sakuranohana.fr/

    Monday, May 27, 2013 7:37 AM
  • Hi,

    I'm not saying your suggestion does not work, but are you sure this is the right way?

    I think the CRL should be available BEFORE the DirectAccess client makes the DA connection?

    Like with any other SSL service, you check the CRL first, and only after that do you make the SSL connection (based on whether the certificate is still valid).

    thanks,

    oraat


    • Edited by oraat Monday, May 27, 2013 7:51 AM
    Monday, May 27, 2013 7:50 AM
  • I'd say "it depends". Your initial post does not give all the details.

    Are you using an internal certificate for IP-HTTPS? If yes, then you need the CRL to be published.

    If not (e.g. you have bought a cert from Verisign, Thawte etc.), then I'd say no, it is not necessary. The client will do CRL checks as needed when connected. It is not needed for the connection process. To add to that, I am not a fan of exposing more than necessary publicly.


    Hth, Anders Janson Enfo Zipper

    Monday, May 27, 2013 8:30 AM
  • Hi,

    Yes, I'm using internal certificates, otherwise this would not even be a relevant question.

    Public CAs have their own CRL CDPs, so we don't need our own CRL CDP.

    I think the client will do the certificate check when its CRL cache has expired, not as needed.

    If the client had an expired CRL for some reason, I think it could not connect with IPHTTPS if it cannot reach the CRL, which in your suggestion would be obtained _after_ the DA connection is up.

    thanks,

     oraat

    Monday, May 27, 2013 9:11 AM
  • >By design, you can use your URA server to publish a CRL (IIS is already installed).

    This is just the information I needed. I already have an HTTP CDP in the certificates.

    Thanks !

    Monday, May 27, 2013 11:30 AM