CRL check for certificate based authentication

  • Question

  • Hi,

    could it be that UAG (respectively IIS 7.5) does not check the CRL of an authentication certificate (either smart card or other) by default?

    Best regards

    Thomas

    Thursday, November 11, 2010 8:38 AM

Answers

  • Hi Thomas,

    Have you made any progress on this?

    If not, sorry to ask the obvious, but is the client certificate revocation verification enabled? To check that, please execute the following:
    netsh http show sslcert ipport=nnn.nnn.nnn.nnn:443
    and replace nnn.nnn.nnn.nnn with your trunk’s IP address. Check out the Verify Client Certificate Revocation value in the output of the above command.

    Regards,


    -Ran
    Thursday, November 25, 2010 10:47 AM

All replies

  • Hi Thomas,

    Are you sure that the CRL has not been already downloaded by IIS before a certificate has been revoked, and since the CRL is still valid, IIS does not fetch a new one?

    Regards,


    -Ran
    Thursday, November 11, 2010 10:22 AM
  • Hi Ran,

    I have checked with certutil -URLCache crl on the UAG, there is no cached CRL (only one from MS Update). On IAG 2007 this seems to work (I have an older machine with the same configuration where I have just checked it). In TMG log I cannot see any requests (HTTP or LDAP) trying to retrieve the CRL from one of the CDPs.

    Best regards

    Thomas

    Thursday, November 11, 2010 11:08 AM
  • Hi Ran,

    just got time to verify it in my demo environment:

    SSL Certificate bindings:
    ------------------------

        IP:port                 : 128.1.0.82:443
        Certificate Hash        : 20456fec2d60fc5718ebd56286cb5576e54026e6
        Application ID          : {4dc3e181-e14b-4a21-b022-59fc669b0914}
        Certificate Store Name  : MY
        Verify Client Certificate Revocation    : Enabled
        Verify Revocation Using Cached Client Certificate Only    : Disabled
        Usage Check    : Enabled
        Revocation Freshness Time : 0
        URL Retrieval Timeout   : 0
        Ctl Identifier          : (null)
        Ctl Store Name          : (null)
        DS Mapper Usage    : Disabled
        Negotiate Client Certificate    : Disabled

    I checked the CRL Cache with certutil but no CRL was retrieved.

    Any further ideas?

    Best regards

    Thomas

    Thursday, December 2, 2010 10:27 AM
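As an added example (not part of any post in this thread, and not a UAG or IIS tool), the following PowerShell script parses the `netsh http show sslcert` output that Ran asked for, one object per SSL binding, and flags the HTTP.SYS settings that decide whether a revoked client certificate is still accepted. The function names `Get-SslCertBinding` and `Test-ClientCertRevocationConfig` are my own, and the regular expressions assume the English-language field names shown above. The sample input is the binding Thomas pasted above, quoted from the thread rather than freshly captured.

```powershell
# Added example: audit client-certificate revocation settings on HTTP.SYS SSL bindings.
# Parses "netsh http show sslcert" output (English field names assumed).

function Get-SslCertBinding {
    param(
        # Lines of "netsh http show sslcert" output; defaults to running the command
        # locally (requires an elevated prompt on the UAG/IIS host).
        [string[]]$NetshOutput = (& netsh http show sslcert)
    )
    $bindings = @()
    $current  = $null
    foreach ($line in $NetshOutput) {
        # A new binding starts at an "IP:port" (or "Hostname:port") line.
        if ($line -match '^\s*(IP:port|Hostname:port)\s*:\s*(\S+)') {
            if ($current) { $bindings += [pscustomobject]$current }
            $current = [ordered]@{ Binding = $Matches[2] }
            continue
        }
        # Every other "Name : Value" line belongs to the binding currently being read.
        if ($current -and $line -match '^\s*(.+?)\s*:\s*(.*?)\s*$') {
            $current[$Matches[1]] = $Matches[2]
        }
    }
    if ($current) { $bindings += [pscustomobject]$current }
    return $bindings
}

function Test-ClientCertRevocationConfig {
    param([Parameter(ValueFromPipeline = $true)] $Binding)
    process {
        $findings = @()
        if ($Binding.'Verify Client Certificate Revocation' -ne 'Enabled') {
            $findings += 'Verify Client Certificate Revocation is not Enabled: revoked client certificates are accepted'
        }
        if ($Binding.'Verify Revocation Using Cached Client Certificate Only' -eq 'Enabled') {
            $findings += 'Cached-only revocation checking: HTTP.SYS never downloads a CRL it does not already have'
        }
        # Per the netsh http documentation, a Revocation Freshness Time of 0 means the
        # cached CRL is only replaced once it expires, so a certificate revoked after
        # the CRL was cached stays valid until the CRL's next update (Ran's first question).
        if ([int]$Binding.'Revocation Freshness Time' -eq 0) {
            $findings += 'Revocation Freshness Time is 0: cached CRL refreshed only on expiry'
        }
        [pscustomobject]@{
            Binding   = $Binding.Binding
            Status    = if ($findings) { 'REVIEW' } else { 'OK' }
            Findings  = $findings -join '; '
        }
    }
}

# Constructed sample: the binding quoted in Thomas's post above.
$sample = @'
SSL Certificate bindings:
------------------------

    IP:port                 : 128.1.0.82:443
    Certificate Hash        : 20456fec2d60fc5718ebd56286cb5576e54026e6
    Application ID          : {4dc3e181-e14b-4a21-b022-59fc669b0914}
    Certificate Store Name  : MY
    Verify Client Certificate Revocation    : Enabled
    Verify Revocation Using Cached Client Certificate Only    : Disabled
    Usage Check    : Enabled
    Revocation Freshness Time : 0
    URL Retrieval Timeout   : 0
    Ctl Identifier          : (null)
    Ctl Store Name          : (null)
    DS Mapper Usage    : Disabled
    Negotiate Client Certificate    : Disabled
'@ -split "`r?`n"

Get-SslCertBinding -NetshOutput $sample | Test-ClientCertRevocationConfig | Format-List

# Live audit of every binding on this host (elevated prompt):
# Get-SslCertBinding | Test-ClientCertRevocationConfig | Format-Table -AutoSize
```

On Thomas's sample the script reports revocation checking enabled and not cached-only, with one review item: the freshness time of 0, which is the default and is why a CRL that was already cached keeps being trusted until its expiry. The script only reads HTTP.SYS state; it does not show whether a CRL download was attempted, so `certutil -URLCache crl` (as Thomas used) and the CDP server's access log remain the places to confirm that a fetch actually happened.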
  • Hi Ran,

    I did some more investigations on this. One thing I forgot is to publish the CRL ;-) At some point I got the revocation working (i.e. my revoked certificate was rejected), however I did some more testing and I could not really reproduce the behaviour. Every time I try to access the UAG site with a revoked certificate I get access. I tried to delete the CRLs and to decrease the Revocation Freshness Time but I still can access it.

    Best regards

    Thomas

    Monday, December 6, 2010 1:25 PM
  • Finally the revocation worked. I am still not able to verify when the CRL is accessed; even when I delete the local CRL cache, it is not accessed. Maybe the trigger is something else. Anyway I guess it works as designed. I would wish for some more transparency though.

    Monday, December 6, 2010 3:30 PM