Questions on CRLs for DA over UAG:
1) If I have a public cert for IP-HTTPS connections I don't need to expose a CRL to the internet? Correct?
2) UAG uses a dedicated network location server so it does not need a CRL on the intranet? Correct?
3) The purpose of a CRL (with the above two conditions) would be for high availability with UAG's ability to authenticate client certs?
4) Right now my client certs work fine for DA with the CRL distribution point being LDAP of CA. Is this true? Is there anything wrong with this solution?
Yes for the first point.
For the second point, it depends on how you configure your ADCS role. If installed in enterprise mode, the CRL is available in Active Directory. By default, a CRL will be created on the ADCS server.
Third point: The certificate revocation list is information included in delivered certificates. We must provide high availability for this service.
Fourth point: Yes, it works. Best practices recommend publishing the CRL to a location other than the ADCS server.
BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx
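The fourth point above (an LDAP-only CRL distribution point works, but the CRL should also be published somewhere other than the ADCS server) can be checked on a concrete certificate. The following PowerShell script is an added example, not code from the thread or from the answerer: it reads a certificate file, lists the URLs in its CRL Distribution Points extension (OID 2.5.29.31), flags the case where every CDP is LDAP (reachable only by clients with directory access, such as the UAG server on the intranet), and finally asks certutil to fetch each CDP so you can see whether the CRL is actually retrievable and current. The certificate path is a placeholder assumption.

```powershell
# Added example (not from the original thread): enumerate a certificate's
# CRL Distribution Points and flag LDAP-only publishing.
param(
    [string]$CertPath = 'C:\temp\da-client.cer'   # placeholder path, not from the thread
)

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertPath)

# OID 2.5.29.31 = CRL Distribution Points extension
$cdpExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
if (-not $cdpExt) {
    Write-Warning "No CRL Distribution Point extension: relying parties cannot locate a CRL for this certificate."
    return
}

# Format($true) renders the extension as multi-line text containing entries such as
# "URL=ldap:///CN=...,CN=CDP,..." or "URL=http://pki.example/CertEnroll/ca.crl"
$urls = [regex]::Matches($cdpExt.Format($true), 'URL=(\S+)') |
    ForEach-Object { $_.Groups[1].Value }

foreach ($u in $urls) {
    if ($u -like 'ldap://*') {
        Write-Output "AD/LDAP CDP (needs directory reachability): $u"
    } elseif ($u -like 'http://*') {
        Write-Output "HTTP CDP (usable by clients without directory access): $u"
    } else {
        Write-Output "Other CDP: $u"
    }
}

$httpCdps = $urls | Where-Object { $_ -like 'http://*' }
if (-not $httpCdps) {
    Write-Warning ("Only LDAP CDPs found: revocation checking works where LDAP is reachable " +
                   "(intranet, the UAG server) but not for clients outside the domain.")
}

# certutil retrieves every CDP (and AIA) URL and reports whether each CRL is
# reachable and still within its validity period.
certutil -verify -urlfetch $CertPath
```

Run it against an exported DirectAccess client certificate from a machine that has the same network position as the relying party you care about (the UAG server for client-certificate validation, or an internet-connected host for the IP-HTTPS certificate), since the certutil fetch reflects reachability from wherever the script runs.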