Ondrej Sevecek wrote:
> hello,
>
> I have observed one weird change between autoenrollment in XP and 2008
> regarding revoked certificates.
>
> I have the policy to Update pending/Remove Revoked etc. certificates for
> both XP and 2008 machines.
>
> The XP behavior on a certificate based on a template is:
> onXP: manually enroll certA (templateA)
> onCA: revoke certA
> onXP: delete URLCACHE
> onXP: pulse autoenrollment
> onXP: certA is automatically archived
> onXP: automatic enrollment for new certB (templateA, the same as the
> archived cert) is performed
>
> While on 2008 the pulse has virtually no effect on the certificate in the
> local store. It seems like it just ignores the published revocation
> information, because it does not even download the CRLs (even when the
> URLCACHE is deleted, it remains empty after the pulsing).
>
> Is that expected behavior on 2008? Shouldn't it work the same way as
> in XP?
>
> thank you very much.
>
> ondrej.
Here is what worked for me ...
on2008: enroll certA (templA)
onCA: revoke certA, issue CRL
on2008: delete CRL cache (certutil -urlcache CRL delete)
on2008: clear in-memory cache (certutil -setreg chain\ChainCacheResyncFiletime @now)
on2008: pulse autoenrollment (certutil -user -pulse), new certificate is enrolled
HTH
Martin
--
Replace nospam with google's mail for e-mail communication
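The sequence Martin describes, scripted so the result can be checked rather than eyeballed. This is an added example, not code from the thread; it assumes an elevated PowerShell session (the chain\ChainCacheResyncFiletime registry write needs admin rights), the Cert: drive, and that user autoenrollment is configured with the Update/Remove Revoked policy from the original post.

```powershell
# Added example: reproduce the "delete CRL cache -> reset chain cache -> pulse"
# sequence from the thread, then diff the user's personal store before/after.

function Get-StoreSnapshot {
    # Thumbprints of the certificates currently visible in CurrentUser\My
    Get-ChildItem Cert:\CurrentUser\My | ForEach-Object { $_.Thumbprint }
}

function Invoke-AutoenrollRefresh {
    # 1. Drop the on-disk CRL cache so stale revocation data cannot be reused
    certutil -urlcache CRL delete | Out-Null
    # 2. Invalidate the in-memory chain cache; without this, step 1 has no
    #    visible effect because the engine keeps using its cached chains
    certutil -setreg chain\ChainCacheResyncFiletime @now | Out-Null
    # 3. Trigger user autoenrollment
    certutil -user -pulse | Out-Null
}

function Test-ChainOnline {
    # Build the chain with online revocation checking for the whole chain and
    # return the status flags (empty array means the chain is fully valid).
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chain.ChainPolicy.RevocationFlag = 'EntireChain'
    [void]$chain.Build($Cert)
    $chain.ChainStatus | ForEach-Object { $_.Status }
}

$before = Get-StoreSnapshot
Invoke-AutoenrollRefresh
Start-Sleep -Seconds 15      # autoenrollment completes asynchronously
$after  = Get-StoreSnapshot

$added   = @($after  | Where-Object { $before -notcontains $_ })
$removed = @($before | Where-Object { $after  -notcontains $_ })

"Newly enrolled:        $($added   -join ', ')"
"No longer visible:     $($removed -join ', ')"

# Each new certificate should chain cleanly with fresh revocation data;
# any status other than an empty result (e.g. Revoked, RevocationStatusUnknown)
# means the refresh did not do what we expected.
foreach ($tp in $added) {
    $cert   = Get-Item "Cert:\CurrentUser\My\$tp"
    $status = @(Test-ChainOnline -Cert $cert)
    if ($status.Count -eq 0) { "$tp : chain OK" } else { "$tp : $($status -join ', ')" }
}
```

If "No longer visible" stays empty while the revoked certificate is still present, the chain cache reset (step 2) is the usual culprit, since deleting the URL cache alone leaves the cached chain in memory.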