autoenrollment behavior for cert revocation on 2008

Discussion in 'Server Security' started by Ondrej Sevecek, May 27, 2009.

  1. Hello,

    I have observed one weird change between autoenrollment in XP and 2008
    regarding revoked certificates.

    I have the policy to Update pending/Remove Revoked etc. certificates for
    both XP and 2008 machines.

    The XP behavior on a certificate based on a template is:
    onXP: manually enroll certA (templateA)
    onCA: revoke certA
    onXP: delete URLCACHE
    onXP: pulse autoenrollment
    onXP: certA is automatically archived
    onXP: automatic enrollment for new certB (templateA, the same as the
    archived cert) is performed

    While on 2008 the pulse has virtually no effect on the certificate in the local
    store. It seems like it just ignores the published revocation information
    because it does not even download the CRLs (even when the URL cache is deleted,
    it remains empty after the pulsing).

    Is that the expected behavior on 2008? Shouldn't it work the same way as in
    XP?

    thank you very much.

    ondrej.
    Ondrej Sevecek, May 27, 2009
    #1

  2. Here is what worked for me ...

    on2008: enroll certA (templA)
    onCA: revoke certA, issue CRL
    on2008: delete CRL cache (certutil -urlcache CRL delete)
    on2008: clear in-memory cache (certutil -setreg chain\ChainCacheResyncFiletime @now)
    on2008: pulse autoenrollment (certutil -user -pulse), new certificate is enrolled

    HTH

    Martin
    Martin Rublik, May 28, 2009
    #2
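As an added example (not code from either poster), a PowerShell script that first verifies, with an online revocation check rather than the cached CRL, which certificates in the user's personal store are actually revoked, and only then runs the three certutil steps from Martin's post. The issuer match string and the `-Pulse` switch are assumptions of this example; run it as the enrolled user on the 2008 client.

```powershell
# Added example, not from the thread. Lists certificates in Cert:\CurrentUser\My
# that fail an online revocation check, then (with -Pulse) clears the CRL and
# chain caches and pulses autoenrollment exactly as described in post #2.
param(
    [string]$IssuerMatch = 'CN=ExampleCA',   # placeholder: substring of your CA's issuer name
    [switch]$Pulse                            # without this switch the script only reports
)

$flags   = [System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]
$revoked = @()

foreach ($cert in Get-ChildItem Cert:\CurrentUser\My) {
    if ($cert.Issuer -notmatch [regex]::Escape($IssuerMatch)) { continue }

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'        # fetch the CRL, do not trust the URL cache
    $chain.ChainPolicy.RevocationFlag = 'EntireChain'
    $null = $chain.Build($cert)

    $isRevoked = $false; $isUnknown = $false
    foreach ($st in $chain.ChainStatus) {
        if ($st.Status -band $flags::Revoked) { $isRevoked = $true }
        if (($st.Status -band $flags::RevocationStatusUnknown) -or
            ($st.Status -band $flags::OfflineRevocation))  { $isUnknown = $true }
    }
    $chain.Reset()

    if ($isRevoked) {
        $revoked += $cert
        Write-Output ("REVOKED  {0}  {1}" -f $cert.Thumbprint, $cert.Subject)
    } elseif ($isUnknown) {
        # a CRL that cannot be reached is the symptom the original poster saw
        Write-Output ("UNKNOWN  {0}  (no CRL reachable)" -f $cert.Thumbprint)
    }
}

if ($revoked.Count -gt 0 -and $Pulse) {
    certutil -urlcache CRL delete                            # drop cached CRLs
    certutil -setreg chain\ChainCacheResyncFiletime @now     # invalidate the in-memory chain cache
    certutil -user -pulse                                    # trigger user autoenrollment
}
```

Run the script once without `-Pulse` to confirm the revocation is visible online before clearing caches, then again with `-Pulse`; a certificate still reported as UNKNOWN afterwards means the client cannot reach the CDP, not that autoenrollment ignored the revocation.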
