Certificate revocation question
I am testing a computer authentication certificate which was revoked 8 days ago; my policy is set to update the CRL every 7 days and the Delta CRL every 1 day. If I run the command:

    certutil -verify c:\temp\machine_cert.cer

So the CRL appears to be working correctly. However, when I look at my local computer under MMC -> Certificates (Local Computer), Personal Certificates:

    Certificate status: OK ???

But the certificate is revoked... and I thought the local CRL cache should have expired by now. Shouldn't the local machine have figured out it is revoked by now, especially since I am using a Delta CRL? I was expecting my machine to apply for a new machine certificate by auto-enroll already...
October 1st, 2012 9:17pm

On Tue, 2 Oct 2012 01:05:51 +0000, Digian wrote:

> Certificate is REVOKED
> Leaf certificate is REVOKED (Reason=4)
> CertUtil: -verify command completed successfully.
>
> So the CRL appears to be working correctly. However, when I look at my local computer under MMC -> Certificates (Local Computer), Personal Certificates: Certificate status: The certificate is OK. Yet the certificate's serial number is certainly revoked and in my CRL.

The UI that displays a certificate does not do CRL checking, so you'll never be able to tell whether or not a certificate has been revoked by simply looking at the certificate.

> Shouldn't the local machine have figured out it is revoked by now? Especially since I am using Delta CRL? I was expecting it to apply for a new machine certificate by auto-enroll ...

The local machine is the subject of the certificate, not the relying party. Only the relying party does CRL checking. Autoenrollment is only triggered when the certificate in question enters the renewal period, not when it has been revoked. A revocation policy needs to include the process by which a new certificate is issued after it has been revoked. From a security perspective it doesn't make sense to automatically enroll for a new certificate when one has been revoked. What if the computer has been physically compromised? Do you really want it to be able to enroll for a new certificate automatically?

Paul Adare
MVP - Forefront Identity Manager
http://www.identit.ca
You have junk mail.
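The answer above draws the line between what the certificate dialog shows (no revocation check at all) and what a relying party does (build the chain and consult the CRL). The script below is an added example, not code from the thread or from Microsoft: it performs the relying-party check from PowerShell against the .NET X509Chain engine, which is the same CryptoAPI chain engine that certutil -verify drives, and it separates "confirmed revoked" from "revocation status could not be determined", two outcomes that a verifier must both treat as failures but that call for different follow-up. The file path is the one the question uses; it is the only input the script assumes.

```powershell
# Added example (not from the thread): do the revocation check the MMC certificate
# dialog never performs. Assumes the .cer path used in the question; any DER/PEM
# certificate file can be substituted.
param(
    [string]$CertPath = 'C:\temp\machine_cert.cer'
)

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertPath

$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain

# Online: fetch the base and delta CRL (or OCSP response) from the certificate's
# CDP/AIA URLs instead of relying only on whatever is in the local URL cache.
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
# Check every certificate in the chain, not just the leaf.
$chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
$chain.ChainPolicy.UrlRetrievalTimeout = New-TimeSpan -Seconds 30

# Build() returns $false if the chain is untrusted for any reason, revocation included.
$chainBuilt = $chain.Build($cert)

# Reduce the ChainStatus entries to their flag names so we can classify them.
$statusNames = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })

$revoked = $statusNames -contains 'Revoked'
# "Unknown" and "offline" mean the CRL could not be fetched or was stale; a relying
# party must not read that as "OK", which is exactly the trap the MMC view sets.
$revocationUnknown = ($statusNames -contains 'RevocationStatusUnknown') -or
                     ($statusNames -contains 'OfflineRevocation')

[pscustomobject]@{
    Subject           = $cert.Subject
    SerialNumber      = $cert.SerialNumber
    NotAfter          = $cert.NotAfter
    ChainBuilt        = $chainBuilt
    Revoked           = $revoked
    RevocationUnknown = $revocationUnknown
    Details           = ($chain.ChainStatus |
                            ForEach-Object { "$($_.Status): $($_.StatusInformation.Trim())" }) -join '; '
}
```

For the certificate in the question the expected result is ChainBuilt = False and Revoked = True, matching the "Leaf certificate is REVOKED (Reason=4)" line from certutil. If the script instead reports RevocationUnknown = True, the CRL was not retrievable, which is a separate problem from the one discussed here (CDP reachability or a CRL published past its validity window) and should be investigated before trusting any result. To see which CRL the chain engine actually fetched, certutil -verify -urlfetch on the same file prints each CDP/AIA retrieval, and certutil -urlcache crl delete clears the local CRL cache if you suspect a stale copy is being reused.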
October 2nd, 2012 3:28am

Thanks Paul, I agree auto-enrolling clients is probably not a wise idea now that I think of it.
October 3rd, 2012 12:37am
