Push out CRL with group policy
Hi, Thanks for your posting. A Certificate Revocation List (CRL) can update from the URLs defined in the certificate's CRL Distribution Point (CDP). These URLs can be HTTP, FTP, LDAP or FILE addresses, but they are all defined and set by the Certificate Authority. A CRL has a validity period; in most cases this is a period of time from 12 hours to some months. You can check the Next update time from your .crl file: double click your .crl file --> General --> Next update.

Why do we need a CRL? Revocation of a certificate invalidates a certificate as a trusted security credential prior to the natural expiration of its validity period. There are a number of reasons why a certificate, as a security credential, could become untrustworthy prior to its expiration. Examples include:
- Compromise, or suspected compromise, of the certificate subject's private key.
- Compromise, or suspected compromise, of a certification authority's private key.
- Discovery that a certificate was obtained fraudulently.
- Change in the status of the certificate subject as a trusted entity.
- Change in the name of the certificate subject.

These reasons all apply to a scenario where you may not trust a certificate, but I think your workstations will always trust that purchased certificate until that certificate expires. And if one day you don't need that certificate or you don't trust that certificate, just remove or update it from your deployed application. So for your current scenario, there's no need and you can't update that CRL for your offline (no internet connection) workstations.

For more information please refer to the following MS articles:
Certificate revocation
http://technet.microsoft.com/en-us/library/cc739845(v=ws.10).aspx
Specify certificate revocation list distribution points in issued certificates
http://technet.microsoft.com/en-us/library/cc773036(v=ws.10).aspx
Revoking certificates and publishing CRLs
http://technet.microsoft.com/en-us/library/cc782162(v=WS.10).aspx

Lawrence
TechNet Community Support
February 29th, 2012 4:59am

Hello, Thank you for the detailed explanation and the URLs for further information. I believe I understand the concept now; your explanation is greatly appreciated and has answered my initial question. Thank you, Mark
March 10th, 2012 8:19am

I have been able to deploy a cert via group policy (http://technet.microsoft.com/en-us/library/cc770315(v=ws.10).aspx). I need to know how to deploy the cert revocation list for the cert. The cert is from VeriSign and also has two .crl files that need to be installed on all users' computers. If someone could point me in the right direction that would be great. Thank you, Mark
March 10th, 2012 11:29am

You can use certmgr.exe (http://msdn.microsoft.com/en-us/library/e78byta0%28v=vs.80%29.aspx): /CRL Adds or deletes CRLs. Displays CRLs when used without the /add, /delete, or /put options.
March 10th, 2012 11:45am

Thanks Lawrence, I was able to install the certificate that was given to us by a vendor via a group policy (http://technet.microsoft.com/en-us/library/cc770315(v=ws.10).aspx). They also had two .crl files that need to be installed, I am guessing now, only if we install manually and the workstation has no internet access. Let's see if I understand this or not: once the certificate is installed, the workstation will install the CRL if needed from the URL provided in the cert? Thanks for your input on this subject. Mark
March 10th, 2012 12:00pm


Hi, Thanks for your posting. I think maybe you misunderstand certificates and the certificate revocation list (CRL). That certificate you get from VeriSign is of course issued by VeriSign. That certificate is trusted automatically by all of your workstations, so there's no need to deploy that certificate to your clients. Since MS systems trust certificates issued by some well-known Certificate Authorities (including VeriSign), all root certificates of these well-known CAs are built in to MS systems. You can check it: run mmc --> File --> Add/Remove Snap-in --> Certificates --> Add --> Computer Account --> Local computer --> Trusted Root Certification Authorities --> Certificates.

Also, there's no need to push the CRL to your clients. Double click your VeriSign certificate --> Details --> CRL Distribution Points --> URL. You can find a website URL there; the workstation will contact that URL to renew the CRL if needed.

For more information please refer to the following MS articles:
CA Maintenance
http://technet.microsoft.com/en-us/library/cc782041(v=WS.10).aspx
Certificate revocation
http://technet.microsoft.com/en-us/library/cc739845(v=ws.10).aspx
Revoking certificates and publishing CRLs
http://technet.microsoft.com/en-us/library/cc782162(v=WS.10).aspx

Hope this helps, any confusion or further questions please let us know.

Lawrence
TechNet Community Support
March 11th, 2012 4:18am
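The manual check Lawrence describes (Details --> CRL Distribution Points) and the question of whether a workstation without Internet access can still evaluate revocation can both be scripted. The following PowerShell is an added example, not code from the thread or from Microsoft; it assumes the vendor certificate has been exported to the placeholder path `C:\certs\vendor.cer`, and it validates the chain using only CRLs already in the local cache, which is exactly what an offline workstation can do.

```powershell
# Added example (not part of the original thread). Assumes $CertPath points at an
# exported copy of the vendor certificate; the path below is a placeholder.
param(
    [string]$CertPath = "C:\certs\vendor.cer"
)

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath

# 2.5.29.31 is the id-ce-cRLDistributionPoints extension; it holds the CDP URLs the
# thread tells you to read off the Details tab.
$cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
if ($cdp) {
    Write-Output "CRL Distribution Points for $($cert.Subject):"
    # Format($true) renders the extension as multi-line text; keep only the URL= lines.
    $cdp.Format($true) -split "`r?`n" |
        Where-Object { $_ -match 'URL=(.+)$' } |
        ForEach-Object { Write-Output ("  " + $Matches[1].Trim()) }
} else {
    Write-Warning "Certificate carries no CDP extension, so CRL-based revocation checking is not possible for it."
}

# Build the chain with RevocationMode = Offline: Windows may use only CRLs already in
# its local cache or certificate stores and will not contact the CDP URLs. On a
# disconnected workstation this is the real-world behaviour, so the result shows
# whether a usable, unexpired (Next Update not passed) CRL is present locally.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Offline
$chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
$built = $chain.Build($cert)

if ($built) {
    Write-Output "Chain built; revocation status was resolved from the local CRL cache."
} else {
    foreach ($s in $chain.ChainStatus) {
        switch ($s.Status) {
            'RevocationStatusUnknown' { Write-Output "No usable cached CRL: $($s.StatusInformation)" }
            'OfflineRevocation'       { Write-Output "CRL could not be refreshed offline: $($s.StatusInformation)" }
            'Revoked'                 { Write-Output "Certificate is REVOKED: $($s.StatusInformation)" }
            default                   { Write-Output "$($s.Status): $($s.StatusInformation)" }
        }
    }
}
```

On a machine that never reaches the CDP URLs, RevocationStatusUnknown or OfflineRevocation is the expected result; placing the vendor's .crl files into the local store (the certmgr.exe /CRL option mentioned earlier in the thread) is what makes this offline check succeed until the CRL's Next Update time passes.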
