Third party CRL checking question
Hello,

I'm trying to troubleshoot a revocation checking issue involving a third party CRL. I don't understand enough about how the imported third party CRL is supposed to work, so I'm not able to troubleshoot this efficiently.

There's one CA (Windows 2003 single tier enterprise CA) where I've imported the third party CRLs to the intermediate certificate authorities' local computer (physical) store; they show up under the intermediate certificate authorities' certificate revocation lists when viewed using the certificate services MMC. I of course imported the third party's Root CA cert (Trusted Root) and its issuing CA cert (NTAuth) as well to our CA.

- After having imported the third party CRLs, are they published to the AD domain's CDP so that the clients (smartcard logon) that need to check the third party CRL which I've imported can, OR do I need to do something manually to publish them to the CDP? I noticed that when checking the domain's CRL, it's one file named CAname.crl, and its revocation list tab doesn't seem to contain the third party CRLs I've imported, as the most recent dates that show are from July but I've imported CRLs up until last week.

- When I go to the client and log in as the client user to check its issued personal certificate (for the smartcard logon), its details tab's CRL distribution point points to the external third party's website and not our domain's distribution point. Is this how it's supposed to be? Then what's the point of having to import their CRLs to our CA if it's going to go out to the external site to check the CRL and not our domain's CDP?
December 14th, 2009 1:44am

You are combining two separate processes and confusing the two: chain building vs revocation checking.

For chain building, the chain will be built from all available certificate stores.
- Adding the CAs to the trusted root store and intermediate stores in AD will allow all 2000+ clients to build trusted chains to the forest root CA.
- Adding the issuing CA of the foreign chain will allow smart card logon with certificates from that CA (or Web authentication with certificates).

But you cannot override the revocation publication point for the CRL. It is still going to read the certificates, and use the CDP extension in the certificate. Remember that a certificate is a signed object and the CRL location is going to be read from the CDP.

That being said, with a Windows Vista or Windows 7 client, it is possible to have the client go to an OCSP responder that you designate via group policy. You can add the CA certificate (root or intermediate) to the relevant GPO (root CAs or intermediate CAs), and designate a custom OCSP responder to use.

Brian
December 14th, 2009 7:10am
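As an added example (not part of the thread above), this PowerShell script, run on a Vista/7 client, shows the two processes Brian separates: it reads the CRL Distribution Points extension straight out of the smart card certificate, which is where Windows gets the CRL URL from, and then builds the chain with online revocation checking so you can see which step fails. The certificate path C:\temp\smartcard-user.cer is a hypothetical placeholder; export the user's logon certificate from the Certificates MMC to a .cer file and point the script at it.

```powershell
# Added example, not from the original post. Inspect a smart card logon
# certificate on the client: where does its CRL come from, and does the
# chain build with revocation checking switched on?
# Assumption: the certificate has been exported to the path below
# (hypothetical path); needs PowerShell 2.0 or later.
param(
    [string]$Path = 'C:\temp\smartcard-user.cer'
)

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Path)

"Subject : $($cert.Subject)"
"Issuer  : $($cert.Issuer)"

# The CRL Distribution Points extension (OID 2.5.29.31) is inside the signed
# certificate, so the issuing CA, not your domain CA, decides where the CRL lives.
# This is why the details tab shows the third party's web site and not your CDP.
$cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
if ($cdp) {
    "CDP extension as signed by the issuer:"
    $cdp.Format($true)
} else {
    "No CDP extension present; only a CRL already in the local store can be used."
}

# Build the chain the way logon does: trust anchors and intermediates come
# from the local and AD-pushed stores, revocation data from the CDP URL
# (or from a matching CRL already present in the local store).
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain

$valid = $chain.Build($cert)
"Chain valid with revocation checking: $valid"
"Chain elements:"
$chain.ChainElements | ForEach-Object { "  " + $_.Certificate.Subject }

# A trust problem (UntrustedRoot, PartialChain) means the CA certs are not in
# the stores; a revocation problem (RevocationStatusUnknown, OfflineRevocation)
# means the CDP URL could not be reached or the CRL is expired.
if ($chain.ChainStatus.Count -gt 0) {
    "Chain status:"
    $chain.ChainStatus | ForEach-Object { "  $($_.Status): $($_.StatusInformation.Trim())" }
}

# certutil prints the same verdict together with every URL it tried and
# whether each CRL was fetched or served from the local cache.
& certutil -verify -urlfetch $Path
```

If the chain builds but `RevocationStatusUnknown` appears, the client could not reach the URL in the CDP extension; that is the case to fix (proxy, firewall, or a cached CRL on the client), because nothing you publish to your own domain CDP changes the URL the certificate carries.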

Thanks. It's more clear now.

For the third party cert that's being used for the smartcard logon, if it's going to check the CDP extension of the smartcard cert, which points to an external CRL location, what's the purpose of importing that external CRL to our CA? Is it so that it trusts it?
December 15th, 2009 7:29am

Hi,

A CRL is used when the operating system/application checks the revocation status of the certificate. If a local CRL is available, it will be checked despite the absence of a CDP extension. To trust a certificate, you only need to import the CA certificate(s) into the local store.

For more information, I suggest that you refer to the following article:

Certificate Revocation and Status Checking
http://technet.microsoft.com/en-us/library/bb457027.aspx#EJAA

This posting is provided "AS IS" with no warranties, and confers no rights.
December 15th, 2009 11:52am
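The two answers together describe a procedure: put the foreign CA certificates into the AD-distributed stores so the chain builds, and make the foreign CRL available locally so revocation checking can succeed even when the CDP URL in the certificate is unreachable. This is an added example (not from either poster) of doing that with certutil on a domain member, run as an Enterprise Admin for the -dspublish steps; the three file names are hypothetical placeholders for the third party's root certificate, issuing CA certificate and issuing CA CRL.

```powershell
# Added example, not from the original thread. Trust a third party CA chain
# forest-wide and make its CRL available to clients, then verify.
# The file names are placeholders for the third party's files.
$root    = 'C:\foreign\ThirdPartyRoot.cer'
$issuing = 'C:\foreign\ThirdPartyIssuing.cer'
$crl     = 'C:\foreign\ThirdPartyIssuing.crl'

# --- Chain building: publish the CA certificates into AD so every domain
# member picks them up at next autoenrollment/policy refresh. Requires
# Enterprise Admin rights.
certutil -dspublish -f $root    RootCA     # Trusted Root Certification Authorities
certutil -dspublish -f $issuing SubCA      # Intermediate Certification Authorities
certutil -dspublish -f $issuing NTAuthCA   # NTAuth store: needed for smart card logon

# --- Revocation checking: your own CAname.crl is signed by your CA and can
# never contain the third party's revocations, so it is not merged. The foreign
# CRL has to be reachable as a separate object.
# 1) Publish it into the AD CDP container. Clients only look there if the
#    certificate's own CDP extension contains an LDAP URL for it.
certutil -dspublish -f $crl
# 2) Load it into the local intermediate CA store. CryptoAPI will use a CRL
#    already in the store for the issuer without fetching, as long as the CRL
#    is within its validity period (thisUpdate/nextUpdate). Repeat on each
#    client, for example from a computer startup script, whenever the third
#    party issues a new CRL.
certutil -addstore -f CA $crl

# --- Verification on a client
# Show the CRLs now present in the local intermediate CA store.
certutil -store CA
# Show which CRL URLs the client has fetched and cached so far.
certutil -urlcache crl
```

The `-addstore` step is the one that answers the "what's the point" question: it does not change where the smart card certificate says its CRL lives, but it gives the client a valid, issuer-signed CRL to use locally, so logon no longer depends on reaching the third party's web site in the moment. Once the imported CRL passes its nextUpdate time it is stale and the client goes back to the CDP URL, so the import has to be repeated on the third party's CRL publishing schedule.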

