separate domain issuing certs trust each other but where is the CRL?
Hi all, I have an offline standalone root (entroot) and 2 enterprise issuing servers, DEVIss1 and ProdIss1. They are on segregated domains/networks, devdom and proddom. Entroot's cert is published in the domain of both devdom and proddom, so it shows up in the trusted root authorities of members of each. If I create an SSL cert in the proddom domain and publish it on a web server in the prod domain, it is trusted when I look on my devdom members. My question is around the CRL. Based on how I published everything, members of each domain can see the root CRL and CRT as well as the local issuing CRL and CRT. But if I publish a cert from ProdIss1 to Prodweb1 and connect to it from devclient1, the dev client will only be able to check the root CRL and will not be able to see the ProdIss1 CRL? How is it still able to say it is valid? I just put these in yesterday. It is possible that next week when my validity periods time out, all of this will break, but how do we know what the validity period is if we cannot see the CRL? Can somebody make sense of this? Thanks ej
July 10th, 2009 5:21pm

Hi, If devdom members can access the web server in prod domain, you may add a HTTP CRL distribution point location pointing to the web server on the prodIss1 in order that the devdom members can retrieve the latest CRL from the web server. For more information, please refer to the Configure CorporateRootCA Distribution Points for the CRL section in the following article: http://technet.microsoft.com/en-us/library/cc779714(WS.10).aspx Thanks.
July 16th, 2009 1:44pm

Thanks Joson, but that isn't quite my question. I do understand I can publish my ProdIss1 CRL to a devdom-accessible location. What I am confused about is how the cert chain is able to validate at all if my devdom member server cannot see the CRL for the ProdIss1 CA? My certification path shows as green even though neither the LDAP nor the HTTP published CRL of ProdIss1 is available on the devdom clients. Devdom clients have the root cert and CRL in the domain, but I assumed the cert chain checking algorithms would have to check each CA in the chain. Reading the link you sent and http://technet.microsoft.com/en-us/library/cc737481(WS.10).aspx seems to confirm that I should need to publish the CRL for the cert to be valid. If I pull up the https web page, check on the cert and try to go to the published CRL locations, I get 404s (as expected, the CRL isn't there). I am not sure of a way to easily check the LDAP location, but the servers are in different domains with no trust, so I would expect that to be unavailable. What am I missing here? Thanks ej
July 17th, 2009 1:45pm

Hi, Based on my understanding, the Certificate Path just checks if the certificate is issued by a trusted CA and if the certificate is expired. It will not check if the certificate is revoked. For more information, please refer to the following article: Certification Authority Trust Model http://technet.microsoft.com/en-us/library/cc962065.aspx To check if a certificate is valid, please export the certificate from the personal store and run the command certutil -verify -urlfetch <CertificateFile.cer>. Additional Information: Certificate Revocation and Status Checking http://technet.microsoft.com/en-us/library/bb457027.aspx#EJAA
July 21st, 2009 1:51pm
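The distinction Joson describes (the path check verifies issuer signatures and validity periods, and revocation is a separate step that can only fail or come back "unknown" when a CDP is unreachable) can be shown in code. The following is an added example written for this thread, not code from either poster or from Microsoft; it uses the Python `cryptography` library to build a constructed three-tier hierarchy named after the thread's servers (entroot, ProdIss1, prodweb1) and then checks the chain twice: once with only the root CRL reachable, as devclient1 would see it, and once with ProdIss1's CRL reachable and the web server cert revoked. The CRL fetch is replaced by a dictionary of "CRLs the client could retrieve"; no network or LDAP access is involved.

```python
"""Chain validation versus revocation checking for a three-tier PKI.

Constructed for illustration: an offline root (entroot) signs an issuing CA
(ProdIss1), which signs a web server cert (prodweb1). Keys, names and CRLs are
all generated in memory; 'reachable CRLs' stands in for HTTP/LDAP CDP fetches.
"""
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

# naive UTC, matching what cryptography's not_valid_* / next_update return
NOW = datetime.now(timezone.utc).replace(tzinfo=None)


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def _cn(name):
    return name.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value


def make_cert(subject, issuer, issuer_key, key, is_ca):
    """Issue a certificate for `subject` signed by `issuer_key` (constructed helper)."""
    return (
        x509.CertificateBuilder()
        .subject_name(_name(subject))
        .issuer_name(_name(issuer))
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(NOW - timedelta(days=1))
        .not_valid_after(NOW + timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
        .sign(issuer_key, hashes.SHA256())
    )


def make_crl(issuer, issuer_key, revoked_serials=()):
    """Build a signed CRL for `issuer` listing the given serial numbers as revoked."""
    builder = (
        x509.CertificateRevocationListBuilder()
        .issuer_name(_name(issuer))
        .last_update(NOW - timedelta(hours=1))
        .next_update(NOW + timedelta(days=7))
    )
    for serial in revoked_serials:
        builder = builder.add_revoked_certificate(
            x509.RevokedCertificateBuilder().serial_number(serial).revocation_date(NOW).build()
        )
    return builder.sign(issuer_key, hashes.SHA256())


def build_pki(revoke_leaf=False):
    """Return ([leaf, issuing CA, root], {issuer CN: CRL}) for the constructed hierarchy."""
    root_key, iss_key, leaf_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(3))
    root = make_cert("entroot", "entroot", root_key, root_key, True)
    iss = make_cert("ProdIss1", "entroot", root_key, iss_key, True)
    leaf = make_cert("prodweb1", "ProdIss1", iss_key, leaf_key, False)
    crls = {
        "entroot": make_crl("entroot", root_key),
        "ProdIss1": make_crl("ProdIss1", iss_key, [leaf.serial_number] if revoke_leaf else ()),
    }
    return [leaf, iss, root], crls


def verify_chain(chain):
    """The 'certification path' check only: each cert's validity period covers now
    and its signature verifies under the next cert in the chain (root under itself)."""
    for cert, issuer in zip(chain, chain[1:] + [chain[-1]]):
        if not (cert.not_valid_before <= NOW <= cert.not_valid_after):
            return False
        try:
            issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                       ec.ECDSA(cert.signature_hash_algorithm))
        except Exception:
            return False
    return True


def revocation_status(chain, reachable_crls):
    """Per-cert CRL check against the CRLs the client could actually fetch.
    Returns {subject CN: 'good' | 'revoked' | 'unknown'}; the self-signed root is skipped."""
    status = {}
    for cert, issuer in zip(chain[:-1], chain[1:]):
        crl = reachable_crls.get(_cn(issuer.subject))
        if crl is None or not crl.is_signature_valid(issuer.public_key()) or crl.next_update < NOW:
            status[_cn(cert.subject)] = "unknown"   # no usable CRL: undetermined, not 'valid'
        elif crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None:
            status[_cn(cert.subject)] = "revoked"
        else:
            status[_cn(cert.subject)] = "good"
    return status


def devclient_view():
    """devclient1: root CRL reachable, ProdIss1's CDP returns 404."""
    chain, crls = build_pki()
    return verify_chain(chain), revocation_status(chain, {"entroot": crls["entroot"]})


def prodclient_view(revoke_leaf=False):
    """A proddom client: every CRL reachable, optionally with prodweb1 revoked."""
    chain, crls = build_pki(revoke_leaf)
    return verify_chain(chain), revocation_status(chain, crls)


if __name__ == "__main__":
    print("devclient1:", devclient_view())
    print("prodclient, leaf revoked:", prodclient_view(revoke_leaf=True))
```

In the devclient1 case the path check passes (every signature and validity period is fine), while the revocation result for prodweb1 is "unknown" because the ProdIss1 CRL was never retrievable; that is the same outcome `certutil -verify -urlfetch` reports as a CDP fetch failure, and it is the reason the green certification path alone says nothing about revocation.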

No wonder you've got all those medals .... lol, Joson. Creativity cannot be taught, but it can be learned.
August 24th, 2009 12:33am

