smart card logon revocation
Hi all, I've set up smart card logon on a 2008 R2 PKI server with an AD 2008 R2. I've revoked the certificate and published the CRL on the PKI server. I can still connect with my smart card, and the certificate is still valid. What should I do to disable a smart card immediately? Thanks in advance
June 14th, 2011 10:04am
have you considered using OCSP in addition to CRLs?
June 14th, 2011 11:53am
No such thing with the Microsoft solutions currently. You would need to move to a 3rd party OCSP Responder (such as Tumbleweed) which directly connects to the CA database, rather than how the MS OCSP responder uses CRLs for its revocation decisions.
In addition, you would need to use a custom OCSP client that would implement either a NONCE in each request or a signed request (to prevent cached responses from being returned by the OCSP Responder).
Brian
June 14th, 2011 11:41pm
Brian, so what is the AD CS OCSP used for then?
http://technet.microsoft.com/en-us/library/cc731027(WS.10).aspx
June 15th, 2011 1:19am
On Wed, 15 Jun 2011 05:14:12 +0000, S.Kwan wrote:
Brian, so what is the AD CS OCSP used for then?
http://technet.microsoft.com/en-us/library/cc731027(WS.10).aspx
The 4 bullet points listed under What Does OCSP Support Do?. Notice that
not one of them refers to real-time status checking, but rather 3 of the 4
refer to reducing network traffic when performing certificate validation.
Paul Adare
MVP - Identity Lifecycle Manager
http://www.identit.ca
Congratulations! You are the one-millionth user to log into our system.
June 15th, 2011 1:41am
Hi Brian,
If I can't use the OCSP, how can I distribute a new CRL automatically to all the DCs?
Do we have a GPO to set up the period at which the DC downloads a new CRL? Is it set up by default?
I don't want to modify the current period of the CRL.
Thanks
June 15th, 2011 6:16am
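As an added example (not from any poster in this thread), the following PowerShell shows one way to make the domain controllers discard their cached CRL and fetch the newly published one right after a revocation, and then to verify what a DC now decides for the revoked certificate. It assumes the ActiveDirectory module and WinRM are available and that .\revoked-user.cer is an exported copy of the revoked certificate (placeholder path).

```powershell
# Added example, not from the original thread. Forces the CRL cache on every
# DC to be refreshed so the KDC enforces a fresh revocation without waiting
# for the cached CRL's NextUpdate time.

# Enumerate all domain controllers (requires the ActiveDirectory module).
$dcs = (Get-ADDomainController -Filter *).HostName

Invoke-Command -ComputerName $dcs -ScriptBlock {
    # Remove the CRLs cached by the local URL cache so the next chain build
    # re-downloads them from the CDP.
    certutil -urlcache crl delete | Out-Null

    # Mark everything cached by the chain engine before "now" as stale; the
    # KDC's next smart card logon validation then fetches the new CRL.
    certutil -setreg chain\ChainCacheResyncFiletime @now | Out-Null

    "$env:COMPUTERNAME : CRL cache reset"
}

# Verify the exported certificate with fresh URL retrieval. Once the new CRL
# is in place the output reports the certificate as revoked.
# Assumption: .\revoked-user.cer is a placeholder for the exported certificate.
certutil -urlfetch -verify .\revoked-user.cer
```

Run this from a workstation with the RSAT tools; the chain cache reset only affects the machine it is run on, which is why it is pushed to each DC.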
Hi Paul,
In that same document (above the bullet points) it says:
"Unlike CRLs, which are distributed periodically and contain information about all certificates that have been revoked or suspended, an Online Responder receives and responds only to requests from clients for information about the status of a single certificate"
So I must be misunderstanding this, because to me it sounds like a realtime status revocation checking ability of AD CS OCSP?
Please could you clarify.
Thank you
June 15th, 2011 10:07am
On Wed, 15 Jun 2011 14:01:57 +0000, S.Kwan wrote:
"Unlike CRLs, which are distributed periodically and contain information about all certificates that have been revoked or suspended, an Online Responder receives and responds only to requests from clients for information about the status of a single certificate"
So I must be misunderstanding this, because to me it sounds like a realtime status revocation checking ability of AD CS OCSP?
This is still just contrasting the fact that a CRL contains all revoked
certificates whereas an OCSP response only returns the status of the actual
certificate that is being verified, it says nothing at all about realtime
status. Bottom line is that Microsoft's implementation of OCSP is most
definitely not realtime.
Paul Adare
MVP - Identity Lifecycle Manager
http://www.identit.ca
Hackers have kernel knowledge.
June 15th, 2011 10:20am
100% understood, thanks Paul.
June 15th, 2011 10:36am