New certificate (CA) - Direct Access
Hey
We have demoted an old CA (2003) and created a new 2012 R2 CA (a completely new PKI infrastructure).
Is it possible to "accept" both CAs in Direct Access? (for a couple of months - until all the clients have requested a certificate from the new CA)
Thanks in advance
Mike
January 28th, 2015 6:30pm
Hi,
No, it's not possible. At the IPsec tunnel level only one CA is referenced.
January 29th, 2015 1:23am
Hey
After adding the new CA to "First Authentication -> DirectAccess - Phase 1 Auth Set" - (to the DirectAccess GPOs) it seems to be working with certificates from both CAs.
Mike
Marked as answer by Michael_DK_, Thursday, January 29, 2015 1:05 PM
Unmarked as answer by Michael_DK_, Thursday, January 29, 2015 1:05 PM
January 29th, 2015 4:05pm
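To see what the change described above actually does to the policy, here is an added example (not posted in the thread and not Microsoft's own script) that lists the CAs in the DirectAccess Phase 1 authentication set of the client GPO and, if the new CA is missing, appends a second machine-certificate proposal for it. The domain name, GPO name, auth set display name and CA subject names are assumptions; replace them with your own. Note that the Remote Access wizard regenerates these GPO settings and can drop a manual addition.

```powershell
# Added example: inspect and extend the DirectAccess Phase 1 auth set.
# Assumed values (not from the thread) - adjust to your environment.
$PolicyStore = 'corp.example\DirectAccess Client Settings'   # "<domain>\<GPO name>"
$SetName     = 'DirectAccess - Phase1 Auth Set'              # display name of the set
$NewCa       = 'CN=New-Root-CA-2012R2, DC=corp, DC=example'  # subject of the new root CA

# 1. Read the Phase 1 (machine) authentication set from the client GPO.
$set = Get-NetIPsecPhase1AuthSet -DisplayName $SetName -PolicyStore $PolicyStore
if (-not $set) { throw "Auth set '$SetName' not found in $PolicyStore" }

# 2. List the proposals so you can see which CA(s) are currently referenced.
#    Each proposal is a NetIPsecAuthProposal instance; dumping every property
#    avoids depending on a particular property name.
Write-Host "Current proposals in '$SetName':"
$set.Proposal | Format-List *

# 3. Add a second proposal for the new root CA if it is not already present.
#    'Authority' is the property that carries the CA subject (assumed to match
#    the -Authority parameter of New-NetIPsecAuthProposal).
$alreadyTrusted = $set.Proposal | Where-Object { $_.Authority -eq $NewCa }
if ($alreadyTrusted) {
    Write-Host "New CA is already referenced; nothing to do."
} else {
    $newProposal = New-NetIPsecAuthProposal -Machine -Cert `
        -Authority $NewCa -AuthorityType Root

    # Keep the existing proposal(s) and append the new one, so certificates
    # issued by either CA satisfy Phase 1 during the migration window.
    Set-NetIPsecPhase1AuthSet -DisplayName $SetName -PolicyStore $PolicyStore `
        -Proposal ($set.Proposal + $newProposal)

    Write-Host "Added proposal for $NewCa. Run 'gpupdate /force' on a client to test."
}
```

Run this from a machine with the Group Policy and NetSecurity modules (Windows 8.1 / Server 2012 R2 RSAT or later). The order of proposals matters only for preference; both CAs are accepted once both are listed. Because the GPO was written by the Remote Access wizard, re-check the set after any change made through the DirectAccess console.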
Hi,
I have not tested this, but maybe it works because you have a two-tier PKI infrastructure and didn't revoke your old sub-CA providing certificates for your clients, or your CRL is still not updated on your clients and can be valid for 7 days.
You should be careful, because if something fails in the computer certificate checks, your client will not be able to connect to your infrastructure.
February 2nd, 2015 9:37am
Hi,
Not sure. Strong CRL check is not enabled at the DirectAccess client level. Have a look at NETSH ADVFIREWALL SHOW GLOBAL; the StrongCRLCheck parameter is disabled.
February 2nd, 2015 1:05pm
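To verify the point made above on a client, here is an added example (not from the thread) that reads the IPsec strong CRL check setting both the way the reply suggests (NETSH) and through its PowerShell equivalent, then confirms that the CRL distribution point in the client's machine certificate is actually reachable. The mapping between the netsh values (0 = disabled, 1 = attempt, 2 = require) and the CertValidationLevel names is assumed from the documented semantics; the certificate selection by template name is an assumption as well.

```powershell
# Added example: check strong CRL checking and CDP reachability on a
# DirectAccess client. Run in an elevated PowerShell on the client.

# 1. The netsh view referenced in the thread.
$netshLine = netsh advfirewall show global | Select-String -Pattern 'StrongCRLCheck'
Write-Host "netsh: $($netshLine.Line.Trim())"

# 2. The same setting through the NetSecurity module. ActiveStore reflects
#    what is in effect after local and GPO settings are merged.
$level = (Get-NetFirewallSetting -PolicyStore ActiveStore).CertValidationLevel
Write-Host "CertValidationLevel: $level"

switch ("$level") {
    'RequireCrlCheck' {
        Write-Warning 'Strong CRL check is REQUIRED (netsh 2): an unreachable CDP fails IPsec auth.'
    }
    'AttemptCrlCheck' {
        Write-Host 'CRL check is attempted (netsh 1): a failed fetch is tolerated.'
    }
    default {
        Write-Host 'Strong CRL check is disabled (netsh 0), as the thread observed.'
    }
}

# 3. Find the machine certificate DirectAccess will present. Assumption: it was
#    issued from a template whose name contains 'DirectAccess'; adjust the filter.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object {
        $_.HasPrivateKey -and
        ($_.Extensions | ForEach-Object { $_.Format($false) }) -match 'DirectAccess'
    } |
    Sort-Object NotAfter -Descending | Select-Object -First 1

if (-not $cert) {
    Write-Warning 'No matching machine certificate found in LocalMachine\My.'
    return
}
Write-Host "Using certificate: $($cert.Subject) issued by $($cert.Issuer)"

# 4. Ask certutil to walk the chain and fetch AIA/CDP URLs. Non-zero exit or
#    'ERROR' lines mean the server-side strong CRL check would fail for this cert.
$cerPath = Join-Path $env:TEMP 'da-client.cer'
Export-Certificate -Cert $cert -FilePath $cerPath | Out-Null
$result = certutil -verify -urlfetch $cerPath 2>&1
$problems = $result | Select-String -Pattern 'ERROR|Failed|revoked'
if ($problems) {
    Write-Warning 'Chain or CRL retrieval problems:'
    $problems | ForEach-Object { Write-Warning $_.Line.Trim() }
} else {
    Write-Host 'Chain builds and CRL/AIA URLs are reachable.'
}
Remove-Item $cerPath -ErrorAction SilentlyContinue
```

The useful part during a CA migration is step 4: run it on a client still holding a certificate from the old CA and on one already enrolled from the new CA. Both must build a chain to a root that the DirectAccess server trusts and both CDPs must be reachable from the server, otherwise the first client to hit an expired CRL will be the one that reveals the problem.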
Cool to see that it works, but also beware of your configuration because it is generally not supported to manually modify the GPO settings (in any way). Your changes could be overwritten by the Remote Access wizard, so it may work today and may break tomorrow.
Also, if you ever need to contact Microsoft for support this could present a problem.
February 2nd, 2015 2:01pm
Logic :
https://technet.microsoft.com/en-us/library/ee649169(v=ws.10).aspx
"If you enable strong CRL checking and the DirectAccess server cannot reach the CRL distribution point, certificate-based IPsec authentication for all DirectAccess connections will fail.
If you are using Network Access Protection (NAP) with DirectAccess and you enable strong CRL checking, certificate-based IPsec authentication for all DirectAccess connections will fail. Health certificates do not contain CRL distribution points because their lifetime is on the order of hours, instead of years for computer certificates."
February 2nd, 2015 4:51pm