Hello all,
I have read a lot of sites and posts regarding cert revocation but still have not found a working setup yet. We are publishing a website using a dedicated listener that requires client certificates from either an internal PKI (based on Windows 2008 R2) or an external PKI (based on the open-source XCA tool). The internal CAs have the CDP/AIA information published and updated and are available via HTTP and LDAP. The TMG 2010 Server is a member of the domain and can retrieve all certificate revocation information successfully using CERTUTIL -f -urlfetch -verify my-user-cert.cer.
The TMG server can also download the CRL using the CERTUTIL -URL "http://crl.domain.com/CAInfo/filename.crl".
I have installed the root/issuing/personal certificates on my iPad in the profiles store and can successfully open the website using Safari after importing those certificates, which I could not without those certs. So the certificate issuing check is working fine; however, when I revoke the certificate on the CA and republish the CRL, the iPad can still access the website. When I sniff the traffic on the TMG server I also cannot easily see any trace of the server trying to even access the CRL, either via an LDAP query or an HTTP request.
When I run the CERTUTIL revocation check internally or via the internet, it works fine and shows the certificate is revoked. I also cleared the CRL cache locally on the TMG servers and downloaded the latest one via the CERTUTIL -f -urlfetch ... command.
What am I missing? On the TMG Server the System Policy "CRL Download" is enabled.
I hope you can help me out!
Many thanks,
Eric
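As an added example (not part of the original post, and not TMG's or Microsoft's own tooling), the script below reproduces on the TMG host the same chain build that CryptoAPI/SChannel performs, with online revocation checking switched on, and prints the resulting chain status codes and the CRL Distribution Point URLs embedded in the certificate. It assumes the revoked client certificate has been exported to a placeholder path `C:\temp\my-user-cert.cer`; adjust the path to your environment. The status names it reports distinguish a certificate that is actually seen as revoked (`Revoked`) from one whose CRL could not be obtained (`RevocationStatusUnknown` / `OfflineRevocation`), which is the distinction that matters when a listener admits a certificate that the CA says is revoked.

```powershell
# Added example, not from the original post. Builds the chain for a client
# certificate with online revocation checking and reports what CryptoAPI sees.
# Assumption: the certificate to test is exported at the placeholder path below.
param(
    [string]$CertPath = 'C:\temp\my-user-cert.cer'
)

$cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain

# Online mode asks CryptoAPI to fetch CRL/OCSP data from the CDP/AIA URLs in the
# certificate; note that a cached CRL that has not yet expired may still be served.
$chain.ChainPolicy.RevocationMode =
    [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
# Check every certificate in the chain, not only the end-entity certificate.
$chain.ChainPolicy.RevocationFlag =
    [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
$chain.ChainPolicy.UrlRetrievalTimeout = New-TimeSpan -Seconds 15

$built = $chain.Build($cert)

"Subject : $($cert.Subject)"
"Issuer  : $($cert.Issuer)"
"Chain OK: $built"

# ChainStatus is empty when the chain is valid and the certificate is not revoked.
if ($chain.ChainStatus.Count -eq 0) {
    "Status  : no errors (certificate is trusted and NOT seen as revoked)"
}
foreach ($status in $chain.ChainStatus) {
    # Revoked                  -> revocation data was obtained and the cert is revoked
    # RevocationStatusUnknown /
    # OfflineRevocation        -> the CRL/OCSP data could not be retrieved
    "  [$($status.Status)] $($status.StatusInformation.Trim())"
}

# Print the CRL Distribution Points (OID 2.5.29.31) so the URLs the certificate
# actually carries can be compared with what the TMG server can reach.
$cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
if ($cdp) {
    "CDP extension:"
    $cdp.Format($true)
} else {
    "CDP extension: none present in this certificate"
}

# Which certificates ended up in the chain, with per-element status.
foreach ($element in $chain.ChainElements) {
    $elemStatus = ($element.ChainElementStatus | ForEach-Object { $_.Status }) -join ','
    "  element: $($element.Certificate.Subject) [$elemStatus]"
}
```

Run it in an elevated PowerShell session on the TMG server after exporting the revoked certificate. If the output shows `Revoked`, the host's own CryptoAPI agrees with CERTUTIL and the gap lies in how the listener applies that result; if it shows `RevocationStatusUnknown` or `OfflineRevocation`, the CDP URLs in the certificate are not reachable from this host's CryptoAPI context (a different proxy or account context from the interactive CERTUTIL run is a common cause), and a network trace filtered on those URLs will confirm whether the fetch is attempted at all.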