CA's
Irish Man
Member Posts: 72 ■■□□□□□□□□
Hello guys, I have come across this question a few times in different exercises, but I am still not able to determine the answer.
Can someone please assist.
Thanks
Colin
You are the network administrator for ampg.com. The network contains a
Windows Server 2003 computer that runs Certificate Services and serves as a
certification authority (CA). All company computers are configured to download a
Certificate Revocation List (CRL) from the CA.
A user named Robb Wong retires from the company. You need to ensure that Robb's certificate cannot be used on the CA. You also need to immediately update the CRL.
What should you do on the server?
Comments
-
royal Member Posts: 3,352 ■■■■□□□□□□
If you need the CRL updates asap, you can manually publish a Delta CRL by right clicking on the Revoked Certificates folder in the Certification Authority MMC. Normally, Delta CRLs are updated once a day while the Full CRL is updated once a week. Delta CRLs were added in Server 2003 to save on network bandwidth.
So in essence, this is what you would do.
Find the user's certificate in the Issued Certificates Folder. Right-click on it and choose Revoke Certificate:
Now, you'll have to wait 1 day for the Delta CRL to publish, or the full CRL if it's been a week since the last full CRL update. As explained earlier, you can manually publish the CRL by doing the following:
“For success, attitude is equally as important as ability.” - Harry F. Banks
-
royal Member Posts: 3,352 ■■■■□□□□□□
No problem. Glad I could help.
“For success, attitude is equally as important as ability.” - Harry F. Banks
-
BeaverC32 Member Posts: 670 ■■■□□□□□□□
Notice this is an older post, but I ran across this and had a quick question:
Do you necessarily have to publish a delta CRL, or is it okay to publish a new CRL instead?? My best guess is that it's best practice to publish the delta since it consumes less bandwidth, but either way should work.
MCSE 2003, MCSA 2003, LPIC-1, MCP, MCTS: Vista Config, MCTS: SQL Server 2005, CCNA, A+, Network+, Server+, Security+, Linux+, BSCS (Information Systems)
-
Silver Bullet Member Posts: 676 ■■■□□□□□□□
BeaverC32 wrote:
Notice this is an older post, but I ran across this and had a quick question:
Do you necessarily have to publish a delta CRL, or is it okay to publish a new CRL instead?? My best guess is that it's best practice to publish the delta since it consumes less bandwidth, but either way should work.
Yes, either way the revocation list will be updated with the latest revoked certificates.
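A command-line equivalent of the revoke-and-publish steps discussed in this thread, as an added example that is not from any of the posters. It assumes PowerShell is installed on the CA server, that the CA publishes to the default CertEnroll folder, and that the serial number (a placeholder here) has been read from the Issued Certificates view; the `certutil` lines also work from a plain command prompt.

```powershell
# Added example (not from the thread). Run from an elevated prompt on the CA server.
# Assumptions: PowerShell is installed; CRLs are written to the default CertEnroll folder.
$Serial    = 'SERIAL-NUMBER-PLACEHOLDER'  # placeholder: serial from Issued Certificates
$Reason    = 5                            # CRL reason code 5 = Cessation of Operation
$DeltaOnly = $true                        # $false publishes a new base CRL as well
$started   = Get-Date

# 1. Revoke the certificate in the CA database.
certutil -revoke $Serial $Reason
if ($LASTEXITCODE -ne 0) { throw "certutil -revoke failed ($LASTEXITCODE)" }

# 2. Publish now instead of waiting for the scheduled publication interval.
if ($DeltaOnly) { certutil -CRL delta } else { certutil -CRL }
if ($LASTEXITCODE -ne 0) { throw "certutil -CRL failed ($LASTEXITCODE)" }

# 3. Confirm the serial appears in a CRL file written by this run.
#    Every freshly written file is checked, because after a full publish the
#    entry is in the base CRL and the matching delta CRL may be empty.
$crlDir = Join-Path $env:windir 'System32\CertSrv\CertEnroll'
$fresh  = Get-ChildItem -Path $crlDir -Filter *.crl |
          Where-Object { $_.LastWriteTime -ge $started }
if (-not $fresh) { throw "No CRL file in $crlDir was updated" }

$needle = ($Serial -replace '\s', '').ToLower()
$listed = $false
foreach ($file in $fresh) {
    # Strip spaces so the match does not depend on how the dump groups hex digits.
    $dump = (certutil -dump $file.FullName | Out-String) -replace '[ \t]', ''
    if ($dump.ToLower().Contains($needle)) {
        Write-Output "Serial $Serial is listed in $($file.Name)"
        $listed = $true
    }
}
if (-not $listed) { throw "Serial $Serial not found in any newly published CRL" }
```

Clients that have already cached a CRL keep using it until that copy expires, so the check above confirms what the CA published, not what each client currently holds.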