CA's

Helo Guys, I have come across this question a few times in different exercise's but I am still not able to determine the answer.

Can someone please assist.

Thanks
Colin

You are the network administrator for ampg.com. The network contains a
Windows Server 2003 computer that runs Certificate Services and serves as a
certification authority (CA). All company computers are configured to download a
Certificate Revocation List (CRL) from the CA.
A user named Robb Wong retires from the company. You need to ensure that Robb's certificate cannot be used on the CA. You also need to immediately update the CRL.
What should you do on the server?

Find more posts tagged with

Comments

royal

If you need the CRL updates asap, you can manually publish a Delta CRL by right clicking on the Revoked Certificates folder in the Certification Authority MMC . Normally, Delta CRLs are updated once a day while the Full CRL is updated once a week. Delta CRLs were added in Server 2003 to save on network bandwidth.

So in essence, this is what you would do.

Find the user's certificate in the Issued Certificates Folder. Right-click on it and choose Revoke Certificate:

Now, you'll have to wait 1 day for the Delta CRL to publish, or the full CRL if it's been a week since the last full CRL update. As explained earlier, you can manually publish the CRL by doing the following:

hhisgett

Dang, learned something new myself. Good explanation!

Irish Man

Thanks IC Royal, great explanation

royal

No problem. Glad I could help.

BeaverC32

Notice this is an older post, but I ran across this and had a quick question:

Do you necessarily have to publish a delta CRL, or is it okay to publish a new CRL instead?? My best guess is that it's best practice to publish the delta since it consumes less bandwidth, but either way should work.

Silver Bullet

BeaverC32 wrote:

Notice this is an older post, but I ran across this and had a quick question:

Do you necessarily have to publish a delta CRL, or is it okay to publish a new CRL instead?? My best guess is that it's best practice to publish the delta since it consumes less bandwidth, but either way should work.

Yes, either way the revocation list will be updated with the latest revoked certificates.