CA's

Irish Man Member Posts: 72 ■■□□□□□□□□
Hello guys, I have come across this question a few times in different exercises, but I am still not able to determine the answer.

Can someone please assist?

Thanks
Colin

You are the network administrator for ampg.com. The network contains a
Windows Server 2003 computer that runs Certificate Services and serves as a
certification authority (CA). All company computers are configured to download a
Certificate Revocation List (CRL) from the CA.
A user named Robb Wong retires from the company. You need to ensure that Robb's certificate cannot be used on the CA. You also need to immediately update the CRL.
What should you do on the server?

Comments

  • royal Member Posts: 3,352 ■■■■□□□□□□
    If you need the CRL updates ASAP, you can manually publish a Delta CRL by right-clicking on the Revoked Certificates folder in the Certification Authority MMC. Normally, Delta CRLs are updated once a day while the Full CRL is updated once a week. Delta CRLs were added in Server 2003 to save on network bandwidth.

    So in essence, this is what you would do.

    Find the user's certificate in the Issued Certificates Folder. Right-click on it and choose Revoke Certificate:

    revokext2.jpg


    Now, you'll have to wait 1 day for the Delta CRL to publish, or the full CRL if it's been a week since the last full CRL update. As explained earlier, you can manually publish the CRL by doing the following:

    publishra7.jpg

    deltaly1.jpg
    “For success, attitude is equally as important as ability.” - Harry F. Banks
  • hhisgett Member Posts: 181
    Dang, learned something new myself. Good explanation!
  • Irish Man Member Posts: 72 ■■□□□□□□□□
    Thanks IC Royal, great explanation
  • royal Member Posts: 3,352 ■■■■□□□□□□
    No problem. Glad I could help. :)
  • BeaverC32 Member Posts: 670 ■■■□□□□□□□
    Notice this is an older post, but I ran across this and had a quick question:

    Do you necessarily have to publish a delta CRL, or is it okay to publish a new CRL instead?? My best guess is that it's best practice to publish the delta since it consumes less bandwidth, but either way should work.
    MCSE 2003, MCSA 2003, LPIC-1, MCP, MCTS: Vista Config, MCTS: SQL Server 2005, CCNA, A+, Network+, Server+, Security+, Linux+, BSCS (Information Systems)
  • Silver Bullet Member Posts: 676 ■■■□□□□□□□
    BeaverC32 wrote:
    Notice this is an older post, but I ran across this and had a quick question:

    Do you necessarily have to publish a delta CRL, or is it okay to publish a new CRL instead?? My best guess is that it's best practice to publish the delta since it consumes less bandwidth, but either way should work.

    Yes, either way the revocation list will be updated with the latest revoked certificates.
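
The same revoke-and-publish procedure from the command line, as an added example that is not part of the original thread: it uses `certutil.exe` on the CA server, covers both the delta-only and the full publish discussed above, and then checks the CA database for the revoked entry. The function names, the serial-number placeholder and the reason code are assumptions made for illustration, as is the availability of PowerShell on the server (the `certutil` lines work unchanged from `cmd.exe`).

```powershell
# Added example. Run on the CA server with CA administrator rights.

function Find-IssuedCertificate {
    param([string]$CommonName)   # e.g. 'Robb Wong'
    # Disposition 20 = issued. Lists serial numbers so the right certificate
    # can be picked before anything is revoked.
    certutil -view -restrict "CommonName=$CommonName,Disposition=20" `
             -out "SerialNumber,CommonName,NotAfter"
}

function Revoke-AndPublish {
    param(
        [string]$Serial,          # serial number taken from Find-IssuedCertificate
        [int]$Reason = 5,         # assumption: 5 = Cessation of Operation
        [switch]$FullCrl          # publish a new base CRL as well as the delta
    )

    # 1. Revoke the certificate in the CA database.
    certutil -revoke $Serial $Reason
    if ($LASTEXITCODE -ne 0) { throw "certutil -revoke failed for $Serial" }

    # 2. Publish now instead of waiting for the scheduled interval.
    #    'delta' publishes only a delta CRL; without it a new base CRL is issued too.
    if ($FullCrl) { certutil -CRL } else { certutil -CRL delta }
    if ($LASTEXITCODE -ne 0) { throw "CRL publication failed" }

    # 3. Confirm the database entry: Disposition 21 = revoked.
    certutil -view -restrict "SerialNumber=$Serial" `
             -out "SerialNumber,Disposition,Request.RevokedWhen,Request.RevokedReason"
}

# Usage (placeholder serial number, replace with the real one):
# Find-IssuedCertificate -CommonName 'Robb Wong'
# Revoke-AndPublish -Serial '<SERIAL-NUMBER-PLACEHOLDER>'
# Revoke-AndPublish -Serial '<SERIAL-NUMBER-PLACEHOLDER>' -FullCrl
```

Publishing updates the CRL at the CA's distribution point; a client that has already cached an unexpired CRL keeps using it until that copy's next-update time passes.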