
revoking certificates

trackittrackit Member Posts: 224
I know how certificate revocation should work in theory, but I can't seem to get it working in practice (in my lab environment).

I have a DC/CA and a client computer (XP) that is joined to the domain. I kept the default certificate revocation list settings as well as the CRL distribution point settings. So I autoenrolled an EFS certificate through group policy, the client got the certificate and everything was fine. Then I decided to test the revocation. I revoked that certificate on the CA and published it in the base CRL as well as in the delta CRL. I checked, and this cert is showing up in the CRL as expected.

The problem is with the client computer: it never seems to check the CRL and still states that the certificate is valid, and I can still use it to encrypt files. I know that it may take time before it takes effect (there is a CRL cache on the client that there is no way to flush, etc.), but the delta CRL should expire after 24 hours. Now it's 3 days since I revoked that cert and it still works fine.

Am I missing something here?

EDIT: and I did check that the client has access to the CDP.

Comments

    trackittrackit Member Posts: 224
    Actually, I may take my words back :) It seems that the CA automatically enrolled a new certificate and removed the old one (as specified in the GPO), so I confused the new valid cert with the old one. I should write down the serial numbers next time lol :)
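The mix-up above (a replacement certificate from autoenrollment mistaken for the revoked one) is easiest to catch by listing the EFS certificates actually present on the client with their serial numbers and asking the chain engine to check revocation. The script below is an added example, not code from the thread; it assumes a domain-joined Windows client whose user EFS certificates live in the CurrentUser\My store and uses the .NET X509Chain class so it also runs on older PowerShell versions.

```powershell
# Added example (not from the original post). Lists every certificate in the
# user's personal store that carries the EFS EKU, prints its serial number,
# and builds the chain with online revocation checking so a revoked serial
# shows up as ChainOk=False / Status=Revoked.
$efsEkuOid = '1.3.6.1.4.1.311.10.3.4'   # Encrypting File System EKU

function Get-EfsCertStatus {
    foreach ($cert in (Get-ChildItem -Path Cert:\CurrentUser\My)) {
        # Keep only certificates whose EKU extension lists the EFS OID.
        $ekuExt = $cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        $isEfs = $false
        foreach ($ext in $ekuExt) {
            foreach ($oid in $ext.EnhancedKeyUsages) {
                if ($oid.Value -eq $efsEkuOid) { $isEfs = $true }
            }
        }
        if (-not $isEfs) { continue }

        # Ask CryptoAPI to build the chain and consult the CRL (cached or fetched
        # from the CDP) for every certificate in the chain.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
        $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
        $chainOk = $chain.Build($cert)
        $status  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
        if (-not $status) { $status = 'NoError' }
        $chain.Reset()

        New-Object PSObject -Property @{
            Subject   = $cert.Subject
            Serial    = $cert.SerialNumber   # compare this with the serial revoked on the CA
            NotBefore = $cert.NotBefore      # a recent date hints at autoenrollment replacement
            NotAfter  = $cert.NotAfter
            ChainOk   = $chainOk
            Status    = $status
        }
    }
}

Get-EfsCertStatus | Format-Table Serial, NotBefore, ChainOk, Status, Subject -AutoSize
```

Because CryptoAPI answers from its CRL cache until the cached CRL's validity ends, a revocation published on the CA can still report ChainOk=True on the client for a while; the serial number column is what tells a genuinely revoked certificate apart from a newly autoenrolled one.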