Re: IAS CRL Configuration
- From: "Greg Lindsay [MSFT]" <greg.lindsay@xxxxxxxxxxxxx>
- Date: Tue, 25 Jul 2006 14:34:52 -0700
You're welcome Paul,
Yes, I was referring to the server that is running CA in my last response.
I think you want to add a Certificates snap-in within the management console
on your IAS server, and view the detailed properties of the certificate in
question. I know that Event Viewer is a good place to check when
troubleshooting certificate issues, but I'm not sure if it would contain the
detail you need.
You're correct that the IAS server does not use a new CRL until the old one
has expired. If you configure a long expiration time on the CA, then revoke
the certificate, the IAS server will continue checking against what it
believes to be a valid, unexpired CRL. This could result in clients with
revoked certificates connecting to the network.
The following article:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/advcert.mspx
has some procedures for viewing and verifying certificates that may help.
Unless someone else answers with a better solution, I will continue
investigating this and let you know what I come up with. Best of luck!
--
Greg Lindsay [MSFT]
greg.lindsay@xxxxxxxxxxxxx
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
<wauger@xxxxxxxxx> wrote in message
news:1153512007.429650.280690@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
All,
Essentially I am looking for how to review, control, initiate, verify
that the CRL is being used/retrieved/loaded by IAS. How can I verify
this within IAS? The only help information provided within the snap-in
says that the CRL will be retrieved when the previous one expires. How
do I check that? Or even verify that IAS already has a previous CRL?
Thanks,
-Paul
wauger@xxxxxxxxx wrote:
Greg,
Thank you very much. I assume that when you state "CA Snap-in" you are
referring to the snap-in on the Enterprise Subordinate CA that is
issuing the certs and the CRLs, correct?
-Thanks,
Paul
Greg Lindsay [MSFT] wrote:
Hi Paul,
Open the Certification Authority snap-in, and double-click (expand) the
certificate for which you want to configure expiration parameters.
Right-click "Revoked Certificates" and select Properties from the
dropdown.
You should be able to configure CRLs here.
I hope this helps!
--
Greg Lindsay [MSFT]
greg.lindsay@xxxxxxxxxxxxx
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
<wauger@xxxxxxxxx> wrote in message
news:1153241450.019913.169890@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Hi All,
I am having a lot of trouble finding the mechanism to configure the
retrieval and expiration value for the certificate revocation list
(CRL) within Microsoft IAS 2003 server.
Is this done automatically using the value within the server cert
issued to IAS? Can I manually configure the CRL publishing location,
retrieval time/frequency and expiration?
Thanks for the help...
-Paul
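
The caching behaviour described in the reply at the top of this thread (a CRL is kept until it expires, so a revocation goes unnoticed until then), as an added Python model that is not part of the original thread and is not IAS code. The `Ca` and `CachingVerifier` classes, the serial number and the dates are constructed for illustration, and the CA is assumed to hand out a fresh CRL whenever one is requested.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Crl:
    this_update: datetime
    next_update: datetime      # cached copy is trusted until this time
    revoked: frozenset         # revoked serial numbers

class Ca:
    """Hypothetical CA: issues a CRL with a fixed validity period on request."""
    def __init__(self, crl_validity):
        self.crl_validity = crl_validity
        self.revocations = {}  # serial -> time of revocation

    def revoke(self, serial, when):
        self.revocations[serial] = when

    def publish(self, now):
        revoked = frozenset(s for s, t in self.revocations.items() if t <= now)
        return Crl(now, now + self.crl_validity, revoked)

class CachingVerifier:
    """Relying party that fetches a new CRL only after the cached one expires."""
    def __init__(self, ca):
        self.ca = ca
        self.cached = None

    def accepts(self, serial, now):
        if self.cached is None or now >= self.cached.next_update:
            self.cached = self.ca.publish(now)   # refresh only on expiry
        return serial not in self.cached.revoked

def exposure_window(crl_validity, revoke_after, step=timedelta(hours=1)):
    """How long a revoked certificate is still accepted after revocation."""
    start = datetime(2006, 7, 25)                # constructed start time
    ca = Ca(crl_validity)
    verifier = CachingVerifier(ca)
    serial = 0x1A2B                              # constructed serial number
    verifier.accepts(serial, start)              # first logon caches a CRL
    revoked_at = start + revoke_after
    ca.revoke(serial, revoked_at)
    now = revoked_at
    while verifier.accepts(serial, now):         # retry until the cache expires
        now += step
    return now - revoked_at

if __name__ == "__main__":
    for validity in (timedelta(days=7), timedelta(hours=1)):
        print(validity, "->", exposure_window(validity, timedelta(minutes=30),
                                              step=timedelta(minutes=10)))
```

With a seven-day CRL the revoked certificate is accepted for almost the full week; shortening the CRL validity on the CA shrinks that window at the cost of more frequent fetches.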