Key Recovery Agent with no access to Root CA CRL
- From: Roxter <Roxter@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Thu, 23 Oct 2008 18:04:15 -0700
Hi,
We have a Windows 2003 Enterprise Issuing Certification Authority for
issuing corporate certificates, we are using an outside third-party Root CA
which does not include their CRL Distribution Point in their Certificates.
This has worked fine up to now.
However, we recently wanted to enable the Key Recovery Agent feature, but we
repeatedly got a message on client machines telling us that "some
certificate" could not be validated when the user requested a certificate
from a template where key archiving was enabled. Looking a little bit deeper,
on a hunch we checked with certutil the validity of the KRA certificate on
the client machines and noticed that although the certificate itself is
valid, certutil complained because it could not validate the whole chain for
the Issuing CA certificate (because of the missing root ca CRLs), we found
that if we manually installed the Root CA CRLs on the user's machine, in the
local machine store, the message would not show up, and key archiving worked
well. We didn't know that client machines had to use the KRA agent (we
assumed it stayed only at the CA).
It would be cumbersome for us to have to manually add the Root CA CRLs (even
if using a GPO), because they are published fairly often to a location
outside our company.
I would like to know if there is a way to bypass the Root CRL verification
for KRA on client machines, as it seems to be failing only for key archiving.
Is there a GPO I could update for this? Are there any other workarounds?
Thanks.
.
- Prev by Date: No logons if ONE DC is down?
- Next by Date: Adding computers to the domain
- Previous by thread: No logons if ONE DC is down?
- Next by thread: Adding computers to the domain
- Index(es):
Relevant Pages
|
