Welcome to ISAserver.org

CRL - SSL authentication issue

All Forums >> [ISA Server 2004 General ] >> Web Publishing >> CRL - SSL authentication issue Page: [1]
CRL - SSL authentication issue - 10.Jan.2006 1:06:03 AM   


Posts: 19
Joined: 23.Nov.2005
From: NH/USA
Status: offline

I finally managed to get SSL certificate-based authentication to work on the ISA. Now the only problem remaining is with regard to the CRL update and verification. Right now, even if I revoke a certificate, the user can still use it to access the published web site. Thus ISA ignores the fact that the certificate has been cancelled. How can I fix that?

I have confirmed that ISA should use the CRL in the "Configuration/General" page, I have confirmed that the System Policy to give ISA access to the published CRL on the CA was enabled, and I can manually access the updated CRL on the CA from the ISA.
The update is not done automatically, even though I published right after revoking the certificate. If I do a manual import, I must specify the store where the CRL should go instead of letting the Import Wizard choose!?! Once the new CRL is updated, how can I force ISA to block the revoked certificate if presented for authentication?

Any help would be welcome. Thanks in advance.

Post #: 1
RE: CRL - SSL authentication issue - 10.Jan.2006 1:14:47 AM   


Posts: 2187
Joined: 10.Aug.2004
From: fort frances.on.ca
Status: offline
You need to give it time.  Revocation is not instant.  This has been discussed here before but I don't remember all the particulars.  One week comes to mind but don't hold me to it.


The School of Hard Knocks is a mean teacher. She gives the exam before the lesson.

(in reply to DaveG)
Post #: 2
RE: CRL - SSL authentication issue - 11.Jan.2006 5:58:45 PM   


Posts: 96
Joined: 8.Dec.2004
From: London
Status: offline
Hi Dave,

A CRL is a list of revoked certificates issued by the publishing certificate authority. It usually has a validity period, which is specified in the CRL. The CA is not obliged to publish a CRL until the last one has expired, and the validator (in this case ISA) is not obliged to retrieve a new CRL until the current one has expired. This explains your delay, and LLigetfa's response of "just give it time". Revocation never happens instantly with certificates (like it does with Kerberos accounts, for example).

The default length of time varies from CA type to CA type, but you can see this in the CRL itself. You can set a shorter period (depends on CA), but you need to balance this with the performance needs of multiple users. After it has expired, then the new CRL will contain your list, and ISA will reject you.

Good luck!


(in reply to LLigetfa)
Post #: 3
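The mechanics described in the two replies above (a CRL is only guaranteed to be re-fetched once its "Next Update" time has passed, so you either wait or shorten the CA's CRL period and flush the cache) can be driven with certutil. The following is an added example, not posted by anyone in the thread and not ISA's or the CA's own tooling. It assumes an Enterprise/Standalone Windows CA with the default CertEnroll share, a CRL file name of MyCA.crl, and a revoked client certificate exported to C:\temp\revoked-user.cer; all three paths are assumptions. The certutil invocations are identical from cmd.exe if PowerShell is not installed on the ISA or CA box.

```powershell
# Added example (not from the thread): shorten the CA's base CRL period,
# publish a fresh CRL that lists the revoked serial, then make ISA pick it up
# instead of waiting for the cached CRL's "Next Update" to pass.
# Assumed paths: CertEnroll\MyCA.crl on the CA, C:\temp\revoked-user.cer on ISA.

# ---------------- On the issuing CA ----------------

# 1. Look at the CRL ISA is currently allowed to keep using. "Next Update" is the
#    point after which a validator is obliged to fetch a new list; until then a
#    revocation made today is invisible to anyone holding this CRL.
certutil -dump "C:\Windows\System32\CertSrv\CertEnroll\MyCA.crl" |
    Select-String -Pattern "This Update", "Next Update"

# 2. Read and then shorten the base CRL publication period (assumed here: 1 hour).
#    Shorter periods mean more frequent downloads by every validator, so keep it
#    as long as your revocation SLA allows. Valid units: Hours, Days, Weeks, Months, Years.
certutil -getreg CA\CRLPeriodUnits
certutil -getreg CA\CRLPeriod
certutil -setreg CA\CRLPeriodUnits 1
certutil -setreg CA\CRLPeriod "Hours"

# 3. Registry changes to the CA are read at service start; restart certsvc,
#    then publish a new base CRL immediately so the revoked serial is listed now
#    rather than at the next scheduled publication.
Restart-Service certsvc
certutil -crl

# 4. Confirm the revoked serial is really in the new CRL before touching ISA.
#    (Replace the serial with the one shown for the revoked cert in the CA MMC.)
certutil -dump "C:\Windows\System32\CertSrv\CertEnroll\MyCA.crl" |
    Select-String -Pattern "Serial Number"

# ---------------- On the ISA Server ----------------

# 5. ISA relies on the Windows CryptoAPI CRL cache. Clear the cached CRLs so the
#    next validation downloads the freshly published one from the CDP.
#    Caveat: this cache is per user profile. Running it as an administrator
#    clears your own cache, not the one used by the Microsoft Firewall service
#    (runs as Network Service); restarting that service is the reliable way to
#    drop its copy, at the cost of dropping active connections.
certutil -urlcache crl delete
Restart-Service fwsrv

# 6. End-to-end check: fetch the CRL from the CDP embedded in the client cert
#    and verify the chain. A revoked certificate is reported as revoked here;
#    if it still passes, the CRL ISA can reach is not the one you just published.
certutil -verify -urlfetch "C:\temp\revoked-user.cer"
```

Two points worth keeping in mind when using this. First, the CA also adds an overlap period (CRLOverlapUnits/CRLOverlapPeriod) to each CRL's validity so that a CRL published slightly late does not leave validators with nothing, which means a CRL's "Next Update" is later than CRLPeriod alone would suggest. Second, the manual import into a certificate store that DaveG mentions is not what ISA consults for web publishing revocation checks; the CDP download and the CryptoAPI cache are, which is why step 5 matters more than the Import Wizard.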
