DaveG -> CRL - SSL authentication issue (10.Jan.2006 1:06:03 AM)


I finally managed to get the SSL certificate based authentication to work on the ISA. Now the only problem remaining concerns the CRL update and verification. Right now, even if I revoke a certificate, the user can still use it to access the published web site. Thus ISA ignores the fact that the certificate has been revoked. How can I fix that?

I have confirmed that ISA should use the CRL in the "Configuration/General" page, I have confirmed that the System Policy giving ISA access to the published CRL on the CA was enabled, and I can manually access the updated CRL on the CA from the ISA.
The update is not done automatically, even though I published right after revoking the certificate. If I do a manual import, I must specify the store where the CRL should go instead of letting the Import Wizard choose!?! Once the new CRL is updated, how can I force ISA to block the revoked certificate if presented for authentication?

Any help would be welcome. Thanks in advance.


LLigetfa -> RE: CRL - SSL authentication issue (10.Jan.2006 1:14:47 AM)

You need to give it time. Revocation is not instant. This has been discussed here before but I don't remember all the particulars. One week comes to mind, but don't hold me to it.

RuiFiske -> RE: CRL - SSL authentication issue (11.Jan.2006 5:58:45 PM)

Hi Dave,

A CRL is a list of revoked certificates issued by the publishing certificate authority. It usually has a validity period, which is specified in the CRL. The CA is not obliged to publish a CRL until the last one has expired, and the validator (in this case ISA) is not obliged to retrieve a new CRL until the current one has expired. This explains your delay, and LLigetfa's response of "just give it time". Revocation never happens instantly with certificates (like it does with Kerberos accounts, for example).

The default length of time varies from CA type to CA type, but you can see this in the CRL itself. You can set a shorter period (depends on CA), but you need to balance this with the performance needs of multiple users. After it has expired, then the new CRL will contain your list, and ISA will reject you.

Good luck!
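The behaviour RuiFiske describes (the relying party keeps using its cached CRL until that CRL's nextUpdate has passed, so a revocation published in between is invisible to it) and the sequence Dave went through (revoke, publish a new CRL immediately, present the certificate again) can be replayed end to end with Go's standard crypto/x509 package. The following is an added example written for this page; it is not ISA Server code, nor anything posted in the thread. It assumes a constructed demo CA with a one-week CRL validity period (LLigetfa's "one week" figure, taken here as an assumption) and models the validator's caching rule as RuiFiske states it; the times are a simulated clock passed in as a parameter.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// demoCA is a constructed issuing CA (assumption for this example): it signs
// certificates and publishes CRLs whose validity window is crlPeriod long.
type demoCA struct {
	cert      *x509.Certificate
	key       *ecdsa.PrivateKey
	crlPeriod time.Duration
	revoked   []pkix.RevokedCertificate
	crlNumber int64
	published []byte // DER of the most recently published CRL (the "CDP")
}

func newDemoCA(now time.Time, crlPeriod time.Duration) *demoCA {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Demo Issuing CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		// CRLSign is required or CreateRevocationList refuses to sign.
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	ca := &demoCA{cert: cert, key: key, crlPeriod: crlPeriod}
	ca.publishCRL(now) // initial, empty CRL #1
	return ca
}

// issue signs a client-authentication certificate for the given user.
func (ca *demoCA) issue(now time.Time, cn string, serial int64) *x509.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.cert, &key.PublicKey, ca.key)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert
}

// revoke records the serial and publishes a fresh CRL straight away, as Dave did.
func (ca *demoCA) revoke(now time.Time, cert *x509.Certificate) {
	ca.revoked = append(ca.revoked, pkix.RevokedCertificate{SerialNumber: cert.SerialNumber, RevocationTime: now})
	ca.publishCRL(now)
}

func (ca *demoCA) publishCRL(now time.Time) {
	ca.crlNumber++
	tmpl := &x509.RevocationList{
		Number:              big.NewInt(ca.crlNumber),
		ThisUpdate:          now,
		NextUpdate:          now.Add(ca.crlPeriod), // the window RuiFiske describes
		RevokedCertificates: ca.revoked,
	}
	der, err := x509.CreateRevocationList(rand.Reader, tmpl, ca.cert, ca.key)
	if err != nil {
		panic(err)
	}
	ca.published = der
}

// validator models a relying party such as ISA: it fetches the CRL and keeps
// using the cached copy until its NextUpdate has passed.
type validator struct {
	ca      *demoCA
	cached  *x509.RevocationList
	fetches int
}

// check reports whether cert is accepted and why, refetching the CRL only when
// the cached one has expired. The CRL signature is verified against the CA.
func (v *validator) check(now time.Time, cert *x509.Certificate) (bool, string) {
	if v.cached == nil || now.After(v.cached.NextUpdate) {
		crl, err := x509.ParseRevocationList(v.ca.published)
		if err != nil {
			return false, "unparseable CRL: " + err.Error()
		}
		if err := crl.CheckSignatureFrom(v.ca.cert); err != nil {
			return false, "CRL signature invalid: " + err.Error()
		}
		v.cached, v.fetches = crl, v.fetches+1
	}
	for _, r := range v.cached.RevokedCertificates {
		if r.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return false, fmt.Sprintf("revoked per CRL #%d", v.cached.Number)
		}
	}
	return true, fmt.Sprintf("not in CRL #%d (valid until %s)", v.cached.Number, v.cached.NextUpdate.Format(time.RFC3339))
}

// scenario replays the thread: check before revocation, check one hour after
// revocation while the cached CRL is still valid, check after it has expired.
func scenario() (beforeRevoke, afterRevokeCached, afterCRLExpiry bool, fetches int) {
	t0 := time.Date(2006, 1, 10, 0, 0, 0, 0, time.UTC)
	ca := newDemoCA(t0, 7*24*time.Hour) // one-week CRL period (assumption)
	user := ca.issue(t0, "dave", 1001)
	v := &validator{ca: ca}
	beforeRevoke, _ = v.check(t0.Add(time.Hour), user)       // fetches CRL #1
	ca.revoke(t0.Add(2*time.Hour), user)                      // CRL #2 published
	afterRevokeCached, _ = v.check(t0.Add(3*time.Hour), user) // still uses CRL #1
	afterCRLExpiry, _ = v.check(t0.Add(8*24*time.Hour), user) // refetch: CRL #2
	return beforeRevoke, afterRevokeCached, afterCRLExpiry, v.fetches
}

func main() {
	a, b, c, n := scenario()
	fmt.Println("before revocation, accepted:", a)
	fmt.Println("after revocation, cached CRL still valid, accepted:", b)
	fmt.Println("after cached CRL expired, accepted:", c, "(CRL fetches:", n, ")")
}
```

The second verdict is Dave's symptom: the CA has already published a CRL listing the certificate, but the validator has no reason to download it until the copy it holds reaches its nextUpdate. Shortening the CRL period on the CA shrinks that window at the cost of more frequent downloads by every relying party, which is the trade-off RuiFiske points at.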


