
PKI and revocation question

Hobbit 32 41 Reputation points
2020-11-02T06:23:03.033+00:00

Good morning everyone,

I am setting up a PKI and I want to get the quickest revocation publication. For example, if one of our laptops gets stolen, I want the firewall to get the revocation information as fast as possible to block any VPN attempt.

1: I was initially going with CRL, but the update delay can be quite long. Is configuring overlap a viable way to force a newer CRL download?

2: I thought OCSP could directly query the revocation database on the CA, but it seems it only queries the CRL. Is that correct, or am I missing something?

Basically, I would like to know how you get the revocation information published as fast as possible.

Thank you for your time!


Answer accepted by question author

Vadims Podāns 9,266 Reputation points MVP
2020-11-02T06:42:42.767+00:00

Is configuring overlap a viable way to force a newer CRL download?

No. Overlap extends the CRL (it increases the timespan between the NextPublish and NextUpdate CRL extensions).

but it seems it only queries the CRL. Is that correct, or am I missing something?

Exactly! And there is a lot of caching involved to reduce network utilization/bandwidth.

You are using the wrong tools to solve the task. Certificate revocation was never supposed to be an immediate action that is propagated to all clients. Instead, if a laptop is stolen or you detect that the device is compromised, you should deactivate the machine account in Active Directory (or whatever other account database your firewall uses). This is the only right answer to your question.

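The PowerShell script below is an added example, not code from the thread or from either participant. It turns the accepted answer into a runnable response procedure for a stolen domain-joined laptop: disable the computer account first (the control that takes effect on the device's next authentication), then revoke its certificates and publish a CRL as the secondary measure, and finally compute from the CA's own registry settings how long a relying party may keep trusting the CRL it already cached, which is why the CRL step alone cannot be "fast". The CA config string `PKI01.corp.example\Corp-Issuing-CA`, the DNS suffix `corp.example`, and the assumption that machine certificates carry the device FQDN as the Subject CN are all hypothetical; the script expects the ActiveDirectory RSAT module and `certutil.exe`, run as a user who can disable computer objects and holds the Issue and Manage Certificates right on the CA.

```powershell
<#
  Added example (not from the thread). Assumptions (hypothetical names):
    - CA config string "PKI01.corp.example\Corp-Issuing-CA"
    - machine certificates were issued with the device FQDN as Subject CN
    - ActiveDirectory RSAT module and certutil.exe are available
#>
param(
    [Parameter(Mandatory)] [string] $ComputerName,              # e.g. "LAPTOP-042"
    [string] $DnsDomain = 'corp.example',                       # assumed DNS suffix
    [string] $CaConfig  = 'PKI01.corp.example\Corp-Issuing-CA'  # assumed CA config string
)
$ErrorActionPreference = 'Stop'
$fqdn = "$ComputerName.$DnsDomain"

# 1. The control that actually blocks the device: disable the computer account so
#    Kerberos/NTLM/LDAP/RADIUS lookups for it fail on the next logon attempt.
Get-ADComputer -Identity $ComputerName | Disable-ADAccount
Write-Host "Disabled AD computer account $ComputerName"

# 2. Secondary measure: revoke every currently issued (Disposition 20) certificate
#    whose Subject CN matches the device. certutil -view prints rows such as
#      Serial Number: "1a0000000f..."
#    so the serials are pulled out with a regex (assumed output format).
$view = certutil -config $CaConfig -view -restrict "CommonName=$fqdn,Disposition=20" -out SerialNumber
$serials = [regex]::Matches(($view -join "`n"), 'Serial Number:\s*"?([0-9a-fA-F]+)"?') |
           ForEach-Object { $_.Groups[1].Value }
foreach ($serial in $serials) {
    # Reason code 1 = KeyCompromise: the private key is in the thief's hands.
    certutil -config $CaConfig -revoke $serial 1 | Out-Null
    Write-Host "Revoked $serial (KeyCompromise)"
}

# 3. Publish a fresh base CRL (and delta CRL, if the CA issues them) right away.
certutil -config $CaConfig -CRL | Out-Null

# 4. Show why step 1 matters: relying parties do not refetch a CRL before its
#    NextUpdate, and NextUpdate = ThisUpdate + CRLPeriod + overlap. Overlap therefore
#    lengthens the cache window instead of shortening it.
function Get-CaRegValue([string] $Name) {
    # Parses lines like "  CRLPeriodUnits REG_DWORD = 1" or "  CRLPeriod REG_SZ = Weeks"
    $out = certutil -config $CaConfig -getreg "CA\$Name"
    $m = ($out -join "`n") | Select-String -Pattern "$Name\s+REG_\w+\s*=\s*(\S+)"
    if (-not $m) { throw "Could not read CA\$Name" }
    $m.Matches[0].Groups[1].Value
}
function Get-CaPeriod([string] $Prefix) {
    $raw   = Get-CaRegValue "${Prefix}Units"
    $units = if ($raw -match '^0x') { [Convert]::ToInt32($raw, 16) } else { [int]$raw }
    switch -Regex (Get-CaRegValue $Prefix) {
        'Year'   { return New-TimeSpan -Days (365 * $units) }
        'Month'  { return New-TimeSpan -Days (30 * $units) }
        'Week'   { return New-TimeSpan -Days (7 * $units) }
        'Day'    { return New-TimeSpan -Days $units }
        'Hour'   { return New-TimeSpan -Hours $units }
        'Minute' { return New-TimeSpan -Minutes $units }
        default  { return New-TimeSpan }
    }
}
$crlPeriod  = Get-CaPeriod 'CRLPeriod'
$crlOverlap = Get-CaPeriod 'CRLOverlapPeriod'
if ($crlOverlap.TotalSeconds -eq 0) {
    # With CRLOverlapUnits = 0 the CA applies an implicit overlap of 10% of the
    # CRL period, capped at 12 hours.
    $implicit   = [TimeSpan]::FromSeconds($crlPeriod.TotalSeconds / 10)
    $crlOverlap = if ($implicit -gt [TimeSpan]::FromHours(12)) { [TimeSpan]::FromHours(12) } else { $implicit }
}
$worstCase = $crlPeriod + $crlOverlap
Write-Host ("Cached CRLs stay valid for up to {0} (period {1} + overlap {2}); " +
            "the disabled account is what blocks the device until then." -f $worstCase, $crlPeriod, $crlOverlap)
```

Run it as `.\Respond-StolenDevice.ps1 -ComputerName LAPTOP-042` from a machine that can reach both a domain controller and the CA. The serial-number and registry parsing depends on the text certutil prints today; if your certutil localizes or reformats those lines, adjust the two regexes, but keep step 1 first: it is the only action in the script whose effect does not wait on a cache expiry.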


1 additional answer

Hobbit 32 41 Reputation points
2020-11-04T16:48:37.61+00:00

Thank you for your answers, it is really helpful (as expected :)).

I have three last questions (let me know if I need to create a new topic):

I set up the OCSP. OCSP shows an error in pkiview.msc. To get it "green" in pkiview.msc, I had to delete and recreate the CA Exchange certificate:

• Is it normal?
• Should I watch for any side effects on the PKI?
• What is the purpose of this CA Exchange certificate? I understand it is used to manage the archival of the certificate private key from the workstation to the KRA. I don't understand why it is involved with the OCSP.

Thanks again and have a good day!
