Hi, we have a branch in Europe with the whole staff working remotely via VPN. The FortiClient VPN client is used with a user certificate as a second authentication factor (issued from an Enterprise CA in the US). The CDP/AIA extensions of the certificate are published in AD (LDAP).
My question is: what would happen if the link between Europe and the US goes down? Will employees in Europe be able to connect to the VPN and work with at least the servers hosted in Europe? My logic is that during validation the CRL/AIA are checked, and since they are in the AD configuration partition, the FortiClient VPN client will find an available DC in Europe (it can even be an RODC) and confirm the user certificate is OK, hence letting him/her in without any need to contact the CA in the US, which is unreachable.
Am I right, and if so, does the same validation process always happen in the background for anything requiring certificates? Thank you very much in advance.
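A practical way to answer the "what does validation actually need to reach" question is to read the CDP and AIA URLs out of the user certificate and see which of them are serverless LDAP (any reachable DC) and which name a specific host. The PowerShell below is an added example, not part of the original post; it assumes the client validates through the Windows certificate store (CryptoAPI, whose CRL cache `certutil -urlcache` lists) and that the user certificate is the first one with a private key in CurrentUser\My.

```powershell
# Added example: list the CDP (2.5.29.31) and AIA (1.3.6.1.5.5.7.1.1) URLs in the
# user certificate and state what each one needs to be reachable.
# Assumption: the relevant certificate is the first one with a private key in
# CurrentUser\My; tighten the filter (e.g. on Issuer) for a real environment.
$cert = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.HasPrivateKey } | Select-Object -First 1
if (-not $cert) { throw 'No user certificate with a private key found in CurrentUser\My' }

$wanted = @{ '2.5.29.31' = 'CDP'; '1.3.6.1.5.5.7.1.1' = 'AIA' }
foreach ($ext in $cert.Extensions) {
    if (-not $wanted.ContainsKey($ext.Oid.Value)) { continue }
    # Format($true) returns the decoded multi-line text, which carries "URL=..." entries
    $urls = [regex]::Matches($ext.Format($true), 'URL=(\S+)') |
        ForEach-Object { $_.Groups[1].Value }
    foreach ($u in $urls) {
        $uri   = [Uri]$u
        $where = switch ($uri.Scheme) {
            # ldap:/// with no host is "serverless": CryptoAPI asks any DC it can locate,
            # so a DC in the local site (RODC included) can answer while the WAN is down.
            'ldap'  { if ($uri.Host) { "LDAP server $($uri.Host)" }
                      else           { 'any reachable domain controller (serverless LDAP)' } }
            # http(s) CDP/AIA points at one web host; if that host is across the WAN,
            # a fresh fetch fails when the link is down and only a cached CRL can help.
            'http'  { "web server $($uri.Host)" }
            'https' { "web server $($uri.Host)" }
            default { "unknown scheme '$($uri.Scheme)'" }
        }
        '{0,-3} {1,-70} needs: {2}' -f $wanted[$ext.Oid.Value], $u, $where
    }
}

# CryptoAPI reuses a downloaded CRL until its NextUpdate passes; show what is cached now.
certutil -urlcache CRL

# Full chain build with the CDP/AIA fetches actually performed; run it while the link is
# up to see which URLs are consulted, and again during a planned outage to confirm the
# LDAP lookups succeed against a local DC.
$tmp = Join-Path $env:TEMP 'usercert.cer'
[IO.File]::WriteAllBytes($tmp, $cert.Export('Cert'))
certutil -verify -urlfetch $tmp
```

The AIA entries matter as much as the CDP: if the CA certificate is not already in the local store, chain building also has to fetch it from the AIA location, so an AIA URL that only names a US host is a dependency on the WAN link even when the CRL is available locally.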