

Determine If You Need to Enable Certificate Revocation Checking (CRL) On Clients (Native Mode)

The certificate revocation list (CRL) is an optional component of a public key infrastructure (PKI) deployment. It is a file that is created and signed by a certification authority and contains a list of certificates that it has issued but revoked. Certificates can be revoked by a certification authority administrator, for example, if an issued certificate is known or suspected to be compromised.

When a CRL is used with a PKI deployment, applications can check the revocation status of the certificates they are using and of the certificates that chain to the trusted root certification authority. This check is made by ensuring that no certificate in the chain is listed on the CRL. If any of these certificates is listed on the CRL, the certificate used by the application is considered invalid, even though it comes from a trusted source and is within its validity period.

If certificate revocation checking is enabled on a Configuration Manager 2007 native mode site, native mode client computers will check the CRL whenever they communicate with one of the following site systems configured for native mode:

  • Management points

  • Distribution points that are not using a site system share, or configured as branch distribution points

  • Software update points

  • State migration points

If certificate revocation checking is enabled on a Configuration Manager 2007 native mode site but clients fail to locate the CRL, they behave as if all certificates in the certification chain are revoked because their absence from the list cannot be verified. In this scenario, all connections that require certificates and use a CRL will fail, and the Configuration Manager 2007 client will send an error message to its fallback status point.

Checking the CRL each time a certificate is used offers more security against using a certificate that has been revoked, but it introduces a connection delay and additional processing on the client. You are more likely to require this additional security check for Internet-based client management than for native mode sites that are contained within the intranet.

You should consult your PKI administrators before deciding whether to enable certificate revocation checking on clients, and then consider enabling this option in Configuration Manager 2007 if both of the following conditions apply:

  • Your PKI infrastructure supports a CRL, and it is published where all Configuration Manager 2007 clients can locate it (including clients on the Internet if you are using Internet-based client management).

  • The requirement to check the CRL for each connection to a site system configured with a certificate is greater than the requirement for faster connections and efficient processing on the client, and is also greater than the risk of clients failing to connect to servers if they cannot locate the CRL.
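Before enabling the option, it is worth confirming on a representative client that the chain actually builds with online revocation checking and that the CRL can be located, because a client that cannot find the CRL fails closed (as described above). The following PowerShell function is an added example and is not part of the Configuration Manager 2007 documentation; it assumes the client certificate is in the local computer's Personal store and takes its thumbprint as a placeholder parameter.

```powershell
# Added example, not from the product documentation.
# Assumes: run on a native mode client; the client certificate is in
# Cert:\LocalMachine\My; $Thumbprint is a placeholder supplied by the caller.
function Test-ClientCertRevocation {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Thumbprint
    )

    $cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint"

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Online: fetch the CRL from the distribution point named in each certificate,
    # which is what a client with revocation checking enabled must be able to do.
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    # ExcludeRoot (the default): every issuing CA certificate is checked; the
    # self-signed trusted root is the trust anchor and is not looked up on a CRL.
    $chain.ChainPolicy.RevocationFlag =
        [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::ExcludeRoot
    $chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(15)

    $built    = $chain.Build($cert)
    $statuses = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })

    # Distinguish the two failure modes the text describes:
    #  - Revoked: a certificate in the chain is listed on the CRL.
    #  - RevocationStatusUnknown / OfflineRevocation: the CRL could not be
    #    located; a native mode client treats this exactly like a revoked chain.
    $revoked    = $statuses -contains 'Revoked'
    $crlMissing = ($statuses -contains 'RevocationStatusUnknown') -or
                  ($statuses -contains 'OfflineRevocation')

    [pscustomobject]@{
        Subject     = $cert.Subject
        ChainOK     = $built
        Revoked     = $revoked
        CrlMissing  = $crlMissing
        ChainStatus = ($statuses -join ', ')
    }
}

# Example call (placeholder thumbprint):
# Test-ClientCertRevocation -Thumbprint '<client certificate thumbprint>'
```

A result with ChainOK false and CrlMissing true means the CRL is not published where this client can reach it, which is the first condition above not being met; the built-in `certutil -verify -urlfetch <certfile>` command gives the same information with the URLs it attempted.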

Note

For more information about certificate revocation, see the section on managing certificate revocation in the Windows Server 2003 product help (https://go.microsoft.com/fwlink/?LinkId=78786).

Certificate revocation checking is enabled by default in IIS, so if you are using a CRL with your PKI deployment, there is nothing additional to configure on the Configuration Manager site systems.

Native mode mobile device clients do not use certificate revocation lists, although their certificates can be revoked and checked by native mode site systems.

See Also

Tasks

How to Enable or Disable Certificate Revocation Checking (CRL) on Clients
How to Block Configuration Manager Clients

Other Resources

Deploying the PKI Certificates Required for Native Mode