Problems with certificates. Public Key Infrastructure (PKI) RRS feed

  • Question

  • We are testing using Smartcard logon.
    Our server is Windows 2003 and the client computers are Windows XP and 7 machines. We raise AD, IIS and CA on server 2003. and all client computers are in the domain.
    We can successfully use the smartcard to logon.
    Now We revoked a certificate and have created a CRL which contains the revoked certificate information. And have published the revoked certificates.
    And it was successfull (when user tried to log on using token, then there was written that your certificate has been revoked). We have changed the system time(in CA server). Then we unrevoked certificate. But user couldn’t log on. I tried it many time, when the system time is being changed manually then CRL update problems appears. When a user certificate is valid user can not log on or vice versa, when a user certificate is not valid, he can log on. Everything is working properly till system time is being changed. I think when system time is being changed on the server the client computer can not update the CRL. And that's why such problems appear. I want it to work properly despite my changing TIME

    My questions:
    How to force on the client side to update CRL after changing system time? Can I manage this remotely from the server or from Group policy? We may be have in our environment 100-200 clients and I must do it on every client side manually? It will be very difficult and annoying.

    http://support.microsoft.com/kb/281245 ther is title about Revocation cheking problems. And there have written that "Revocation check for the built in revocation providers cannot be turned off. If a custom installable revocation provider is installed, It must be turned on." What does it mean? If I use the third party certification authority I must turn on revocation cheking manually? And how can I do it? Where is it turning on?

    Thanks a lot!

    Friday, December 3, 2010 1:05 PM