Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2779
Views
0
Helpful
2
Replies

ACS 5.1, Retrieving the CRL list from MS Certification Authority

erick.whiteford
Level 1
Level 1

‎02-11-2011 03:55 AM - edited ‎03-10-2019 05:49 PM

Hi, I have a question regarding ACS and accessing the CRL list.

The default setting for a Microsoft CA is to publish a CRL list every week and to publish a delta CRL list daily.

When you setup the ACS to access the CRL list by supplying the URL (http://<ip_add>/CertEnroll/<CA_Name.crl) this will download the weekly, full update and not the daily update so, for instance, if the ACS downloads the CRL then a certificate is revoked 10 minutes later the ACS will not be in a position to refuse this certificate for another 7 days when it downloads the next CRL.

Equally I could specify the ACS to access the delta CRL http://<ip_add>/CertEnroll/<CA_Name.crl+, however, using this approach the ACS would never receive a full CRL when the device is restarted and could allow revoked certificates access.

Does the ACS do something in the background with the delta CRLs and I should have nothing to worry about or would it be an idea to modify the default CA timings to publish CRLs on a more regular basis?

Labels:
0 Helpful
2 Replies 2

slawford
Cisco Employee
Cisco Employee

‎02-17-2011 10:23 PM

Hi Erick,

On ACS 5.1 I see the option to set ACS to retreive the CRL at specified intervals.

In the screenshot below I have set it to obtain the CRL everyday.

By default, ACS will try to obtain the CRL five minutes before it's expiry.

Please let me know how you go, or if you have any questions.

Steve.

0 Helpful

erick.whiteford
Level 1
Level 1
In response to slawford

‎02-21-2011 03:33 AM

Steve, many thanks for your response.

To establish once and for all what happens, I setup a small test lab. Using Wireshark I established the ACS only looks to the main CRL list and not the daily delta update, therefore the scenario I had envisaged would have happened.

Equally the info you have supplied would lead to the same happening i.e. the same CRL list would be downloaded daily, and the certificate would only be revoked on the 7th day when the CA published the updated, main CRL list.

I have changed the publication of the CRL list to daily and disabled the publishing of the delta lists on the CA.

0 Helpful
Customers Also Viewed These Support Documents