Troubleshooting Publication Points

The misconfiguration of CA certificate and CRL publication points is the most common error in a PKI. If the publication points are referenced incorrectly, certificate validation errors, CA failures, issuance failures, logon failures, and so on can result.

To prevent publication errors from occurring on your network, you should use tools to ensure that the publication points are configured correctly. The following tools are available for validating the AIA and CDP URLs:

■ CryptoAPI Monitor (CAPIMON)

Note: If the certificate chaining engine cannot find an updated CRL as referenced in the CDP extension of a certificate, the chaining engine invalidates the certificate with a revocation status: "Cannot determine the revocation status of the certificate." Most applications consider this revocation status (also known as the revocation unknown status code) to be the equivalent of a revoked certificate when strong CRL checking is enabled because it is safer to reject the certificate than to accept a revoked certificate.
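The behavior described in the note can be observed with the .NET `X509Chain` class. The PowerShell below is an added example, not code from the original text: it builds a chain with online revocation checking, lists each certificate's CDP and AIA extensions, and separates a revoked result from a revocation unknown result. The function name `Test-PublicationPoint`, its `-Path` and `-Strict` parameters, and the file name in the usage comment are assumptions made for illustration.

```powershell
# Added example. Test-PublicationPoint, -Path and -Strict are hypothetical names.
function Test-PublicationPoint {
    param(
        [Parameter(Mandatory)] [string] $Path,  # certificate file (.cer) to validate
        [switch] $Strict                         # model strong CRL checking
    )
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Retrieve a CRL for every certificate below the root, using its CDP URLs.
    $chain.ChainPolicy.RevocationMode      = 'Online'
    $chain.ChainPolicy.RevocationFlag      = 'ExcludeRoot'
    $chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(15)
    $built = $chain.Build($cert)

    $revoked = $false; $unknown = $false
    $elements = foreach ($element in $chain.ChainElements) {
        $flags = @($element.ChainElementStatus | ForEach-Object { $_.Status.ToString() })
        if ($flags -contains 'Revoked') { $revoked = $true }
        if ($flags -contains 'RevocationStatusUnknown' -or
            $flags -contains 'OfflineRevocation') { $unknown = $true }
        $ext = $element.Certificate.Extensions
        [pscustomobject]@{
            Subject = $element.Certificate.Subject
            # 2.5.29.31 = CRL Distribution Points, 1.3.6.1.5.5.7.1.1 = Authority Information Access
            CDP     = ($ext | Where-Object { $_.Oid.Value -eq '2.5.29.31' } |
                        ForEach-Object { $_.Format($false) }) -join '; '
            AIA     = ($ext | Where-Object { $_.Oid.Value -eq '1.3.6.1.5.5.7.1.1' } |
                        ForEach-Object { $_.Format($false) }) -join '; '
            Status  = $flags -join ', '
        }
    }
    # Later assignments win: Revoked outranks RevocationUnknown, which outranks
    # any other build failure (for example a partial chain).
    $verdict = 'Good'
    if (-not $built) { $verdict = 'ChainError' }
    if ($unknown)    { $verdict = 'RevocationUnknown' }
    if ($revoked)    { $verdict = 'Revoked' }
    [pscustomobject]@{
        Verdict     = $verdict
        # Revocation unknown is rejected only when strict checking is requested.
        Accepted    = ($verdict -eq 'Good') -or ($verdict -eq 'RevocationUnknown' -and -not $Strict)
        ChainStatus = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() }) -join ', '
        Elements    = $elements
    }
}
# Constructed usage (the file name is a placeholder):
# Test-PublicationPoint -Path .\server.cer -Strict | Format-List
```

A `RevocationUnknown` verdict on a certificate whose CA is healthy points at the CDP URLs shown in the `Elements` output, which is where the publication point check should start.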

