Certificate Revocation List Checking

As you learned in Chapter 7, certificate servers issue Certificate Revocation Lists (CRLs) to update clients when certificates are revoked. For a client computer to validate a certificate completely, it must check the CRL to verify that the certificate has not been revoked by the issuer. Because the standards for checking CRLs were still evolving when Windows 2000 was released, computers running Windows 2000 do not automatically check CRLs for certificates used in IPSec authentication. If you plan to use certificates for IPSec authentication and have computers running Windows 2000 on your network, you should enable CRL checking.

To enable CRL checking on computers running Windows 2000:

1. Under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PolicyAgent\, add a key named Oakley.

2. Inside the new Oakley key, add a DWORD entry named StrongCrlCheck.

3. Assign the StrongCrlCheck entry any value from 0 through 2, where:

□ A value of 0 disables CRL checking (default for Windows 2000).

□ A value of 1 causes CRL checking to be attempted and certificate validation to fail only if the certificate is revoked (default for Windows XP Professional and Windows Server 2003). Other failures that are encountered during CRL checking (such as the revocation URL being unreachable) do not cause certificate validation to fail.

□ A value of 2 enables strong CRL checking, which means that CRL checking is required and that certificate validation fails if any error is encountered during CRL processing. Set this registry value for enhanced security.

4. Open a command prompt, run the command net stop policyagent, and then type net start policyagent to restart the IPSec-related services.
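The four registry steps above, collected into one script as an added example (this is not code from the original page). It assumes a Windows XP Professional or Windows Server 2003 (or later) host with PowerShell and an administrative session; Windows 2000 has no PowerShell, so there the same key, value name and restart are done with Regedit and the net commands shown in steps 1 through 4. The script records the previous setting, writes the chosen level, restarts the Policy Agent and then reads the value back so a failed write is not mistaken for a hardened host.

```powershell
# Added example, not from the original page. Sets IPSec CRL checking to the
# strong level (2), restarts the IPSec Policy Agent and verifies the result.
# Assumes Windows XP/Server 2003 or later with PowerShell; run as Administrator.

$OakleyKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent\Oakley'
$ValueName = 'StrongCrlCheck'
$Desired   = 2   # 0 = no CRL check, 1 = fail only if revoked, 2 = fail on any CRL error

if ($Desired -lt 0 -or $Desired -gt 2) {
    throw "StrongCrlCheck must be 0, 1 or 2"
}

# Step 1: create the Oakley key if it does not exist yet.
if (-not (Test-Path $OakleyKey)) {
    New-Item -Path $OakleyKey -Force | Out-Null
}

# Record the current setting so the change is auditable and reversible.
$Current = (Get-ItemProperty -Path $OakleyKey -Name $ValueName `
            -ErrorAction SilentlyContinue).$ValueName
if ($null -eq $Current) { $Current = 'not set (operating system default applies)' }
Write-Host "Previous $ValueName value: $Current"

# Steps 2 and 3: create or overwrite the DWORD with the chosen level.
Set-ItemProperty -Path $OakleyKey -Name $ValueName -Value $Desired -Type DWord

# Step 4: restart the IPSec Policy Agent so the new value takes effect.
Restart-Service -Name PolicyAgent -Force

# Verify the write rather than assuming it succeeded.
$Applied = (Get-ItemProperty -Path $OakleyKey -Name $ValueName).$ValueName
if ($Applied -ne $Desired) {
    throw "Registry write failed: $ValueName is $Applied, expected $Desired"
}
Write-Host "$ValueName is now $Applied"

# Show what the running IPSec configuration reports for strongcrlcheck.
netsh ipsec dynamic show config
```

On Windows XP Professional and Windows Server 2003 the same setting can be changed without touching the registry directly, using the netsh form shown later in this section with the level you want (for strong checking, `netsh ipsec dynamic set config strongcrlcheck 2`); the registry path is the place to look when you need to confirm what a host is actually configured to do.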

Windows XP Professional and Windows Server 2003 do automatically check CRLs when authenticating IPSec connections. However, you might want to disable this behavior if you identify CRL checking as the cause of a problem. To disable CRL checking, open a command prompt and run the following command:

netsh ipsec dynamic set config strongcrlcheck 0

Exam Tip This chapter will not provide detailed documentation for the dozens of Netsh commands relating to configuring and monitoring IPSec policies. For the exam, you should be familiar with the types of things you can use Netsh for. Explore the commands by reviewing the Netsh documentation in Windows Help And Support Center. However, do not feel like you need to memorize the syntax of all the Netsh commands. Even if you use Netsh to create scripts in the real world, you shouldn't waste brain cells memorizing the parameters—just refer to them as needed.

Security Alert IPSec CRL checking does not guarantee that certificate validation fails immediately when a certificate is revoked. There is a delay between the time when the revoked certificate is placed on an updated and published CRL and the time when the computer that performs the IPSec CRL checking retrieves this CRL. The computer does not retrieve a new CRL until the current CRL has expired or until the next time the CRL is published. For more information about CRLs, refer to Chapter 7.



  • aristide
    How to enable strongcrlcheck in ipsec?
    1 year ago
