Question on autoenrollment process with revoked certificate.

Posted by aherugu on April 1, 2007, 4:01 am

Hi all,

I work for VeriSign. I have an issue with autoenrollment on which I need
your input. I am not sure if this is the right forum to ask, but
being a new person I am not sure where to post this question (this is
my first post). It will be of great help if someone can answer here
and/or guide me to the right forum.

BACKGROUND INFORMATION

We have a VeriSign DCOM server which comes into picture during
autoenrollment. This manages the CAs, templates assigned to CAs, certs
issued, certs revoked etc. We have an MMC snap-in for this.

I am using Win2003 SP1 server and IE6 browser. I have set up the
autoenrollment feature, which is working fine for all regular cases. I
have a few certificates (based on the templates) issued to me through
the autoenrollment process. These certificates can be seen in the
issued certs area of our MMC snap-in (as refreshed / obtained from the
backend that issues certificates and stores the revoked, expired
certificates). These certificates are also installed in the CAPI store
and can be seen from IE.

PROBLEM DEFINITION

If I revoke one such certificate using the MMC snap-in, it gets revoked
at the backend, shows up in the revoked certificate area of the MMC
snap-in and is removed from the issued certificate area. These areas are
refreshed / obtained from the backend. I can also see at the backend that
this particular certificate is published in the CRL of the CA that issued
it in the first place, based on a particular template assigned to this
CA. But this certificate does not get removed from the CAPI store (on the
client side) and can still be seen from IE.

QUESTION

With the above mentioned setup, when I relogin at the client side, the
autoenrollment process doesn't kick in and does not ask the backend
for a new certificate to be issued. But if I manually remove this
certificate from IE (CAPI store) and then relogin, the autoenrollment
process identifies that this certificate is not installed, requests a
new certificate from the backend, gets it and installs it.

Is this expected behaviour or is it a bug somewhere (policy, setup, the
autoenrollment process or our snap-in)? The reason I ask is that I
looked in the autoenrollment documentation on the Microsoft site
(http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/autoenro.mspx).
In the “Revoked Certificates and Renewal” section they say this:
“Revoked certificates may not be renewed and may not be used to sign a
renewal request. This scenario is explicitly blocked by autoenrollment.
In this scenario, a user must perform a new manual enrollment request
instead of renewal.”

I personally thought that the autoenrollment process should
automatically kick in upon relogin since the certificate is no longer
in the issued certificate area. Not sure why this is not happening – it
seems the right behaviour based on the Microsoft documentation. And
autoenrollment is happening upon relogin when I manually remove the
certificate from IE store though.

Can someone throw some light on this to help us understand the way
autoenrollment should behave with respect to what I have told?

Thanks in advance,
Ananth.


--
aherugu
------------------------------------------------------------------------
aherugu's Profile: http://forums.techarena.in/member.php?userid=24103
View this thread: http://forums.techarena.in/showthread.php?t=717412

http://forums.techarena.in


Posted by Paul Adare on April 1, 2007, 4:50 am
On Sun, 1 Apr 2007 13:31:53 +0530, aherugu wrote:

> I personally thought that the autoenrollment process should
> automatically kick in upon relogin since the certificate is no longer
> in the issued certificate area. Not sure why this is not happening – it
> seems the right behaviour based on the Microsoft documentation. And
> autoenrollment is happening upon relogin when I manually remove the
> certificate from IE store though.
>
> Can someone throw some light on this to help us understand the way
> autoenrollment should behave with respect to what I have told?

What you are seeing is exactly how it is designed to work. The client has
no idea that the certificate is revoked as it doesn't need to. The owner of
the certificate is not the relying party and therefore no revocation
checking is done.

--
Paul Adare
MVP - Windows - Virtual Machine
http://www.identit.ca
"The English language, complete with irony, satire, and sarcasm, has
survived for centuries without smileys. Only the new crop of modern
computer geeks finds it impossible to detect a joke that is not clearly
labeled as such."
Ray Shea

Posted by aherugu on April 2, 2007, 10:39 am

Hi Paul and Brian,

Sorry for posting my original message in multiple areas since I was not
sure where to post it. But thanks much for your post.

I was reading more into the Microsoft documentation regarding this
issue. Here's what they say:

Section in MS documentation: *Deleting Expired and Revoked Certificates*

"Autoenrollment deletes expired and revoked certificates in the
userCertificate attribute on the user object in Active Directory. This
feature can be enabled through user or machine Group Policy to help
ensure that only valid and active certificates are used for encryption
operations.

The exit module on the Windows Server 2003 CA also helps to manage the
user account in Active Directory, but only deletes expired
certificates; it does not remove revoked certificates due to
performance reasons. In general, there is no value in publishing a
signing certificate to the user object in Active Directory, except for
purposes of record keeping."

Here they are talking about deleting revoked certificates. If the
autoenrollment client does not know which is a revoked cert, how can it
delete it from the userCertificate attribute on the user object in
Active Directory? Or is it some other component of autoenrollment
which does it? If so, which component?

Thanks,
Ananth.


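As an added example (not from this thread, and not Microsoft's autoenrollment code), the PowerShell below performs the online revocation check that, as Paul notes, the certificate owner's store never does on its own, so an administrator can find certificates in the client CAPI store from the first post, and in the userCertificate attribute the second post asks about, that the CA has since revoked. It assumes Windows PowerShell 5.1 or later, a domain-joined session for the ADSI part, reachable CRL/OCSP endpoints, and `Test-RevokedCertificate` is a function name chosen here.

```powershell
# Added example: force the online revocation check that the subject's own
# store never performs, so stale revoked certificates can be found.
using namespace System.Security.Cryptography.X509Certificates

function Test-RevokedCertificate {
    param([Parameter(Mandatory)][X509Certificate2]$Certificate)

    $chain = [X509Chain]::new()
    # Online: fetch the CRL/OCSP response; ExcludeRoot: do not check the root itself.
    $chain.ChainPolicy.RevocationMode = [X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [X509RevocationFlag]::ExcludeRoot
    $null = $chain.Build($Certificate)

    $flags = @($chain.ChainStatus | ForEach-Object { $_.Status })
    # The template comes from the v1 (1.3.6.1.4.1.311.20.2) or
    # v2 (1.3.6.1.4.1.311.21.7) certificate template extension, if present.
    $template = ($Certificate.Extensions |
        Where-Object { $_.Oid.Value -in '1.3.6.1.4.1.311.20.2', '1.3.6.1.4.1.311.21.7' } |
        ForEach-Object { $_.Format($false) }) -join '; '

    [pscustomobject]@{
        Subject  = $Certificate.Subject
        Serial   = $Certificate.SerialNumber
        Template = $template
        Revoked  = [bool]($flags -contains [X509ChainStatusFlags]::Revoked)
        # Unknown: the CRL/OCSP data could not be obtained; treat as suspect, not as valid.
        Unknown  = [bool](($flags -contains [X509ChainStatusFlags]::RevocationStatusUnknown) -or
                          ($flags -contains [X509ChainStatusFlags]::OfflineRevocation))
    }
}

# 1. The client-side CAPI store that IE shows (the store from the first post).
Get-ChildItem Cert:\CurrentUser\My |
    ForEach-Object { Test-RevokedCertificate -Certificate $_ } |
    Where-Object { $_.Revoked -or $_.Unknown } |
    Format-Table Subject, Serial, Template, Revoked, Unknown -AutoSize

# 2. The userCertificate attribute on the AD user object (the second post).
#    Assumes a domain-joined session; whoami /fqdn returns the user's DN.
$me = [ADSI]("LDAP://" + (whoami /fqdn))
foreach ($der in $me.psbase.Properties['userCertificate']) {
    Test-RevokedCertificate -Certificate ([X509Certificate2]::new([byte[]]$der))
}
```

A revoked certificate that this reports is exactly the case in the thread: autoenrollment will not replace it until it is removed from the store, so the report is the trigger for that cleanup.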

