Question on autoenrollment process with revoked certificate

Posted by aherugu on April 1, 2007, 2:03 pm

Hi all,

I work for VeriSign. I have an issue on autoenrollment which I need
your inputs on. I am not sure if this is the right forum to ask. But
being a new person I am not sure where to post this question (this is
my first post). It will be of great help if someone can answer here
and/or guide me to the right forum.

BACKGROUND INFORMATION

We have a VeriSign DCOM server which comes into picture during
autoenrollment. This manages the CAs, templates assigned to CAs, certs
issued, certs revoked etc. We have an MMC snap-in for this.

I am using Win2003 SP1 server and IE6 browser. I have setup
autoenrollment feature which is working fine for all regular cases. I
have a few certificates (based on the templates) issued to me through
the autoenrollment process. These certificates can be seen in the
issued certs area of our MMC snap-in (as refreshed / obtained from the
backend that issues certificates and stores the revoked, expired
certificates). These certificates are also installed in the CAPI store
and can be seen from IE.

PROBLEM DEFINITION

If I revoke one such certificate using the MMC snap-in, it gets revoked
at the backend, is refreshed into the revoked certificate area of the
MMC snap-in, and is also removed from the issued certificate area. These
areas are refreshed / obtained from the backend. I can also see at the
backend that this particular certificate is published in the CRL of the
CA that issued it in the first place, based on a particular template
assigned to this CA. But this certificate does not get removed from the
CAPI store (on the client side) and can still be seen from IE.

QUESTION

With the above mentioned setup, when I relogin at the client side, the
autoenrollment process doesn't kick in and does not ask the backend to
issue a new certificate. But if I manually remove this certificate from
IE (CAPI store) and then relogin, the autoenrollment process identifies
that this certificate is not installed, requests a new certificate, gets
it from the backend and installs it too.

Is this an expected behaviour or is it a bug somewhere (policy or setup
or autoenrollment process or our snap-in)? The reason I ask is that I
looked in the autoenrollment documentation on Microsoft site
(http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/autoenro.mspx).
In the “Revoked Certificates and Renewal” section they say this:
“Revoked certificates may not be renewed and may not be used to sign a
renewal request. This scenario is explicitly blocked by autoenrollment.
In this scenario, a user must perform a new manual enrollment request
instead of renewal.”

I personally thought that the autoenrollment process should
automatically kick in upon relogin since the certificate is no longer
in the issued certificate area. Not sure why this is not happening – it
seems the right behaviour based on the Microsoft documentation. And
autoenrollment is happening upon relogin when I manually remove the
certificate from IE store though.

Can someone throw some light on this to help us understand the way
autoenrollment should behave with respect to what I have told?

Thanks in advance,
Ananth.


--
aherugu
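An added example, not part of the thread or of VeriSign's snap-in, of a defender-side check for the gap described above: it walks the user's CAPI personal store, asks the issuing CA's CRL/OCSP whether each certificate is revoked, and (optionally) removes revoked ones so that autoenrollment re-requests them at the next logon. The `-RemoveRevoked` and `-TriggerAutoenroll` switches are assumptions of this script; it assumes Windows PowerShell 3.0 or later, and `certutil -pulse` is only available on Vista/2008 and later.

```powershell
# Added example (not from the thread). Assumes Windows PowerShell 3.0+ so the
# Cert: provider supports Remove-Item; run as the enrolled user. Dry run by default.
param(
    [switch]$RemoveRevoked,    # assumed switch: delete revoked certs so autoenrollment re-requests them
    [switch]$TriggerAutoenroll # assumed switch: certutil -pulse exists on Vista/2008 and later only
)

$ns = 'System.Security.Cryptography.X509Certificates'
$templateOids = @('1.3.6.1.4.1.311.20.2', '1.3.6.1.4.1.311.21.7')  # v1 template name / v2 template info

function Test-EnrolledCertStatus {
    $results = foreach ($cert in Get-ChildItem -Path Cert:\CurrentUser\My) {
        $chain = New-Object "$ns.X509Chain"
        $chain.ChainPolicy.RevocationMode = 'Online'      # consult the CA's published CRL/OCSP
        $chain.ChainPolicy.RevocationFlag = 'EntireChain'
        $null = $chain.Build($cert)
        $flags = $chain.ChainStatus | ForEach-Object { $_.Status }
        $chain.Reset()

        # The template extension shows which autoenrollment template issued this cert
        $tmpl = $cert.Extensions | Where-Object { $templateOids -contains $_.Oid.Value } |
                ForEach-Object { $_.Format($false) } | Select-Object -First 1

        $state = if ($flags -contains 'Revoked') { 'Revoked' }
                 elseif ($flags -contains 'RevocationStatusUnknown' -or $flags -contains 'OfflineRevocation') { 'RevocationUnknown' }
                 elseif ($flags.Count -eq 0) { 'Valid' }
                 else { 'ChainError' }

        [pscustomobject]@{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            Template   = $tmpl
            State      = $state
            Status     = ($flags -join ',')
        }
    }
    return $results
}

$report = Test-EnrolledCertStatus
$report | Format-Table Subject, Template, State, NotAfter -AutoSize

# Mitigation for the gap the post describes: a cert the CA has revoked but CAPI still
# holds is never re-requested, so remove it and let autoenrollment run on next logon/pulse.
if ($RemoveRevoked) {
    $report | Where-Object { $_.State -eq 'Revoked' } | ForEach-Object {
        Remove-Item -Path "Cert:\CurrentUser\My\$($_.Thumbprint)" -Verbose
    }
    if ($TriggerAutoenroll) { certutil -pulse }
}
```

Without `-RemoveRevoked` the script only reports; `RevocationUnknown` rows mean the CRL/OCSP endpoint could not be reached and should be investigated before acting on them.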

Posted by Paul Adare on April 1, 2007, 3:47 pm
On Sun, 1 Apr 2007 23:33:03 +0530, aherugu wrote:

> I work for VeriSign. I have an issue on autoenrollment which I need
> your inputs on. I am not sure if this is the right forum to ask. But
> being a new person I am not sure where to post this question (this is
> my first post). It will be of great help if someone can answer here
> and/or guide me to the right forum.

You posted the exact same question yesterday in this forum and that post has
already been answered.

--
Paul Adare
MVP - Windows - Virtual Machine
http://www.identit.ca
"The English language, complete with irony, satire, and sarcasm, has
survived for centuries without smileys. Only the new crop of modern
computer geeks finds it impossible to detect a joke that is not clearly
labeled as such."
Ray Shea
