Solved

CRL does not automatically renew under Windows

Posted on 2009-04-15
8
1,032 Views
Last Modified: 2012-05-06
One of my sites is behind a proxy server. At that site, some computers (a couple of XP machines, a Vista laptop, and now our new Server 2008) do not update their Verisign CRLs. These machines are not on a domain. I have been unable to find any information on how this mechanism works, or how to trigger it manually. Other machines at the site seem to be fine.

This is a major issue for us, because we use Patchlink over https. When that CRL becomes invalid, Patchlink stops working until I manually import the certificate by downloading it from Verisign and installing it by hand. Anyone have any ideas?

Thanks!
Ken
0
Comment
Question by:yunbukogar
  • 4
  • 3
8 Comments
 
LVL 31

Expert Comment

by:Paranormastic
Comment Utility
This should be an automatic process.  The CRL has a 'next update' tag within it, instructing the client when they should start looking for the next CRL.  If this is not being downloaded automatically, I would suspect that your firewall is blocking the traffic.  Typically the CRL will be pushed over http (TCP port 80).
0
 

Author Comment

by:yunbukogar
Comment Utility
Hi Paranormastic, I was thinking the same thing. What I can't figure out is why some work, but some don't. I also don't know what server the serves the CRL. Anyone have any idea or some idea how to find out? Is it as simple as http://crl.verisign.com?
0
 
LVL 31

Expert Comment

by:Paranormastic
Comment Utility
Assuming its the same as the one for the cert they use on their own site, it would be:
http://EVIntl-crl.verisign.com/EVIntl2006.crl

You can look at your certificate's properties and on the Details tab look for CRL Distribution Point (CDP) attribute and select that.  In the box in the bottom half it will show where the CDP location(s) are.

You can also try: internet options - content tab - Clear SSL State

Can also try clearing temp internet files, history, etc. and if there is a proxy to clear that out - maybe some servers are set to use a proxy and some aren't and the proxy is serving a stale copy of the CRL.
0
 
LVL 31

Expert Comment

by:Paranormastic
Comment Utility
Even if your hardware firewall is set up correctly, don't forget about any software firewalls that you might have installed, too ;)
0
IT, Stop Being Called Into Every Meeting

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

 
LVL 2

Expert Comment

by:greenhelmet
Comment Utility
Hi Ken,
Can the infected computers reach the internet? Is this problem located to only computers not joined to the domain? If so it could your proxy settings are not configured correctly on the affected machines.

Also, opening the local computer certificate store through the mmc -> certificates, in the details fan, you shold be able to see the CRL distribution points. Try copy/paste the URL's into Iexplorer and see if you get a download CRL prompt...or perhaps an error indicating the issue.

Cheers,
Greenhelmet
 
0
 

Author Comment

by:yunbukogar
Comment Utility
Hi guys,

If I download the CRL manually, it works fine. I do have to install it by hand into the physical store, but it works until it expires again. AFAIK, the proxy is correct (or at least the same on computers that have the problem and computers that don't.)
0
 

Author Comment

by:yunbukogar
Comment Utility
Hi Greenhelmet,

I'm looking at the mmc/certificates now, and I have the CRL. I don't see any CRL distribution points listed, but if I go to the website of my server, I can get the CDP there.

Looking at the cert in the mmc, it says the next update is Wednesday, April 29, 2009, 12:15:29 PM, exactly 2 weeks since I last installed it.

I'm thinking perhaps it tries to update certs using the localsystem account, which does not have a proxy set up for it. Is there any way to set that up--or set it up for the account it does use?
0
 

Accepted Solution

by:
yunbukogar earned 0 total points
Comment Utility
OK, I've fixed it--I had to use net winhttp set proxy yadda yadda. Apparently the CRL function operates under winhttp, not under the IE proxy settings.
0

Featured Post

Complete Microsoft Windows PC® & Mac Backup

Backup and recovery solutions to protect all your PCs & Mac– on-premises or in remote locations. Acronis backs up entire PC or Mac with patented reliable disk imaging technology and you will be able to restore workstations to a new, dissimilar hardware in minutes.

Join & Write a Comment

I'm a big fan of Windows' offline folder caching and have used it on my laptops for over a decade.  One thing I don't like about it, however, is how difficult Microsoft has made it for the cache to be moved out of the Windows folder.  Here's how to …
New Windows 7 Installations take days for Windows-Updates to show up and install. This can easily be fixed. I have finally decided to write an article because this seems to get asked several times a day lately. This Article and the Links apply to…
This tutorial will walk an individual through the steps necessary to configure their installation of BackupExec 2012 to use network shared disk space. Verify that the path to the shared storage is valid and that data can be written to that location:…
The Task Scheduler is a powerful tool that is built into Windows. It allows you to schedule tasks (actions) on a recurring basis, such as hourly, daily, weekly, monthly, at log on, at startup, on idle, etc. This video Micro Tutorial is a brief intro…

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now