Why CRL will download automatically to NetScreen-Remote Client

Hi,

I have one user who always has the CRL downloaded automatically into his NetScreen-Remote client, which makes his current certificate (it should not need renewing until the end of the year) become invalid.

In order to resolve it, the user has to delete the CRL manually from the CRLs tab under the Juniper Certificate Manager every time he disconnects from the company network and connects to his ISP at home. Please see the attached example screenshot of Certificate Manager.

I would like to know what settings trigger the CRL download, or whether some other settings on Windows XP cause the download. Kindly be advised that none of our VPN users have this problem but him.

For your information,
We have our own CA and use it for certificate-based authentication, which is linked to our AD.
Our NetScreen-Remote version is 10.8.3 (Build 6) and it runs on XP.

If you have had a similar problem and were able to resolve it, I would appreciate it if you could share with me.

Thank you.
FphcareEnginner Asked:
deimark Commented:
First of all, see this link for some more info on configuring the cert etc. in SNR and on the firewall, in case there are some discrepancies here.
http://kb.juniper.net/index?page=content&id=KB5510

Have you double checked the time and date on the firewall, the client and on the CA?  Just to make sure all are in sync?

Regarding the client cert itself, it may be worth revoking the current cert fully, machines via an updated CRL, and then re-creating the user cert and installing that.

At the moment, I am unaware of any NSR related issues that could cause this, however generic CA and CRL problems may be contributing.
 
FphcareEnginner (Author) Commented:
NSR Certificate Manager
Certificate-Manager.JPG
 
Paranormastic (Cryptographic Engineer) Commented:
I agree with deimark - check to see if the cert is actually revoked (which may be why the CRL is giving problems...) and if not, revoke it and issue a new cert.  If it becomes a bigger issue somehow, I would suggest trying on a different box, creating a new profile, using a different smartcard, etc. in case there is corruption or underlying hardware issues.

I highly recommend against disabling CRL checking - this is bad security practice - if you do this, why do you have certs in the first place?
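As an added example (not from this thread, and not NetScreen-Remote's own logic), the following script performs the two checks the answers above recommend: whether the user's certificate serial is actually listed in the CRL, and whether the CRL's thisUpdate/nextUpdate window is consistent with the client's clock, which is what a time-sync problem between client, firewall and CA trips. It assumes the Python `cryptography` library and builds a constructed, in-memory sample CA and CRL so it runs offline; with a real CRL you would load it with `x509.load_der_x509_crl()` and pass the issuing CA's public key.

```python
# Added example: classify a client certificate serial against a CRL, including
# the validity-window checks a skewed client clock trips. Uses a constructed
# in-memory CA/CRL so it runs offline; a real CRL comes from load_der_x509_crl().
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID

CRL_LIFETIME = timedelta(days=7)  # assumed publication interval for the sample CA

def build_sample_crl(revoked_serials, issued_at):
    """Constructed sample: a throwaway CA key and a CRL listing the given serials."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    issuer = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Sample Corp CA")])
    builder = (x509.CertificateRevocationListBuilder()
               .issuer_name(issuer)
               .last_update(issued_at)
               .next_update(issued_at + CRL_LIFETIME))
    for serial in revoked_serials:
        entry = (x509.RevokedCertificateBuilder()
                 .serial_number(serial).revocation_date(issued_at).build())
        builder = builder.add_revoked_certificate(entry)
    return key.public_key(), builder.sign(private_key=key, algorithm=hashes.SHA256())

def _as_utc(dt):
    # cryptography < 42 returns naive UTC datetimes; newer releases add *_utc properties
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)

def crl_status(crl, issuer_public_key, serial, clock):
    """Return 'bad-signature', 'crl-not-yet-valid', 'crl-expired', 'revoked' or 'good'
    for `serial`, as a client whose clock reads `clock` would judge it."""
    if not crl.is_signature_valid(issuer_public_key):
        return "bad-signature"
    this_update = _as_utc(getattr(crl, "last_update_utc", None) or crl.last_update)
    next_update = _as_utc(getattr(crl, "next_update_utc", None) or crl.next_update)
    if clock < this_update:
        return "crl-not-yet-valid"  # client clock behind the CA's clock
    if clock > next_update:
        return "crl-expired"        # stale CRL, or client clock far ahead
    if crl.get_revoked_certificate_by_serial_number(serial) is not None:
        return "revoked"
    return "good"

if __name__ == "__main__":
    now = datetime.now(timezone.utc).replace(microsecond=0)
    pub, crl = build_sample_crl([0x1001, 0x1002], now)
    for serial in (0x1001, 0x2000):
        print(hex(serial), crl_status(crl, pub, serial, now + timedelta(hours=1)))
```

Run it against the CRL the client actually downloaded and the serial from the user's certificate; a "crl-not-yet-valid" or "crl-expired" result with a "good" serial points at clock skew rather than revocation.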