FphcareEnginner
Why does the CRL download automatically to the NetScreen-Remote client?
Hi,
I have one user whose NetScreen-Remote client always downloads the CRL automatically, which makes his current certificate (which should not need to be renewed until the end of the year) become invalid.
To resolve it, the user has to delete the CRL manually from the CRLs tab under the Juniper Certificate Manager every time he disconnects from the company network and connects to his ISP at home. Please see the attached example screenshot of Certificate Manager.
I would like to know what settings trigger the CRL download. Or could some other settings on Windows XP cause the download? Kindly be advised that none of our VPN users have this problem but him.
For your information,
We have our own CA and use it for certificate-based authentication, which links to our AD.
Our NetScreen-Remote version is 10.8.3 (Build 6) and it runs on XP.
If you have had a similar problem and were able to resolve it, I would appreciate it if you could share with me.
Thank you.
I agree with deimark - check to see if the cert is actually revoked (which may be why the CRL is giving problems...) and if not, revoke it and issue a new cert. If it becomes a bigger issue somehow, I would suggest trying on a different box, creating a new profile, using a different smartcard, etc. in case there is corruption or underlying hardware issues.
I highly recommend against disabling CRL checking - this is bad security practice - if you do this, why do you have certs in the first place?
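One way to run the check suggested in the answer above, as an added example that is not part of the original thread. It uses the Python `cryptography` package on a constructed CA, user certificate and CRLs (all names, dates and serial numbers are made up) and separates a serial that is really listed as revoked from a CRL that is past its nextUpdate or not signed by the CA.

```python
import datetime as dt
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

T0 = dt.datetime(2024, 1, 1)  # constructed issue time (naive UTC)
WEEK = dt.timedelta(days=7)

def check_revocation(cert, crl, ca_cert, now):
    """Classify cert against a CRL that should be signed by ca_cert."""
    if not crl.is_signature_valid(ca_cert.public_key()):
        return "crl-untrusted"  # CRL was not signed by this CA
    nxt = getattr(crl, "next_update_utc", None) or crl.next_update
    if nxt is not None and now > nxt.replace(tzinfo=None):
        return "crl-stale"  # past nextUpdate: fetch a fresh CRL first
    hit = crl.get_revoked_certificate_by_serial_number(cert.serial_number)
    return "revoked" if hit is not None else "good"

def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def _cert(cn, pubkey, signer, serial):  # constructed test certificate
    return (x509.CertificateBuilder().subject_name(_name(cn))
            .issuer_name(_name("Constructed CA")).public_key(pubkey)
            .serial_number(serial).not_valid_before(T0)
            .not_valid_after(T0 + 52 * WEEK).sign(signer, hashes.SHA256()))

def _crl(signer, revoked_serials):  # constructed CRL, valid for one week
    b = (x509.CertificateRevocationListBuilder().issuer_name(_name("Constructed CA"))
         .last_update(T0).next_update(T0 + WEEK))
    for s in revoked_serials:
        b = b.add_revoked_certificate(x509.RevokedCertificateBuilder()
                                      .serial_number(s).revocation_date(T0).build())
    return b.sign(signer, hashes.SHA256())

def demo():
    ca_key, user_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(2))
    ca = _cert("Constructed CA", ca_key.public_key(), ca_key, 1)
    user = _cert("vpn-user", user_key.public_key(), ca_key, 0x1001)
    now = T0 + dt.timedelta(days=1)
    return {
        "other serial listed": check_revocation(user, _crl(ca_key, [0x2002]), ca, now),
        "user serial listed": check_revocation(user, _crl(ca_key, [0x1001]), ca, now),
        "CRL past nextUpdate": check_revocation(user, _crl(ca_key, []), ca, T0 + 2 * WEEK),
        "CRL from another key": check_revocation(user, _crl(user_key, []), ca, now),
    }

if __name__ == "__main__":
    print(demo())
```

For real files, load them with `x509.load_pem_x509_certificate` / `x509.load_der_x509_crl` (or the PEM/DER counterparts) and pass the current UTC time as `now`.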
Attachment (from the asker): Certificate-Manager.JPG