CRL checking problem Windows 2003
Posted by Tim Mahy on Server Fault
Published on 2010-06-04T06:27:54Z
Hi all,
we have a CRL that is valid for 24 hours and has a next update in 12 hours. The CRL is valid from 12:12 AM to 12:12 AM and from 12:12 PM to 12:12 PM.
In the logs of the CRL hosting webserver we see that one of our servers does not always fetch the CRL at night; in most cases, on the server that missed the CRL, IIS serves 403.16 at 12:13 PM.
Is our following theory good: when a Windows server misses fetching the CRL on its nextUpdate but the current CRL is still valid, the fetching is not retried? This leads to a situation where, when the CRL expires, there is no overlap, which gives a little time of 403.16 situations in IIS since the CRL is not trusted and so all certificates are marked as unsafe?
greetings, Tim