I have an enterprise root and an enterprise subordinate certificate
authority. Users obtain a cert from the subordinate. I also have ISA
2004 and Exchange 2003 (with SP1).

My internal server name is server1.domain.com

I want to have external users look for the crl at secure.domain.com

I have published it in ISA 2004 to do that. I then removed the
server1.domain.com http link from the subordinate extensions and put a http
link to secure.domain.com in its place.

Now external Exchange organizations with Outlook 2003 cannot verify the CRL.
When they view the cert from their machine they can see the CDP; if they
copy and paste it into a browser, it opens the CRL. Why isn't it automatically
working like it did when I left the default location and published it as is
through ISA?

Thanks

Re: CDP location by Phillip

Phillip
Wed Jun 22 15:28:17 CDT 2005

I'm no expert on certs, but I believe in the case of web-based access they
are tied to the exact spelling of the URL. If you change the spelling of the
URL, the cert is no good anymore.

--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com

"Wayne" <Wayne@discussions.microsoft.com> wrote in message
news:F12800FD-C564-4445-A1C3-15FE682883F2@microsoft.com...
> I have an enterprise root and an enterprise subordinate certificate
> authority. Users obtain a cert from the subordinate. I also have ISA
> 2004 and Exchange 2003 (with SP1).
>
> My internal server name is server1.domain.com
>
> I want to have external users look for the crl at secure.domain.com
>
> I have published it in ISA 2004 to do that. I then removed the
> server1.domain.com http link from the subordinate extensions and put a
> http link to secure.domain.com in its place.
>
> Now external Exchange organizations with Outlook 2003 cannot verify the
> CRL. When they view the cert from their machine they can see the CDP; if
> they copy and paste it into a browser, it opens the CRL. Why isn't it
> automatically working like it did when I left the default location and
> published it as is through ISA?
>
> Thanks



Re: CDP location by Phillip

Phillip
Wed Jun 22 15:35:08 CDT 2005

"Phillip Windell" <@.> wrote in message
news:uEg6tj2dFHA.3808@TK2MSFTNGP14.phx.gbl...
> > I have published it in ISA 2004 to do that. I then removed the
> > server1.domain.com http link from the subordinate extensions and put a
> > http link to secure.domain.com in its place.

Since you effectively have two URLs in this process pointing to the same web
site, it would require two certs: one between the ISA and the web server and
another cert between the user and the ISA. Each cert is tied to the spelling
of the URL in that particular section of the process.

One Cert for "server1.domain.com" (ISA -to- Webserver)
Another Cert for "secure.domain.com" (User -to- ISA)

--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com



Re: CDP location by Wayne

Wayne
Thu Jun 23 07:51:02 CDT 2005

I'm not following you on why it would require 2 certs. Each user only gets
one cert.

I created the cert for user 1 with the default sub CA settings and published
server1.domain.com/certenroll/myca2.crl
Revocation worked fine.

I then went into the extensions of the sub CA and removed the default CDP and
replaced it with secure.domain.com/certenroll/myca2.crl
At this point I removed the ISA rule to publish the web server and created a
new rule to send anything to secure.domain.com/certenroll/myca2.crl to the
website at server1.domain.com/certenroll/myca2.crl
Next I created a second user and got him a cert. The only CDP shown on his
cert (besides the LDAP one) is for the secure.domain.com link.

It seems to me that when revocation checking happens it should go to the
secure.domain.com link and everything should be fine. I have checked the
link by cutting and pasting it into IE (it works), but Outlook cannot verify
the revocation list.

"Phillip Windell" wrote:

> "Phillip Windell" <@.> wrote in message
> news:uEg6tj2dFHA.3808@TK2MSFTNGP14.phx.gbl...
> > > I have published it in ISA 2004 to do that. I then removed the
> > > server1.domain.com http link from the subordinate extensions and put a
> > > http link to secure.domain.com in its place.
>
> Since you effectively have two URLs in this process pointing to the same web
> site it would require two Certs. One between the ISA and the Web server and
> another Cert between the User and the ISA. Each Cert is tied to the spelling
> of the URL in that particular section of the process.
>
> One Cert for "server1.domain.com" (ISA -to- Webserver)
> Another Cert for "secure.domain.com" (User -to- ISA)
>
> --
>
> Phillip Windell [MCP, MVP, CCNA]
> www.wandtv.com
>
>
>

Re: CDP location by Phillip

Phillip
Thu Jun 23 08:40:49 CDT 2005

I think you are running around in circles.

The certs are tied to the URL being accessed. The user is *not* using the
same URL to access ISA as what ISA is using to pass the connection on to
the real site, therefore you need two certs. These articles explain this.

Digital Certificates for ISA Server 2004
http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/digitalcertificates.mspx

Troubleshooting SSL Certificates in ISA Server 2004 Publishing
http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/tscerts.mspx

--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com



"Wayne" <Wayne@discussions.microsoft.com> wrote in message
news:CD11CEA3-8C65-44CB-AA68-7AB3038DD53A@microsoft.com...
> I'm not following you on why it would require 2 certs. Each user only
> gets one cert.
>
> I created the cert for user 1 with the default sub CA settings and
> published server1.domain.com/certenroll/myca2.crl
> Revocation worked fine.
>
> I then went into the extensions of the sub CA and removed the default CDP and
> replaced it with secure.domain.com/certenroll/myca2.crl
> At this point I removed the ISA rule to publish the web server and created
> a new rule to send anything to secure.domain.com/certenroll/myca2.crl to the
> website at server1.domain.com/certenroll/myca2.crl
> Next I created a second user and got him a cert. The only CDP shown on
> his cert (besides the LDAP one) is for the secure.domain.com link.
>
> It seems to me that when revocation checking happens it should go to the
> secure.domain.com link and everything should be fine. I have checked the
> link by cutting and pasting it into IE (it works), but Outlook cannot
> verify the revocation list.
>
> "Phillip Windell" wrote:
>
> > "Phillip Windell" <@.> wrote in message
> > news:uEg6tj2dFHA.3808@TK2MSFTNGP14.phx.gbl...
> > > > I have published it in ISA 2004 to do that. I then removed the
> > > > server1.domain.com http link from the subordinate extensions and put
> > > > a http link to secure.domain.com in its place.
> >
> > Since you effectively have two URLs in this process pointing to the same
> > web site, it would require two certs: one between the ISA and the web
> > server and another cert between the user and the ISA. Each cert is tied
> > to the spelling of the URL in that particular section of the process.
> >
> > One cert for "server1.domain.com" (ISA -to- Webserver)
> > Another cert for "secure.domain.com" (User -to- ISA)
> >
> > --
> >
> > Phillip Windell [MCP, MVP, CCNA]
> > www.wandtv.com
> >
> >
> >



Re: CDP location by Wayne

Wayne
Thu Jul 07 15:36:04 CDT 2005

But the CRL site is HTTP; there is no certificate or HTTPS website on that
server. Therefore why would I need 2 certificates?



"Phillip Windell" wrote:

> I think you are running around in circles.
>
> The Certs are tied to the URL being accessed. The user is *not* using the
> same URL to access ISA as what ISA is using the pass the connection on the
> the real site,...therefore you need two Certs. These articles explain this.
>
> Digital Certificates for ISA Server 2004
> http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/digitalcertificates.mspx
>
> Troubleshooting SSL Certificates in ISA Server 2004 Publishing
> http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/tscerts.mspx
>
> --
>
> Phillip Windell [MCP, MVP, CCNA]
> www.wandtv.com
>
>
>
> "Wayne" <Wayne@discussions.microsoft.com> wrote in message
> news:CD11CEA3-8C65-44CB-AA68-7AB3038DD53A@microsoft.com...
> > I'm not following you on why it would require 2 certs. Each user only
> > gets one cert.
> >
> > I created the cert for user 1 with the default sub CA settings and
> > published server1.domain.com/certenroll/myca2.crl
> > Revocation worked fine.
> >
> > I then went into the extensions of the sub CA and removed the default CDP and
> > replaced it with secure.domain.com/certenroll/myca2.crl
> > At this point I removed the ISA rule to publish the web server and created
> > a new rule to send anything to secure.domain.com/certenroll/myca2.crl to the
> > website at server1.domain.com/certenroll/myca2.crl
> > Next I created a second user and got him a cert. The only CDP shown on
> > his cert (besides the LDAP one) is for the secure.domain.com link.
> >
> > It seems to me that when revocation checking happens it should go to the
> > secure.domain.com link and everything should be fine. I have checked the
> > link by cutting and pasting it into IE (it works), but Outlook cannot
> > verify the revocation list.
> >
> > "Phillip Windell" wrote:
> >
> > > "Phillip Windell" <@.> wrote in message
> > > news:uEg6tj2dFHA.3808@TK2MSFTNGP14.phx.gbl...
> > > > > I have published it in ISA 2004 to do that. I then removed the
> > > > > server1.domain.com http link from the subordinate extensions and put
> > > > > a http link to secure.domain.com in its place.
> > >
> > > Since you effectively have two URLs in this process pointing to the same
> > > web site, it would require two certs: one between the ISA and the web
> > > server and another cert between the user and the ISA. Each cert is tied
> > > to the spelling of the URL in that particular section of the process.
> > >
> > > One cert for "server1.domain.com" (ISA -to- Webserver)
> > > Another cert for "secure.domain.com" (User -to- ISA)
> > >
> > > --
> > >
> > > Phillip Windell [MCP, MVP, CCNA]
> > > www.wandtv.com
> > >
> > >
> > >
>
>
>
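One check worth running against the setup Wayne describes (the rewritten sub CA CDP, the plain-HTTP CRL behind ISA), given here as an added example that is not from any of the posts above: a relying party such as CryptoAPI under Outlook checks revocation for every certificate in the chain below the root, so it reads the CDP of the user certificate and also the CDP of the subordinate CA's own certificate, which the root CA wrote when it issued that certificate and which the sub CA's extension settings do not change. The Python below encodes and decodes the CRLDistributionPoints extension (RFC 5280, section 4.2.1.13) with a minimal DER codec and then lists every URL an external client must reach for the whole chain. The root CRL file name (rootca.crl), the LDAP names and the set of internal-only hostnames are assumptions for illustration; the thread does not record whether the sub CA certificate's CDP was the failing link.

```python
"""Added example, not from the thread: a minimal DER codec for the
CRLDistributionPoints extension (RFC 5280 4.2.1.13) plus a chain model that
lists every CDP entry an external Outlook client must be able to fetch.
Hostnames, file names and the root CA's CDP are illustrative assumptions."""

TAG_SEQUENCE = 0x30
TAG_CTX0_CONS = 0xA0   # [0] constructed: distributionPoint, then fullName
TAG_URI = 0x86         # [6] IMPLICIT IA5String: uniformResourceIdentifier
INTERNAL_HOSTS = {"server1.domain.com"}  # assumed not resolvable from outside

def der_len(n):
    if n < 0x80:                       # short form
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body   # long form

def der_tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def der_read(buf, pos):
    """Parse one TLV at buf[pos]; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length >= 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def der_children(body):
    """All TLVs directly inside a constructed value."""
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = der_read(body, pos)
        out.append((tag, val))
    return out

def encode_crl_distribution_points(uris):
    """One DistributionPoint per URI, the layout a Windows CA writes."""
    points = b""
    for uri in uris:
        general_name = der_tlv(TAG_URI, uri.encode("ascii"))
        full_name = der_tlv(TAG_CTX0_CONS, general_name)  # DistributionPointName
        points += der_tlv(TAG_SEQUENCE, der_tlv(TAG_CTX0_CONS, full_name))
    return der_tlv(TAG_SEQUENCE, points)

def decode_crl_distribution_points(value):
    """Return the URI names in a CRLDistributionPoints value, in order."""
    tag, body, _ = der_read(value, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("CRLDistributionPoints must be a SEQUENCE")
    uris = []
    for _, dp_body in der_children(body):                  # DistributionPoint
        for field_tag, field_body in der_children(dp_body):
            if field_tag != TAG_CTX0_CONS:                 # reasons, cRLIssuer
                continue
            for name_tag, names in der_children(field_body):
                if name_tag == TAG_CTX0_CONS:              # fullName, not an RDN
                    uris += [gn.decode("ascii")
                             for t, gn in der_children(names) if t == TAG_URI]
    return uris

def reachable_from_internet(url):
    """Can an external client be expected to fetch this CDP entry?"""
    scheme, _, rest = url.partition("://")
    if scheme != "http":               # ldap:/// needs the internal directory
        return False
    host = rest.split("/", 1)[0].split(":", 1)[0].lower()
    return host not in INTERNAL_HOSTS

def chain_crl_urls(chain):
    """chain: [(subject, cdp_der), ...] from end entity up to, not including,
    the self-signed root. Returns (subject, url, reachable) per CDP entry."""
    return [(subject, url, reachable_from_internet(url))
            for subject, cdp_der in chain
            for url in decode_crl_distribution_points(cdp_der)]

def first_unreachable(chain):
    """First cert below the root with no externally reachable CDP, else None."""
    for subject, cdp_der in chain:
        urls = decode_crl_distribution_points(cdp_der)
        if not any(reachable_from_internet(u) for u in urls):
            return subject
    return None

# Constructed chain mirroring the thread: the new user cert carries the rewritten
# CDP; the sub CA cert still carries what the root CA wrote at issuance (assumed).
USER2_CDP = encode_crl_distribution_points([
    "ldap:///CN=myca2,CN=CDP,CN=Public%20Key%20Services,DC=domain,DC=com",
    "http://secure.domain.com/certenroll/myca2.crl",
])
SUBCA_CDP = encode_crl_distribution_points([
    "ldap:///CN=rootca,CN=CDP,CN=Public%20Key%20Services,DC=domain,DC=com",
    "http://server1.domain.com/certenroll/rootca.crl",
])
CHAIN = [("user2", USER2_CDP), ("myca2 (sub CA)", SUBCA_CDP)]

if __name__ == "__main__":
    for subject, url, ok in chain_crl_urls(CHAIN):
        print("ok  " if ok else "FAIL", subject, url)
    print("first cert an external client cannot check:", first_unreachable(CHAIN))
```

The reachability test here is a static classification by hostname and scheme; the real check is the HTTP GET made from the external client's own network, through its own proxy settings. On a Windows client that walk, including the sub CA certificate's CDP, is what `certutil -verify -urlfetch user2.cer` performs, and it reports each URL it tried and which one failed.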