Manage Network Retrieval and Path Validation

Applies To: Windows Server 2008

To be effective, certificate-related data such as trusted root certificates, cross-certificates, and certificate revocation lists must be updated in a timely manner. Network retrieval and path validation settings allow administrators to:

  • Automatically update certificates in the Microsoft Root Certificate Program

  • Configure retrieval timeout values for certificate revocation lists (CRLs) and path validation (larger default values may be useful if network conditions are not optimal)

  • Enable issuer certificate retrieval during path validation

  • Define how frequently cross-certificates are downloaded

Managing CRL retrieval

Obtaining timely certificate-revocation data is an important element in secure certificate use. However, problems can arise if validation checking and retrieval of certificate revocation data and cross-certificates time out because more data is being transferred than originally anticipated.

Network retrieval options in public key Group Policy allow administrators to manage network retrieval timeout values.

Membership in the local Administrators group is the minimum required to complete this procedure. Review the details in "Additional considerations" in this topic.

To increase the retrieval timeout option for large CRLs for a local computer

  1. Click Start, click Start Search, type mmc, and then press ENTER.

  2. On the File menu, click Add/Remove Snap-in.

  3. Under Available snap-ins, click Local Group Policy Object Editor, click Add, and then click Finish.

  4. If you have no more snap-ins to add to the console, click OK.

  5. In the console tree, go to Local Computer Policy, Computer Configuration, Windows Settings, Security Settings, and then click Public Key Policies.

  6. Double-click Certificate Path Validation Settings, and then click the Network Retrieval tab.

  7. Select the Define these policy settings check box.

  8. Under Default retrieval timeout settings, enter a timeout value in the Default URL retrieval timeout (in seconds) box, and then click OK to apply the new settings.

Membership in Domain Administrators is the minimum required to complete this procedure. Review the details in "Additional considerations" in this topic.

To increase the retrieval timeout option for large CRLs for a domain

  1. Open Server Manager, and under Features Summary, click Add Features. Select the Group Policy Management check box, click Next, and then click Install.

  2. After the Installation Results page shows that the installation of the Group Policy Management Console (GPMC) was successful, click Close.

  3. Click Start, point to Administrative Tools, and then click Group Policy Management.

  4. In the console tree, double-click Group Policy Objects in the forest and domain containing the Default Domain Policy Group Policy object (GPO) that you want to edit.

  5. Right-click the Default Domain Policy GPO, and then click Edit.

  6. In the GPMC, go to Computer Configuration, Windows Settings, Security Settings, and then click Public Key Policies.

  7. Double-click Certificate Path Validation Settings, and then click the Network Retrieval tab.

  8. Select the Define these policy settings check box.

  9. Under Default retrieval timeout settings, enter a timeout value in the Default URL retrieval timeout (in seconds) box, and then click OK to apply the new settings.
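The two procedures above set the same value through the Group Policy user interface. The following PowerShell script is an added example, not part of the original article, for checking what the chain engine will actually use and for setting the per-URL timeout on a stand-alone computer without opening the snap-in. The registry path and value names it uses (ChainEngine\Config, ChainUrlRetrievalTimeoutMilliseconds, ChainRevAccumulativeUrlRetrievalTimeoutMilliseconds) and the built-in defaults of 15 and 20 seconds are assumptions taken from Microsoft's CryptoAPI chain-engine documentation; they do not appear on this page.

```powershell
# Added example (not from the original article). Inspect and adjust the policy-backed
# URL retrieval timeout that the Certificate Path Validation Settings > Network Retrieval
# tab writes. Key path, value names and defaults below are assumptions from Microsoft's
# chain-engine documentation, not values taken from this page.

$ChainConfigKey = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\ChainEngine\Config'

# Built-in defaults used when the policy is "Not Defined" (assumption: 15 s per URL,
# 20 s cumulative for a whole path validation).
$Defaults = @{
    ChainUrlRetrievalTimeoutMilliseconds                = 15000
    ChainRevAccumulativeUrlRetrievalTimeoutMilliseconds = 20000
}

function Get-ChainRetrievalTimeout {
    # Returns each timeout in seconds and whether it comes from policy or the default.
    $result = @()
    foreach ($name in $Defaults.Keys) {
        $value = $null
        if (Test-Path $ChainConfigKey) {
            $item = Get-ItemProperty -Path $ChainConfigKey -Name $name -ErrorAction SilentlyContinue
            if ($item) { $value = $item.$name }
        }
        $ms = if ($null -ne $value) { $value } else { $Defaults[$name] }
        $result += [pscustomobject]@{
            Setting = $name
            Seconds = [int]($ms / 1000)
            Source  = if ($null -ne $value) { 'Policy' } else { 'Default' }
        }
    }
    return $result
}

function Set-ChainUrlRetrievalTimeout {
    param(
        [Parameter(Mandatory = $true)][ValidateRange(1, 3600)][int]$Seconds
    )
    # Equivalent of step 8 of the local-computer procedure for the single per-URL value.
    # On a domain-joined computer set it in the GPO instead: the next policy refresh
    # overwrites anything written here directly.
    if (-not (Test-Path $ChainConfigKey)) {
        New-Item -Path $ChainConfigKey -Force | Out-Null
    }
    New-ItemProperty -Path $ChainConfigKey -Name 'ChainUrlRetrievalTimeoutMilliseconds' `
        -PropertyType DWord -Value ($Seconds * 1000) -Force | Out-Null
}

# Usage (run from an elevated prompt): show the effective values, raise the per-URL
# timeout so a large CRL can finish downloading, then confirm the change.
Get-ChainRetrievalTimeout | Format-Table -AutoSize
# Set-ChainUrlRetrievalTimeout -Seconds 60
# Get-ChainRetrievalTimeout | Format-Table -AutoSize
```

After changing the value, run gpupdate /force so the policy is reapplied, then confirm that revocation data for a certificate issued by the CA in question is actually retrieved with certutil -verify -urlfetch <certificate file>; its output shows each CRL and AIA fetch and whether it succeeded. Raise the timeout only as far as the CRL size requires: every validation against an unreachable distribution point will now wait up to the new limit before the chain engine reports the revocation status as unknown.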

Additional considerations

  • Group Policy options can only be changed by an administrator.