Determine Whether You Need to Enable Certificate Revocation Checking (CRL) On Clients (Native Mode)
Updated: June 1, 2009
Applies To: System Center Configuration Manager 2007, System Center Configuration Manager 2007 R2, System Center Configuration Manager 2007 R3, System Center Configuration Manager 2007 SP1, System Center Configuration Manager 2007 SP2
The certificate revocation list (CRL) is an optional component of a public key infrastructure (PKI) deployment. It is a file that is created and signed by a certification authority and contains a list of certificates that it has issued but revoked. Certificates can be revoked by a certification authority administrator, for example, if an issued certificate is known or suspected to be compromised.
When a CRL is used with a PKI deployment, applications can check the revocation status of the certificates they are using and of the certificates that chain to the trusted root certification authority. This check is made by ensuring that no certificate in the chain is listed on the CRL. If any of these certificates is listed on the CRL, the certificate used by the application is considered invalid, even though it comes from a trusted source and is within its validity period.
If certificate revocation checking is enabled for Configuration Manager 2007 native mode clients, they will check the CRL whenever they communicate with one of the following site systems configured for native mode:
Distribution points, except those that use a site system share or are configured as branch distribution points
Software update points
State migration points
Note: Client functions that run as a result of task sequence actions always check the CRL when the client is running versions prior to Configuration Manager 2007 SP2.
If clients are using certificate revocation checking but they fail to locate the CRL, they behave as if all certificates in the certification chain are revoked because their absence from the list cannot be verified. In this scenario, all connections that require certificates and use a CRL will fail, and the Configuration Manager 2007 client will send an error message to its fallback status point.
Checking the CRL each time a certificate is used offers more security against using a certificate that has been revoked, but it introduces a connection delay and additional processing on the client. You are more likely to require this additional security check for Internet-based client management than for native mode sites that are contained within the intranet.
The default setting for CRL checking in a Configuration Manager site depends on whether the site was installed in native mode or was installed in mixed mode and then migrated to native mode. CRL checking for clients is enabled by default when the Configuration Manager site is installed in native mode and is disabled by default when the Configuration Manager site is installed in mixed mode and then migrated to native mode.
Consult your PKI administrators before deciding whether to enable certificate revocation checking on clients, and then consider enabling this option in Configuration Manager 2007 if both of the following conditions apply:
Your PKI infrastructure supports a CRL, and it is published where all Configuration Manager 2007 clients can locate it (including clients on the Internet if you are using Internet-based client management).
The requirement to check the CRL for each connection to a site system configured with a certificate is greater than the requirement for faster connections and efficient processing on the client, and is also greater than the risk of clients failing to connect to servers if they cannot locate the CRL.
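As an added example that is not part of the original article, the following Windows PowerShell function (3.0 or later assumed; the function name, the client-authentication EKU filter and the timeouts are assumptions) can be run on a native mode client to show whether the client certificate chains with online revocation checking enforced and whether the HTTP CRL distribution points named in that certificate can actually be fetched from the client, which is the first condition above.

```powershell
# Added example, not from the original article. Assumes Windows PowerShell 3.0 or
# later and that the client certificate is in the computer's Personal store.
function Test-CMClientCrl {
    param([string]$Thumbprint)   # optional: check one specific certificate

    $ekuClientAuth = '1.3.6.1.5.5.7.3.2'
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        (-not $Thumbprint -or $_.Thumbprint -eq $Thumbprint) -and
        ($_.EnhancedKeyUsageList.ObjectId -contains $ekuClientAuth)
    } | Select-Object -First 1
    if (-not $cert) { throw 'No client authentication certificate found in LocalMachine\My.' }
    "Checking: $($cert.Subject) ($($cert.Thumbprint))"

    # 1. Build the chain with online revocation checking. Like the client, this fails
    #    closed: a CRL that cannot be located is reported as an error, not a pass.
    #    ExcludeRoot skips the self-signed root, which has no issuer CRL to consult.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chain.ChainPolicy.RevocationFlag = 'ExcludeRoot'
    $chain.ChainPolicy.UrlRetrievalTimeout = New-TimeSpan -Seconds 15
    $valid = $chain.Build($cert)
    "Chain valid with revocation checking: $valid"
    foreach ($s in $chain.ChainStatus) {
        # Revoked = a chain certificate is on the CRL; RevocationStatusUnknown or
        # OfflineRevocation = the CRL could not be retrieved.
        "  $($s.Status): $($s.StatusInformation.Trim())"
    }

    # 2. Fetch each HTTP CRL distribution point named in the certificate, so a
    #    publishing problem (for example, a CRL not reachable from the Internet) is visible.
    $cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    if (-not $cdp) { 'No CRL distribution point extension in this certificate.'; return }
    $urls = [regex]::Matches($cdp.Format($true), 'URL=(https?://\S+)') |
        ForEach-Object { $_.Groups[1].Value }
    foreach ($url in $urls) {
        try {
            $resp = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 15
            "  reachable: $url ($($resp.RawContentLength) bytes)"
        } catch {
            "  NOT reachable: $url - $($_.Exception.Message)"
        }
    }
}

Test-CMClientCrl
```

Run it from an Internet-based client as well as an intranet client: a distribution point that resolves only on the intranet shows up as "NOT reachable" from the Internet, which is exactly the case in which enabling CRL checking would make those clients fail to connect.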
Note: For more information about certificate revocation, see the section on managing certificate revocation in the Windows Server 2003 product help (http://go.microsoft.com/fwlink/?LinkId=78786).
Certificate revocation checking is enabled by default in IIS, so if you are using a CRL with your PKI deployment, there is nothing additional to configure on the Configuration Manager site systems.
Native mode mobile device clients do not use certificate revocation lists, although their certificates can be revoked and checked by native mode site systems.
For additional information, see Configuration Manager 2007 Information and Support.
To contact the documentation team, email SMSdocs@microsoft.com.