Hello All
Can someone please help me with the following question :)
I set up a LAB whereby I have a Windows 2003 R2 AD and Windows 2003 R2 Enterprise Root CA (will upgrade the lab to 2012 R2 later), and a Windows 2012 R2 IIS Server with a Test WEB Site. I also have a Windows 7 Client in the lab running the current version of Internet Explorer e.g. version 11.x
I created a CSR > Cert from the CA and bound it to the WEB site, so I can go to https://TestSite no problem and if you click on the padlock it tells you about the certificate and who issued it etc.
When I look at the Certificate I can see the CDP information and using ADSIEDIT I can see the relevant object in the AD configuration container. So again all looks fine.
Next, from the Certificate Authority MMC snap-in on the CA I revoked the Certificate, after which I chose the option to publish a new CRL.
Problem:
However, when I use IE (or Firefox for that matter) I can still go to https://TestSite and there are no warnings about the Certificate having been revoked. I understand the client caches the CRL and does not always go and get a new one when a new one is published, but rather waits for its local cache to expire (a good reason for using OCSP I believe).
Is the reason the WEB Browser still shows the page due to the fact the CRL cache on the client is still active and needs to be refreshed from the CRL in AD?
If so, how can I force the Browser to do this, and is there a registry key (or GPO) to say do not cache CRLs?
For better security I guess I would be better off setting up an OCSP Server?
If I set up OCSP, will I therefore need to remove the CRL, and will IE/Firefox know how to check with OCSP when opening a WEB Site, or do I have to configure Windows/IE etc. via GPO to tell it to use OCSP?
Sorry for the several questions, I would appreciate it if someone could help me out with the answers, thanks in advance.
Thanks All
AAnotherUser__
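An added example, not part of the post above, showing how to flush the Windows client's cached CRL and re-check the lab server's certificate against a freshly downloaded CRL. It assumes the site name https://TestSite from the post, that the client already trusts the lab CA, and that it is run in an elevated PowerShell session on the Windows 7 client.

```powershell
# Added example (not from the original post): force a fresh CRL fetch on the client
# and report the revocation status of the certificate presented by https://TestSite.

# 1. Flush the per-user CRL and OCSP URL caches so the next check downloads a new CRL
#    instead of reusing one whose Next Update time has not passed yet.
certutil -urlcache crl delete
certutil -urlcache ocsp delete

# 2. Mark all cached chain data as stale from this moment (same effect as the
#    ChainCacheResyncFiletime value under the CryptoAPI ChainEngine\Config registry key).
certutil -setreg chain\ChainCacheResyncFiletime @now

# 3. Capture the certificate the web server presents. The validation callback only
#    suppresses the TLS handshake failure here; revocation is checked explicitly below.
$uri = 'https://TestSite'   # hostname taken from the post; adjust for your lab
$req = [System.Net.HttpWebRequest]::Create($uri)
$req.ServerCertificateValidationCallback = { $true }
try { $req.GetResponse().Dispose() } catch { }
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
    $req.ServicePoint.Certificate

# 4. Build the chain with online revocation checking for every certificate in it.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'Online'
$chain.ChainPolicy.RevocationFlag = 'EntireChain'
$chain.ChainPolicy.VerificationFlags = 'NoFlag'
$valid = $chain.Build($cert)

# 5. Report the outcome. A revoked server certificate shows a 'Revoked' status entry;
#    'RevocationStatusUnknown' or 'OfflineRevocation' means the CDP could not be reached.
"Subject  : $($cert.Subject)"
"Issuer   : $($cert.Issuer)"
"Chain OK : $valid"
foreach ($status in $chain.ChainStatus) {
    "{0} - {1}" -f $status.Status, $status.StatusInformation.Trim()
}
```

Run steps 1 and 2 before re-opening the site in the browser as well; IE uses the same CryptoAPI cache, so a page that still loads after the flush indicates a CDP or CRL publishing problem rather than a caching one.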