Hello,
I have built a lab environment - based on 2008 R2. I have created a basic two tier PKI solution - one offline Root CA and an issuing CA. Based on my limited knowledge this seems to be working well - I have distributed the public cert to clients as a trusted root CA using group policies and can issue internal certs for use on web services, appliances etc.
I have also created a certificate template for remote desktop services and again distributed this to selected servers in my lab using group policy. Again, this seems to work well - connecting to servers from a Windows 7 client in the domain works well.
My question is around connecting to servers from non domain clients. As a non domain member will not trust the root CA I expect to see an error around this - however clients refuse to connect with the attached error message - "A revocation check could not be performed for the certificate."
I imagine this is because as the client is not a domain member it can't check against the CRL published from the issuing CA. I've configured the CDP extension on the issuing CA with LDAP, HTTP and File locations but presumably this non domain member is unable to check against any of these.
My question is - what do I need to configure in order for my non domain member to be able to check the CRL?
My knowledge of Windows Server PKI is a bit patchy so grateful for any advice received.
Thanks
Chris
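A check for this situation, added here and not part of Chris's post: run it on the non-domain client against the RDS server's certificate (exported to a file) to list the CDP URLs the certificate carries, test which of them the client can actually reach, and then build the chain with online revocation checking the way the RDP client does. The file path and the use of PowerShell are assumptions; the script uses only the .NET X509 classes and Invoke-WebRequest.

```powershell
# Added example, not from the original post. Assumes the RDS server certificate
# was exported to C:\temp\rds.cer (hypothetical path) on the non-domain client.
param([string]$CertPath = 'C:\temp\rds.cer')

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertPath)

# Pull the CRL Distribution Points extension (OID 2.5.29.31) and list every URL in it.
$cdpExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
if (-not $cdpExt) { Write-Warning 'Certificate has no CRL Distribution Points extension'; return }
$urls = [regex]::Matches($cdpExt.Format($true), 'URL=(\S+)') | ForEach-Object { $_.Groups[1].Value }

foreach ($u in $urls) {
    if ($u -like 'http://*') {
        # Only HTTP can work from outside the domain: ldap:// needs AD access and
        # file:// needs the share, so a non-domain client silently fails on both.
        try {
            $r = Invoke-WebRequest -Uri $u -UseBasicParsing -TimeoutSec 10
            "{0}  HTTP {1}  {2} bytes" -f $u, $r.StatusCode, $r.RawContentLength
        } catch {
            "{0}  UNREACHABLE: {1}" -f $u, $_.Exception.Message
        }
    } else {
        "{0}  skipped (ldap/file locations are not reachable from a non-domain client)" -f $u
    }
}

# Reproduce the client-side decision: build the chain with online revocation
# checking for the whole chain and print every status the chain engine reports.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'Online'
$chain.ChainPolicy.RevocationFlag = 'EntireChain'
$null = $chain.Build($cert)
$chain.ChainStatus | ForEach-Object { "{0}: {1}" -f $_.Status, $_.StatusInformation.Trim() }
```

The built-in equivalent is `certutil -urlfetch -verify C:\temp\rds.cer`, which reports each CDP URL and whether it could be retrieved. Note that the chain check also needs the issuing CA's own certificate to pass revocation, so the offline root CA's CRL must be published at an HTTP location the client can reach, not only in AD.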