Partager via


Manage Revocation Checking Policy

Applies To: Windows Server 2008

Revocation of a certificate invalidates a certificate as a trusted security credential prior to the natural expiration of its validity period. A public key infrastructure (PKI) depends on distributed verification of credentials in which there is no need for direct communication with the central trusted entity that vouches for the credentials.

To effectively support certificate revocation, the client must determine whether the certificate is valid or has been revoked. To support a variety of scenarios, Certificate Services supports industry-standard methods of certificate revocation.

These include publication of certificate revocation lists (CRLs) and delta CRLs in several locations for clients to access, including the Active Directory directory service, Web servers, and network file shares. In Windows, revocation data can also be made available in a variety of settings through online certificate status protocol (OCSP) responses.

Note

CRLs are published to specified network locations on a periodic basis where they can be downloaded by requesting clients. OCSP responses are digitally-signed responses indicating whether an individual certificate has been revoked or suspended, of it its status is unknown. OCSP responders get their data from published CRLs, or they can be updated directly from the certificate status database of a certification authority (CA).

In addition, public key Group Policy allows administrators to enhance the use of CRLs and online responders, particularly in situations where extremely large CRLs or network conditions detract from performance.

Administrators is the minimum group membership required to complete this procedure. Review the details in "Additional considerations" in this topic.

To configure revocation settings on a local computer

  1. Click Start, click Start Search, type mmc, and then press ENTER.

  2. On the File menu, click Add/Remove Snap-in.

  3. Under Available snap-ins, click Local Group Policy Object Editor, click Add, and then click Finish.

  4. If you have no more snap-ins to add to the console, click OK.

  5. In the console tree, go to Local Computer Policy, Computer Configuration, Windows Settings, Security Settings, and then click Public Key Policies.

  6. Double-click Certificate Path Validation Settings, and then click the Revocation tab.

  7. Select the Define these policy settings check box, select the policy options you want, and then click OK to apply the new settings.

Domain Administrators is the minimum group membership required to complete this procedure. Review the details in "Additional considerations" in this topic.

To configure revocation settings for a domain

  1. Open Server Manager, and under Features Summary, click Add Features. Select the Group Policy Management check box, click Next, and then click Install.

  2. After the Installation Results page shows that the installation of the Group Policy Management Console (GPMC) was successful, click Close.

  3. Click Start, point to Administrative Tools, and then click Group Policy Management.

  4. In the console tree, double-click Group Policy Objects in the forest and domain containing the Default Domain Policy Group Policy object (GPO) that you want to edit.

  5. Right-click the Default Domain Policy GPO, and then click Edit.

  6. In the GPMC, go to Computer Configuration, Windows Settings, Security Settings, and then click Public Key Policies.

  7. Double-click Certificate Path Validation Settings, and then click the Revocation tab.

  8. Select the Define these policy settings check box, select the policy options you want, and then click OK to apply the new settings.

Administrators is the minimum group membership required to complete this procedure. Review the details in "Additional considerations" in this topic.

To extend the validity period for CRL and OCSP responses for a local computer

  1. Click Start, click Start Search, type mmc, and then press ENTER.

  2. On the File menu, click Add/Remove Snap-in.

  3. Under Available snap-ins, click Local Group Policy Object Editor, click Add, and then click Finish.

  4. If you have no more snap-ins to add to the console, click OK.

  5. In the console tree, go to Local Computer Policy, Computer Configuration, Windows Settings, Security Settings, and then click Public Key Policies.

  6. Double-click Certificate Path Validation Settings, and then click the Revocation tab.

  7. Select the Define these policy settings check box, and then select the Allow CRL and OCSP responses to be valid longer than their lifetime check box.

  8. In the Default time the validity period can be extended box, and enter a value of time (in hours), and then click OK to apply the new settings.

Domain Administrators is the minimum group membership required to complete this procedure. Review the details in "Additional considerations" in this topic.

To extend the validity period for CRL and OCSP responses for a domain

  1. Open Server Manager, and under Features Summary, click Add Features. Select the Group Policy Management check box, click Next, and then click Install.

  2. After the Installation Results page shows that the installation of the GPMC was successful, click Close.

  3. Click Start, point to Administrative Tools, and then click Group Policy Management.

  4. In the console tree, double-click Group Policy Objects in the forest and domain containing the Default Domain Policy GPO that you want to edit.

  5. Right-click the Default Domain Policy GPO, and then click Edit.

  6. In the GPMC, go to Computer Configuration, Windows Settings, Security Settings, and then click Public Key Policies.

  7. Double-click Certificate Path Validation Settings, and then click the Revocation tab.

  8. Select the Define these policy settings check box, and then select the Allow CRL and OCSP responses to be valid longer than their lifetime check box.

  9. In the Default time the validity period can be extended box, enter a value of time (in hours), and then click OK to apply the new settings.

Additional considerations

  • You must be an administrator to modify Group Policy settings.