A CRL is simply a list of serial numbers in a simple text file basically and is
in no way a problem to expose to the Internet. This can be on *any*
Internet-accessible web server.
OCSP is still something exposed to the Internet – it’s a proxy of sorts for
accessing revoked cert info. The main reason for OCSP is so you don’t have to
hard-code specific URLs for the CDPs into the certificates.
No, domain join is not enough for Internet clients. How is a client on the
Internet going to access your AD? If it could do that, you've either got bigger
security issues and/or no reason to use IBCM/CMG in the first place.
You can always simply disable client CRL checking in ConfigMgr. This is
actually what most folks do. From a strict security stand-point, this isn’t a
recommended thing to do, but in this case, the certificates being used are a
means to an end and aren’t being used to revoke access to the ConfigMgr
infrastructure (which is truly the only thing you lose by disabling CRL
From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On
Behalf Of James Massardo
Sent: Friday, January 13, 2017 7:48 AM
Subject: [mssms] RE: PKI Question for Cloud Management Gateway and Azure
OCSP would be a better option than exposing the CRL to the outside.
[mailto:listsad...@lists.myitforum.com] On Behalf Of Kevin Kaminski
Sent: Thursday, January 12, 2017 1:51 PM
Subject: [mssms] PKI Question for Cloud Management Gateway and Azure
I have a customer that is reluctant to change their PKI infrastructure to have
an Internet exposed CRL. If I want to use their enterprise CA wouldn’t this be
a requirement or would joining them to the domain be good enough so they can
get their CRL through that mechanism?
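As an added illustration of the thread's point (not code from the list, ConfigMgr or any CA product), this uses Python's `cryptography` library with a constructed demo CA and a placeholder CDP URL: the leaf cert carries the CDP URL hard-coded into it, the CRL is nothing more than a signed list of serial numbers with dates, and the client-side check looks the serial up only after verifying the CA's signature on the CRL.

```python
import datetime
from cryptography import x509
from cryptography.x509.oid import NameOID, ExtensionOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa

CDP_URL = "http://crl.example.test/ca.crl"  # constructed placeholder, not a real CDP
NOW = datetime.datetime.now(datetime.timezone.utc)

def make_ca():
    """Self-signed issuing CA, constructed for the demo."""
    key = rsa.generate_private_key(65537, 2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Demo Issuing CA")])
    cert = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(NOW).not_valid_after(NOW + datetime.timedelta(days=365))
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert
def issue_client_cert(ca_key, ca_cert, cn):
    """Leaf cert with the CDP URL hard-coded into it, as the thread describes."""
    cdp = x509.CRLDistributionPoints([x509.DistributionPoint(
        full_name=[x509.UniformResourceIdentifier(CDP_URL)],
        relative_name=None, reasons=None, crl_issuer=None)])
    leaf_key = rsa.generate_private_key(65537, 2048)
    return (x509.CertificateBuilder()
            .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)]))
            .issuer_name(ca_cert.subject).public_key(leaf_key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(NOW).not_valid_after(NOW + datetime.timedelta(days=30))
            .add_extension(cdp, critical=False).sign(ca_key, hashes.SHA256()))
def build_crl(ca_key, ca_cert, revoked_serials):
    """A CRL is just serial numbers plus dates, signed by the CA."""
    b = (x509.CertificateRevocationListBuilder().issuer_name(ca_cert.subject)
         .last_update(NOW).next_update(NOW + datetime.timedelta(days=7)))
    for s in revoked_serials:
        b = b.add_revoked_certificate(
            x509.RevokedCertificateBuilder().serial_number(s).revocation_date(NOW).build())
    return b.sign(private_key=ca_key, algorithm=hashes.SHA256())
def cdp_urls(cert):
    """The URLs a client would fetch the CRL from: whatever is baked into the cert."""
    ext = cert.extensions.get_extension_for_oid(ExtensionOID.CRL_DISTRIBUTION_POINTS).value
    return [n.value for dp in ext for n in (dp.full_name or [])
            if isinstance(n, x509.UniformResourceIdentifier)]
def is_revoked(cert, crl, ca_cert):
    """Refuse a CRL the CA did not sign, then look the serial up."""
    if not crl.is_signature_valid(ca_cert.public_key()):
        raise ValueError("CRL signature does not verify against the CA")
    return crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None
```

Because the CRL is signed, publishing it on any Internet-reachable web server leaks only serial numbers; a tampered copy fails the signature check before any lookup happens.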