A CRL is simply a list of serial numbers in a simple text file, basically, and is in no way a problem to expose to the Internet. This can be on *any* Internet-accessible web server.

OCSP is still something exposed to the Internet – it’s a proxy of sorts for accessing revoked cert info. The main reason for OCSP is so you don’t have to hard-code specific URLs for the CDPs into the certificates.

No, domain join is not enough for an Internet client. How is a client on the Internet going to access your AD? If it could do that, you’ve either got bigger security issues and/or no reason to use IBCM/CMG in the first place.

You can always simply disable client CRL checking in ConfigMgr. This is actually what most folks do. From a strict security standpoint, this isn’t a recommended thing to do, but in this case the certificates being used are a means to an end and aren’t being used to revoke access to the ConfigMgr infrastructure (which is truly the only thing you lose by disabling CRL checking).

J

From: [email protected] [mailto:[email protected]] On Behalf Of James Massardo
Sent: Friday, January 13, 2017 7:48 AM
To: [email protected]
Subject: [mssms] RE: PKI Question for Cloud Management Gateway and Azure Distribution Point

OCSP would be a better option than exposing the CRL to the outside.

https://technet.microsoft.com/en-us/library/cc770413(v=ws.10).aspx

Thanks,
James Massardo

From: [email protected] [mailto:[email protected]] On Behalf Of Kevin Kaminski
Sent: Thursday, January 12, 2017 1:51 PM
To: [email protected]
Subject: [mssms] PKI Question for Cloud Management Gateway and Azure Distribution Point

I have a customer that is reluctant to change their PKI infrastructure to have an Internet-exposed CRL. If I want to use their enterprise CA, wouldn’t this be a requirement, or would joining them to the domain be good enough so they can get their CRL through that mechanism?
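The top reply in the thread makes the practical point: the CDP and OCSP URLs are baked into the certificate, and an Internet client can only honour CRL checking if at least one of those URLs is reachable without AD or the corporate network. Before deciding between publishing a CRL externally and turning off "Clients check the certificate revocation list (CRL) for site systems" in the ConfigMgr site properties, it is worth checking what the client certificate actually carries. The PowerShell below is an added example written for this edit, not code from any poster on the thread; it assumes the ConfigMgr client authentication certificate sits in the local machine personal store and is selected by thumbprint (both are assumptions), and it is meant to be run from a machine outside the corporate network so the reachability result reflects what an Internet client sees.

```powershell
# Added example: list the CRL Distribution Point (CDP) and Authority Information
# Access (AIA, i.e. OCSP) URLs embedded in a certificate and test whether each one
# is reachable from this host. Store path and thumbprint are assumptions; point it
# at the client authentication certificate your ConfigMgr clients present.
param(
    [Parameter(Mandatory)]
    [string]$Thumbprint,                               # assumed: thumbprint of the client auth cert
    [string]$StoreLocation = 'Cert:\LocalMachine\My'   # assumed: machine personal store
)

$cert = Get-ChildItem -Path $StoreLocation | Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) { throw "Certificate $Thumbprint not found in $StoreLocation" }

# Extension OIDs: 2.5.29.31 = CRL Distribution Points, 1.3.6.1.5.5.7.1.1 = Authority Information Access
$oids = @{ '2.5.29.31' = 'CDP'; '1.3.6.1.5.5.7.1.1' = 'AIA' }

# Format($true) renders the extension as multi-line text; pull the URLs out of it.
$urls = foreach ($ext in $cert.Extensions) {
    if ($oids.ContainsKey($ext.Oid.Value)) {
        [regex]::Matches($ext.Format($true), '(?i)(https?|ldap)://\S+') | ForEach-Object {
            [pscustomobject]@{ Kind = $oids[$ext.Oid.Value]; Url = $_.Value }
        }
    }
}

foreach ($u in $urls) {
    if ($u.Url -like 'ldap://*') {
        # An LDAP CDP points into Active Directory; a client on the Internet has no
        # path to that, which is the case the thread is discussing.
        [pscustomobject]@{ Kind = $u.Kind; Url = $u.Url; Result = 'LDAP: requires AD, unreachable from Internet' }
        continue
    }
    try {
        # HEAD is enough to prove the endpoint answers; an OCSP responder may reply
        # 405 to HEAD, which still shows the host is reachable.
        $resp = Invoke-WebRequest -Uri $u.Url -Method Head -UseBasicParsing -TimeoutSec 10
        [pscustomobject]@{ Kind = $u.Kind; Url = $u.Url; Result = "HTTP $($resp.StatusCode)" }
    } catch {
        [pscustomobject]@{ Kind = $u.Kind; Url = $u.Url; Result = "FAILED: $($_.Exception.Message)" }
    }
}
```

If the only CDP entries are `ldap:///` URLs, or the HTTP CDP resolves to an internal hostname, Internet clients will fail revocation checking regardless of domain membership, which is exactly the situation the thread describes. The built-in `certutil -verify -urlfetch <file.cer>` performs a similar walk of CDP and AIA URLs against an exported certificate and can be used as a cross-check.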

