A CRL is basically just a list of serial numbers in a simple text file and is 
in no way a problem to expose to the Internet. This can be on *any* Internet 
accessible web server.

OCSP is still something exposed to the Internet – it’s a proxy of sorts for 
accessing revoked cert info. The main reason for OCSP is so you don’t have to 
hard-code specific URLs for the CDPs into the certificates.

No, domain join is not enough for an Internet client. How is a client on the 
Internet going to access your AD? If it could do that, you’ve either got bigger 
security issues and/or no reason to use IBCM/CMG in the first place.

You can always simply disable client CRL checking in ConfigMgr. This is 
actually what most folks do. From a strict security standpoint, this isn’t a 
recommended thing to do, but in this case, the certificates being used are a 
means to an end and aren’t being used to revoke access to the ConfigMgr 
infrastructure (which is truly the only thing you lose by disabling CRL 
checking).

J
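
An added example, not code from anyone in this thread: a PowerShell check that reads the CRL Distribution Point and Authority Information Access extensions of a client certificate and flags each URL an Internet-only (IBCM/CMG) client could not reach, so you can see before deploying whether the CDP is an LDAP path that needs AD or an HTTP location that can be published on any Internet-facing web server. It assumes Windows PowerShell 5.1 or later; the `$InternalSuffixes` values are placeholders for the customer's internal DNS zones.

```powershell
# Added example (not from the thread): list the CDP and AIA (OCSP / CA Issuers)
# URLs in a certificate and flag those an Internet-only client cannot reach.
param(
    # Path to a .cer/.crt file, or a thumbprint found in Cert:\LocalMachine\My
    [Parameter(Mandatory)] [string] $CertPathOrThumbprint,
    # DNS suffixes that resolve only on the internal network
    # (placeholder values; replace with the customer's own internal zones)
    [string[]] $InternalSuffixes = @('.corp.example.local', '.ad.example.local')
)

if (Test-Path -Path $CertPathOrThumbprint) {
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPathOrThumbprint
} else {
    $cert = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $CertPathOrThumbprint } |
        Select-Object -First 1
    if (-not $cert) { throw "Certificate not found: $CertPathOrThumbprint" }
}

# OIDs: 2.5.29.31 = CRL Distribution Points, 1.3.6.1.5.5.7.1.1 = Authority Info Access
$extensions = $cert.Extensions | Where-Object { $_.Oid.Value -in '2.5.29.31', '1.3.6.1.5.5.7.1.1' }

foreach ($ext in $extensions) {
    $kind = if ($ext.Oid.Value -eq '2.5.29.31') { 'CDP' } else { 'AIA' }
    # Format($true) renders the extension as multi-line text; pull every URL out of it
    $urls = [regex]::Matches($ext.Format($true), '(ldap|https?|file)://[^\s,]+') |
        ForEach-Object { $_.Value }
    foreach ($url in $urls) {
        $uri = [uri]$url
        $verdict = switch ($uri.Scheme) {
            'ldap' { 'NOT reachable from the Internet (requires AD/LDAP access)' }
            'file' { 'NOT reachable from the Internet (UNC/file path)' }
            default {
                $internal = $InternalSuffixes | Where-Object { $uri.Host -like "*$_" }
                if ($uri.Host -notlike '*.*' -or $internal) {
                    'Internal hostname; Internet clients will fail the CRL/OCSP check'
                } else {
                    'HTTP(S); can be served from any Internet-facing web server'
                }
            }
        }
        [pscustomobject]@{ Type = $kind; Url = $url; Verdict = $verdict }
    }
}
```

Any URL reported as not reachable is one the CMG/IBCM clients will silently fail on unless the CDP is republished over HTTP or client CRL checking is disabled as described above.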

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of James Massardo
Sent: Friday, January 13, 2017 7:48 AM
To: mssms@lists.myitforum.com
Subject: [mssms] RE: PKI Question for Cloud Management Gateway and Azure 
Distribution Point

OCSP would be a better option than exposing the CRL to the outside.

https://technet.microsoft.com/en-us/library/cc770413(v=ws.10).aspx

Thanks,
James Massardo

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Kevin Kaminski
Sent: Thursday, January 12, 2017 1:51 PM
To: mssms@lists.myitforum.com
Subject: [mssms] PKI Question for Cloud Management Gateway and Azure 
Distribution Point

I have a customer that is reluctant to change their PKI infrastructure to have 
an Internet exposed CRL. If I want to use their enterprise CA wouldn’t this be 
a requirement or would joining them to the domain be good enough so they can 
get their CRL through that mechanism?
