The certificate revocation list (CRL) is an optional component of a public key infrastructure (PKI) deployment. It is a file that is created and signed by a certification authority and contains a list of certificates that it has issued but revoked. Certificates can be revoked by a certification authority administrator, for example, if an issued certificate is known or suspected to be compromised.
When a CRL is used with a PKI deployment, applications can check the revocation status of the certificates they are using and of the certificates that chain to the trusted root certification. This check is made by ensuring all certificates in the chain are not listed on the CRL. If any of these certificates are listed on the CRL, the certificate used by the application is considered invalid, even though it comes from a trusted source and is within its validity period.
If certificate revocation checking is enabled for Configuration Manager 2007 native mode clients, they will check the CRL whenever they communicate with one of the following site systems configured for native mode:
- Management points
- Distribution points that are not using a site
system share, or configured as branch distribution points
- Software update points
- State migration points
 Important |
|---|
| Client functions that run as a result of task sequence actions always check the CRL when the client is running versions prior to Configuration Manager 2007 SP2. |
If clients are using certificate revocation checking but they fail to locate the CRL, they behave as if all certificates in the certification chain are revoked because their absence from the list cannot be verified. In this scenario, all connections that require certificates and use a CRL will fail, and the Configuration Manager 2007 client will send an error message to its fallback status point.
Checking the CRL each time a certificate is used offers more security against using a certificate that has been revoked, but it introduces a connection delay and additional processing on the client. You are more likely to require this additional security check for Internet-based client management than for native mode sites that are contained within the intranet.
The default setting for CRL checking in a Configuration Manager site depends on whether the site was installed in native mode or was installed in mixed mode and then migrated to native mode. CRL checking for clients is enabled by default when the Configuration Manager site is installed in native mode and is disabled by default when the Configuration Manager site is installed in mixed mode and then migrated to native mode.
Consult your PKI administrators before deciding whether to enable certificate revocation checking on clients, and then consider enabling this option in Configuration Manager 2007 if both of the following conditions apply:
- Your PKI infrastructure supports a CRL, and
it is published where all Configuration Manager 2007 clients can
locate it (including clients on the Internet if you are using
Internet-based client management).
- The requirement to check the CRL for each
connection to a site system configured with a certificate is
greater than the requirement for faster connections and efficient
processing on the client, and is also greater than the risk of
clients failing to connect to servers if they cannot locate the
CRL.
 Note |
|---|
| For more information about certificate revocation, see the section on managing certificate revocation in the Windows Server 2003 product help (http://go.microsoft.com/fwlink/?LinkId=78786). |
Certificate revocation checking is enabled by default in IIS, so if you are using a CRL with your PKI deployment, there is nothing additional to configure on the Configuration Manager site systems.
Native mode mobile device clients do not use certificate revocation lists, although their certificates can be revoked and checked by native mode site systems.