All,

Does anyone have a view on best practice for CRL usage on Azure?

Background: Azure-hosted service that uses client certificates for authentication. We have a CA (that we own, manage and trust) and issue a chained certificate to a client for signing their WCF/WS requests to us.

Our CA will not be available at the network level (it is deep within our trusted space on one of our domain networks), so I am guessing 'online' CRL checking is not an option.

I have checked that 'NoCheck', with the cert deployed in the untrusted-certs store, works fine because - if I understand it correctly - this means that the CRL stuff is ignored ...?

Regards,

Aidanapword


1 Answer

If you own the whole cert. chain, then you can just not include CRL location into CA certificate. So no CRL checks will be performed.

Eugene Mayevski 'Callback
  • Thanks for this. I can set the WCF channel to 'NoCheck' on the CRL handling and, indeed, no CRL checks are performed. That works fine, but I *do* want to use CRL. The thing is, Azure is running outside of my network space so online CRL checks are not going to be an option (I think), and I must make sure that whatever form of revocation record I place must be maintained by Azure (remembering that Azure can replace the machine (incl. cert store(s)) beneath my WebRole at will). – Aidanapword Jan 24 '11 at 16:17
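Following the thread above, this is an added example (not code from the poster or the answerer) of a custom WCF X509CertificateValidator that keeps CRL checking on in Offline mode instead of NoCheck, so a client certificate is refused when it is revoked or when no CRL is available locally. It assumes the issued certificates carry a CRL distribution point, that the CA certificate at the top of our own chain is deployed with the role, and that the CRL file is imported into the role's local store at start-up; the class name OfflineCrlValidator is the example's own.

```csharp
using System;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Cryptography.X509Certificates;

// Validator for WCF client certificates that keeps revocation checking enabled.
// Offline mode uses only the CRL already cached on the role, so the CA never has
// to be reachable; a cert whose status cannot be determined is rejected.
public sealed class OfflineCrlValidator : X509CertificateValidator
{
    // Our own CA certificate, deployed with the role (assumption of this example).
    private readonly X509Certificate2 _trustAnchor;

    public OfflineCrlValidator(X509Certificate2 trustAnchor)
    {
        if (trustAnchor == null) throw new ArgumentNullException("trustAnchor");
        _trustAnchor = trustAnchor;
    }

    public override void Validate(X509Certificate2 certificate)
    {
        if (certificate == null) throw new ArgumentNullException("certificate");

        var chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = X509RevocationMode.Offline;    // cached CRL only, no CDP download
        chain.ChainPolicy.RevocationFlag = X509RevocationFlag.EntireChain;
        // The CA may be missing from the machine store after Azure rebuilds the VM,
        // so tolerate an unknown root during chain building and pin it explicitly below.
        chain.ChainPolicy.VerificationFlags = X509VerificationFlags.AllowUnknownCertificateAuthority;
        chain.ChainPolicy.ExtraStore.Add(_trustAnchor);

        bool built = chain.Build(certificate);

        foreach (X509ChainStatus status in chain.ChainStatus)
        {
            // Revoked, or revocation status unknown because no (or an expired) CRL is cached: refuse.
            if ((status.Status & (X509ChainStatusFlags.Revoked
                                | X509ChainStatusFlags.RevocationStatusUnknown
                                | X509ChainStatusFlags.OfflineRevocation)) != 0)
                throw new SecurityTokenValidationException("Revocation check failed: " + status.StatusInformation);
        }
        if (!built)
            throw new SecurityTokenValidationException("Client certificate chain is invalid.");

        // Pin the chain to our CA so a cert issued under any other root the machine trusts is refused.
        X509Certificate2 root = chain.ChainElements[chain.ChainElements.Count - 1].Certificate;
        if (!string.Equals(root.Thumbprint, _trustAnchor.Thumbprint, StringComparison.OrdinalIgnoreCase))
            throw new SecurityTokenValidationException("Client certificate does not chain to our CA.");
    }
}
```

Wire it in on the service host with Credentials.ClientCertificate.Authentication.CertificateValidationMode = X509CertificateValidationMode.Custom and CustomCertificateValidator = new OfflineCrlValidator(ourCaCert). The CRL itself can be placed in the role's local cache from a start-up task with certutil -addstore CA <crl file>, which Offline mode then uses without contacting the CA.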