SSL Certificate Revocation lists when using Internal CA
Recently, we were making some changes to eliminate some of the pop ups when using Remote Desktop Web Access. Certificates on an RDP deployment have to be on point, the article over at http://www.rdsgurus.com/ssl-certificates/windows-2012-r2-how-to-create-a-mostly-seamless-logon-experience-for-your-remote-desktop-services-environment/ is an awesome resource on the topic.
Well when using an Internal CA (certificate authority) for certificate signing, one thing that can be easily overlooked is the CRL Distribution Point (CDP). The Certificate Revocation List is essentially a text file of certificates that the issuing CA has revoked. Certificate revocation allows for the quick repeal of an otherwise valid certificate. If you take a look at the extensions in any SSL certificate, you’ll see an entry for the CDP (the method in how this list is distributed).
When using an Internal CA, by default it will use an ldap path for the CDP. And it will work just fine for domain joined computers. However, non domain joined computer can’t navigate to the ldap path (lack of computer credentials) and the checking for the revocation list prompts an error. If using RDP, you’ll get the familiar yellow error pop up stating as such. Accepting the error will allow the connection to be made.
The fix is to configure the CDP to point to an http:// site (its supposed to use Http, not https). Using an https:// site will create a “chicken and egg” issue, how can you check the revocation status of a site that it itself might be on that list hosted by that very site. In other words, just use http, its supposed to be reachable.
http://www.esebenza.com/certificate-services/microsoft-pki-certificate-revocation-distribution-point-a-working-example/ is another great resource that walks you through these steps. Configure the http CDP and then you’ll have to reissue the certificate in question. Reapply to whatever resources and now non domain joined won’t get prompted for that revocation error!