CRL Check for non-domain bound clients

This post shows how to configure your Certificate Authority for non-domain-joined clients. Clients check whether the certificate they are offered has been revoked; if they cannot perform that check, they will warn that the certificate might be insecure.

A little background

With every new environment we build for customers comes a new deployment of the endpoints. About 98% of the environments we see on arrival are fat-client based: every user has a domain-joined computer on the desk and works from there.
The new workspace is usually a centrally hosted, virtualized workspace, nothing new there 🙂
The next question in a project is always what to do with the endpoints: leave them domain-joined or put them in a workgroup (looking at Windows only for the moment).
If you leave them domain-joined you're done and don't need to read this post; your CRL check works. By default the LDAP location is enabled on the Certificate Authority, and a domain-joined client can query it, so there is nothing to worry about.
If, however, you don't want them domain-joined, you should take a quick look at your CA.

The issue

Issue is a big word; it's more something to keep in mind when setting up an environment with non-domain-joined clients. The new environment is built securely, so every client-to-workspace connection runs over HTTPS, and that is exactly where the problem sits. The revocation check inside a domain is simple: domain members can authenticate to Active Directory, so the client retrieves the CRL with an LDAP query and verifies the validity of the certificate.
Non-domain-joined clients cannot use the default LDAP CRL location to check whether the certificate you are offering has been revoked: an ldap:/// URL means "ask your own domain controller", and a workgroup machine has neither one nor credentials to bind with.
If you browse to your web site, e.g. https://desktop.domain.local, and inspect the certificate, you will notice that under CRL Distribution Points only an LDAP URL is listed.
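To see the problem from the client side, here is an added example (not code from the original post) that runs on a workgroup machine: it pulls the certificate the web server presents, reads the CRL Distribution Points extension, and tries every URL in it. The hostname comes from the text above; the port and the script's parameter names are assumptions.

```powershell
# Added example, not part of the original post. Run from a workgroup client.
# Assumptions: the server name below and port 443; change them to your own.
param(
    [string]$Server = 'desktop.domain.local',
    [int]$Port      = 443
)

# Fetch the leaf certificate from a TLS handshake. The validation callback
# returns $true because we only want to read the certificate, not trust it.
$client   = New-Object System.Net.Sockets.TcpClient($Server, $Port)
$callback = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
$ssl      = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
$ssl.AuthenticateAsClient($Server)
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
$ssl.Dispose()
$client.Dispose()

# OID 2.5.29.31 is the CRL Distribution Points extension. .NET has no typed
# parser for it, so take the "URL=" lines out of the formatted text.
$cdpExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
if (-not $cdpExt) {
    Write-Warning "No CRL Distribution Points extension in $($cert.Subject)"
    return
}
$urls = foreach ($line in ($cdpExt.Format($true) -split "`r?`n")) {
    if ($line -match 'URL=(.+)$') { $Matches[1].Trim() }
}

foreach ($u in $urls) {
    if ($u -like 'ldap:*') {
        # ldap:/// points at "my domain controller"; a workgroup client has
        # none and cannot authenticate, so this location is useless to it.
        Write-Host "LDAP CDP : $u  (not reachable from a non-domain client)"
        continue
    }
    try {
        $r = Invoke-WebRequest -Uri $u -UseBasicParsing -TimeoutSec 10
        Write-Host "HTTP CDP : $u  -> HTTP $($r.StatusCode), $($r.RawContentLength) bytes"
    } catch {
        Write-Host "HTTP CDP : $u  -> FAILED: $($_.Exception.Message)"
    }
}

if (-not (@($urls) | Where-Object { $_ -like 'http*' })) {
    Write-Warning 'Only LDAP distribution points: non-domain clients cannot check revocation.'
}
```

If the output shows nothing but an LDAP entry, the CA needs the HTTP location enabled and the server certificate re-issued; if an HTTP entry is present but the fetch fails, the problem is DNS, a firewall on port 80, or a web server that does not serve the .crl file, not the CA configuration.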

Set up HTTP extensions

If you open the properties of your Certificate Authority, under the Extensions tab you see that only the LDAP location is fully configured. Select the http location and you see that "Include in CRLs. Clients use this to find Delta CRL locations" and "Include in the CDP extension of issued certificates" are not checked.

So tick both boxes and click Apply; you will be prompted to restart Active Directory Certificate Services. Restart the service and then request new certificates for the web servers: the CDP URLs are written into a certificate when it is issued, so certificates issued before the change still carry only the LDAP location.
In this project we used Citrix StoreFront servers, so I replaced the certificates on both servers through the IIS server certificate process.

After changing the setting and re-issuing the certificate you will see the difference. When you inspect the same certificate again, an HTTP URL is now listed next to the LDAP one, which makes it possible for non-domain-joined machines to do a revocation check. Do confirm that the URL actually works from a workgroup client: the hostname must resolve, port 80 must be reachable, and the web server must serve the CRL file from the CertEnroll directory.
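The same change done from PowerShell, as an added example that is not part of the original post. It uses the ADCSAdministration module that ships with the AD CS role and must run elevated on the CA. The hostname pki.domain.local is an assumption: a DNS name that workgroup clients can resolve and that serves the CA's CertEnroll directory over plain HTTP; the CA's default http entry uses the CA server's own name (%1) instead.

```powershell
# Added example, not from the original post. Run elevated on the issuing CA.
# Assumption: pki.domain.local resolves for workgroup clients and serves
# the CA's CertEnroll folder over HTTP on port 80.
Import-Module ADCSAdministration

$httpHost = 'pki.domain.local'

# CRL Distribution Points. %3 = CA name, %8 = CRL name suffix, %9 = delta suffix.
# The two switches are the two checkboxes from the Extensions tab:
#   -AddToCertificateCdp : "Include in the CDP extension of issued certificates"
#   -AddToFreshestCrl    : "Include in CRLs. Clients use this to find Delta CRL locations"
# Remove any existing http entry first so the URI is not listed twice.
Get-CACrlDistributionPoint |
    Where-Object { $_.Uri -like 'http://*' } |
    ForEach-Object { Remove-CACrlDistributionPoint -Uri $_.Uri -Force }

Add-CACrlDistributionPoint -Uri "http://$httpHost/CertEnroll/%3%8%9.crl" `
    -AddToCertificateCdp -AddToFreshestCrl -Force

# Authority Information Access: a workgroup client that does not have the
# issuing CA certificate needs an HTTP AIA to build the chain at all.
Get-CAAuthorityInformationAccess |
    Where-Object { $_.Uri -like 'http://*' } |
    ForEach-Object { Remove-CAAuthorityInformationAccess -Uri $_.Uri -Force }

Add-CAAuthorityInformationAccess -Uri "http://$httpHost/CertEnroll/%1_%3%4.crt" `
    -AddToCertificateAia -Force

# The GUI prompts for this restart when you click Apply; do it explicitly here.
Restart-Service CertSvc

# Publish a fresh CRL so the HTTP location has a current file to serve.
certutil -CRL

# Sanity check: the http URIs should now appear with their flags set.
Get-CACrlDistributionPoint      | Format-Table Uri, AddToCertificateCdp, AddToFreshestCrl
Get-CAAuthorityInformationAccess | Format-Table Uri, AddToCertificateAia

# Only certificates issued from now on contain the new URL. Re-request the
# web server certificate, export it, and verify it from a workgroup client:
#   certutil -verify -urlfetch .\storefront.cer
```

certutil does the same thing without the module: certutil -setreg CA\CRLPublicationURLs takes each location prefixed with a numeric flag, where 2 is "include in the CDP extension of issued certificates" and 4 is "include in CRLs", so the http entry gets 6. Keep the CDP URL plain http: Windows does not fetch CRLs over https, since validating that TLS session would itself require a revocation check.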

It's a small step to take but helpful in some environments. Hope it helps.
