autoenrollment behavior for cert revocation on 2008

Posted by:  Ondrej Sevecek (ondrej.sevecek@community.nospam)
Date: Wed, 27 May 2009


I have observed one weird change between autoenrollment in XP and 2008
regarding revoked certificates.

I have the policy to Update pending/Remove Revoked etc. certificates for
both XP and 2008 machines.

The XP behavior on a certificate based on a template is:
onXP: manually enroll certA (templateA)
onCA: revoke certA
onXP: delete URLCACHE
onXP: pulse autoenrollment
onXP: certA is automatically archived
onXP: automatic enrollment for new certB (templateA, the same as the
archived cert) is performed

While on 2008 the pulse has virtually no effect on the certificate in the local
store. It seems like it just ignores the published revocation information,
because it does not even download the CRLs (even when the URLCACHE is deleted, it
remains empty after the pulsing).

Is that an expected behavior on 2008? Shouldn't it work the same way as in

Thank you very much.