Retrieving a certificate revocation list and verifying certificates

At specific times (when the UNIX system joins a domain, the administrator issues the adgpupdate command, or the group policy refresh interval occurs), the Centrify Agent performs certain tasks, including determining whether to retrieve a CRL (Certificate Revocation List). Specifically, the agent does the following:

  • Identifies the CA that issued certificates for the system.
  • Looks at the refresh interval in the current CRL to determine whether to retrieve a new CRL.
  • If the interval has expired, retrieves a new CRL by using the IIS Web Server for the CA.
  • Verifies the currently issued certificates against the CRL and requests new certificates for certificates that have been revoked.

Note: When you manually revoke a certificate, it is possible that the certificate will still appear as valid even after you run the adgpupdate command to trigger an IPsec update. When you revoke a certificate, the Centrify Agent first looks at the current CRL to determine the validity of the certificates that have been issued. At that point the newly revoked certificate still appears as valid. Immediately afterwards, because of the IPsec update, the agent requests a new CRL. The new CRL shows that the certificate in question is invalid, but the agent will not look at the new CRL until the next scheduled update, or until you run the adgpupdate command again. Therefore, to be certain that the agent is working from current information after you manually revoke certificates, issue the adgpupdate command twice in sequence.
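The following is an added simulation, not Centrify code, of the ordering described above: on each update cycle the agent verifies issued certificates against the CRL it already holds, and only then fetches a fresh CRL from the CA when the refresh interval has expired. The `Crl`, `IssuingCa` and `Agent` classes, the serial numbers and the timestamps are constructed for the illustration and are not Centrify identifiers.

```python
"""Constructed model of the agent's CRL verify-then-refresh cycle."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass
class Crl:
    next_update: datetime       # end of the refresh interval carried in the CRL
    revoked: frozenset          # serial numbers the CRL lists as revoked


@dataclass
class IssuingCa:
    """Stand-in for the CA's IIS web server: serves its latest published CRL."""
    published: Crl

    def fetch_crl(self) -> Crl:
        return self.published


@dataclass
class Agent:
    ca: IssuingCa
    current_crl: Crl                  # the CRL currently on disk
    issued_serials: set
    requested: list = field(default_factory=list)  # serials re-requested after revocation

    def update(self, now: datetime) -> set:
        """One adgpupdate / policy-refresh cycle in the order the text describes."""
        # Step 1: verify against the CRL already on disk (possibly stale).
        revoked_now = self.issued_serials & self.current_crl.revoked
        for serial in revoked_now:
            self.issued_serials.discard(serial)
            self.requested.append(serial)
        # Step 2: only afterwards, if the interval has expired, download a new CRL.
        if now >= self.current_crl.next_update:
            self.current_crl = self.ca.fetch_crl()
        return revoked_now


def revoke_then_update_twice():
    """Revoke one cert, then run two update cycles; returns what each cycle caught."""
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)
    stale = Crl(next_update=now - timedelta(hours=1), revoked=frozenset())
    ca = IssuingCa(published=stale)
    agent = Agent(ca=ca, current_crl=stale, issued_serials={0x1001, 0x1002})
    # Administrator revokes 0x1002; the CA publishes a CRL that lists it.
    ca.published = Crl(next_update=now + timedelta(days=7), revoked=frozenset({0x1002}))
    first = agent.update(now)    # checks the stale CRL, then downloads the new one
    second = agent.update(now)   # now verifies against the new CRL and catches it
    return first, second, list(agent.requested)
```

The first cycle reports nothing revoked even though the CA has already published the new CRL; the second cycle, working from the freshly downloaded CRL, flags serial 0x1002 and requests a replacement, which is why the note advises running adgpupdate twice.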