cancel
Showing results for 
Search instead for 
Did you mean: 

Host checker running slow due to certificate revocation

Highlighted
New Contributor

Host checker running slow due to certificate revocation

We have an issue where host checker is taking a long time to run and it is because our machines do not have internet access and cannot check the CRL lists. We have disabled the checking in internet explorer of which we are using a mix of IE7 and IE8, but still it continues to try and check the CRL lists. Is it possile that host checker or any other juniper apps are trying to go out and check for CRLs?

 

I have tried to use process explorer to find which process is trying to talk to them, but the source ports never seem to show up.

 

Thanks,

Mark

7 REPLIES 7
Highlighted
Valued Contributor

Re: Host checker running slow due to certificate revocation

Host Checker will only do certificate checking if you specifically enable it as part of the client certificate definition.

Highlighted
New Contributor

Re: Host checker running slow due to certificate revocation

What do you mean by client certificate definition, is this an option within the certificate or on the SA its self?

Highlighted
Valued Contributor

Re: Host checker running slow due to certificate revocation

What I meant was that with Host Check you specify the cert to check for. That cert is defined under:

 

System / Configuration / Certificates / Trusted Client CAs

 

The only terms certs will be checked for "status" - IE revoked or not, is if within the cert definition you have specifed to use OSCP / CRL for cert checking.

 

Hope clarifies my explaination.

Highlighted
New Contributor

Re: Host checker running slow due to certificate revocation

ah ok, that makes sense. We do not have any of this selected and it is definately turned off in IE. I have checked the registry and its definately off, but there is still something that is checking and they can be stuck doing the host check for about 8 minutes while it keeps on trying to check CRLs.

Highlighted
Respected Contributor

Re: Host checker running slow due to certificate revocation

Which ESAP are you using? Are you still seeing this?
I am aware of this happening in one other instance & it was specific to 2(?) ESAP versions
Highlighted
New Contributor

Re: Host checker running slow due to certificate revocation

It happens on all ESAP's. We update the ESAP every month. We use Netscreen and SSG firewalls and we cannot specify wildcard domain names, so we are having to use a proxy server to allow the traffic out.

Highlighted
Respected Contributor

Re: Host checker running slow due to certificate revocation

that is odd; there is only two or three versions that we know in which this happens. what versions are you seeing this happen?