A buddy of mine (Daniel Mauser) from PFE (Premier Field Engineer) read my previous post about SSTP and sent me a note with his thoughts on the PKI side of the house (since it is his specialty). His notes on the troubleshooting and planning phases from my previous post are:
· For troubleshooting purposes you can disable the CRL check on the client side (not recommended in production; as he said, only for troubleshooting). To do that, follow http://technet.microsoft.com/en-us/library/dd458982.aspx
· The certificate that I created had both an LDAP URL and an HTTP URL for the CRL. Since the client workstation tries those links in that order (top down), the LDAP path is checked first; because the client cannot reach the LDAP path, it then falls back to the HTTP path. This can cause performance issues on the client side. Make sure to change the search order on the CA before issuing the certificate, so that the CA issues certificates with the HTTP URL listed first.
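As an added example (mine, not Daniel's or the original post's), this is how the CDP order on a Windows CA can be changed so that HTTP is listed before LDAP in newly issued certificates, and how to confirm the result from the client's point of view. It assumes an Enterprise CA, an elevated PowerShell prompt on that CA, and a placeholder web server name pki.example.com that hosts the published CRL.

```powershell
# Added example, not from the original post. Reorders the CA's CRL Distribution
# Point (CDP) list so the HTTP URL precedes the LDAP URL in every certificate
# issued from now on. Certificates issued earlier keep their old CDP order, so
# the SSTP server certificate must be re-issued after this change.
#
# Prefix flags on each entry (decimal):
#   1  = publish the CRL to this location (local file path on the CA)
#   2  = include this URL in the CDP extension of issued certificates
#   10 = 2 + 8: include in issued certificates AND in the CRL's IDP extension
# The order of the entries carrying flag 2 is the order the client will try.
# %3 = CA name, %8 = CRL name suffix, %9 = delta CRL suffix, %2 = server short
# name, %6 = configuration container DN, %7 = sanitized CA name, %10 = CDP class.
# (In a .cmd batch file every % must be doubled; in PowerShell it is passed as-is.)
certutil -setreg CA\CRLPublicationURLs "1:%WINDIR%\system32\CertSrv\CertEnroll\%3%8%9.crl\n2:http://pki.example.com/pki/%3%8%9.crl\n10:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10"

# The registry change is read when the service starts; then publish a fresh CRL
# to the configured locations (pki.example.com is a placeholder hostname).
Restart-Service certsvc
certutil -crl

# --- Checks (run on any machine that can reach the CDP URLs) -----------------
# 1. Confirm the CDP order in a newly issued certificate: HTTP should print first.
certutil -dump .\sstp-server.cer | Select-String -Context 0,6 "CRL Distribution Points"

# 2. Simulate the client's revocation check. -urlfetch walks each CDP URL in
#    order and reports whether the CRL was retrieved; an LDAP entry listed first
#    shows up here as a slow or failed fetch before the HTTP one succeeds.
certutil -verify -urlfetch .\sstp-server.cer
```

The `-urlfetch` output is the quickest way to see exactly which URL a client will stall on, which is far safer than disabling the CRL check on the client for anything longer than a troubleshooting session.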
Thanks Daniel for those tips.