About the Install Readiness Check for Certificate Revocation List access

Article ID: 181788

Products

IT Management Suite

Issue/Introduction

What is the Install Readiness Check for Certificate Revocation List access?

Environment

ITMS 7.x, 8.x

Resolution

What the Install Readiness Check for Certificate Revocation List access does

The Install Readiness Check is a set of checks that are run from the Symantec Installation Manager (SIM) as part of the Symantec Management Platform installation and upgrade process. One of these is a check for Microsoft Certificate Revocation List (CRL) access. The CRL access check determines whether the target computer has the required internet access and, if necessary, recommends that you disable CRL lookups for all .NET applications on the computer. You can do this automatically by accepting the "Fix" prompt displayed in SIM, or manually by editing the appropriate configuration file on the computer.

Why the CRL access check is needed

If the Symantec Management Platform computer does not have internet access, the .NET runtime cannot reach the Microsoft Certificate Revocation List servers to verify the Authenticode signature on an assembly.

Although none of the applications that comprise the Symantec Management Platform make use of Authenticode assembly signing evidence, the standard Microsoft assemblies that are included with the .NET framework are all Authenticode signed. When the computer has no internet connection, .NET will try for up to 15 seconds to access the CRL before timing out as a failure.

This delay can lead to Windows services failing during startup, as some services take a long time to start and may time out. It can also cause Symantec Management Console pages to take a very long time to load.

To resolve this problem, we recommend that you disable CRL lookups if the Symantec Management Platform computer is offline, or is likely to be offline for an extended period of time.

How the CRL access check works

The CRL access check first determines whether the Symantec Management Platform computer is connected to the internet, and then tries to access the Microsoft Certificate Revocation List server at the following URL: crl.microsoft.com. If the CRL server is accessible from the computer, the CRL access check passes and no further action is required.

If the CRL server cannot be accessed (either because the computer has no internet connection, or because the CRL server address could not be resolved), the CRL access check then examines the machine.config file on the computer.

The check searches for the following XML element in the machine.config file:

<configuration>
    <runtime>
        <generatePublisherEvidence enabled="false"/>
    </runtime>
</configuration>

The machine.config file is located at %runtime install path%\Config\machine.config, where the runtime install path is usually C:\Windows\Microsoft.NET\Framework\v2.0.50727\.

If this XML element is present in the machine.config file, the CRL access check passes (as fixed) and no further action is required.

If this XML element is not present, the CRL access check fails, and a warning is displayed in the SIM interface. You have the option to fix the computer before continuing with the installation or upgrade of the Symantec Management Platform.

You can do this automatically by clicking the "Fix" link in the SIM interface. This writes the <generatePublisherEvidence enabled="false"/> XML element into the appropriate location in the machine.config file.

Reversing the fix applied by the CRL access check

If the computer was offline when the CRL access check was performed, but is later given internet access, you may need to undo this fix manually. The Symantec Management Platform does not detect when access to the CRL server is restored, so will not make any changes automatically. You only need to reverse the change to the machine.config file if applications or .NET security policies that require publisher evidence are installed on the computer. This is not common.

To undo this fix manually, you need to open the machine.config file in a text editor and delete the following XML element: "<generatePublisherEvidence enabled="false"/>". Ensure that you delete only this line. Do not delete any other XML elements (such as the surrounding <configuration> and <runtime> elements), as they could be required for other customized options specified in the file.
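The check, fix and revert sequence described in the two sections above, as an added Python model that is not part of this article or of the Symantec Installation Manager. It operates on a constructed machine.config fragment held in memory rather than on the real file, reports the three outcomes the article names (pass, pass as fixed, fail), and removes only the generatePublisherEvidence element on revert while leaving the surrounding configuration and runtime elements in place. The reachability probe, the function names and the http:// scheme used for crl.microsoft.com are assumptions.

```python
"""Model of the SIM CRL access check's handling of machine.config (added example)."""
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

# Host named in the article; the scheme and the plain HTTP probe are assumptions.
CRL_URL = "http://crl.microsoft.com"
ELEMENT = "generatePublisherEvidence"

# Constructed machine.config fragment: a runtime section with an unrelated
# setting and no generatePublisherEvidence element.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
    <runtime>
        <gcServer enabled="true"/>
    </runtime>
    <system.web/>
</configuration>"""


def crl_reachable(url: str = CRL_URL, timeout: float = 5.0) -> bool:
    """Step 1 of the check: can the CRL host be reached at all within timeout?
    Any HTTP status counts as reachable; DNS failure or no route counts as not."""
    try:
        with urllib.request.urlopen(url, timeout=timeout):
            return True
    except urllib.error.HTTPError:
        return True  # the server answered, so the host is reachable
    except (urllib.error.URLError, OSError, ValueError):
        return False


def publisher_evidence_disabled(config_xml: str) -> bool:
    """Step 2: does <configuration><runtime> already carry the fix element?"""
    root = ET.fromstring(config_xml)
    if root.tag != "configuration":
        raise ValueError("not a machine.config document")
    el = root.find(f"./runtime/{ELEMENT}")
    return el is not None and el.get("enabled", "").lower() == "false"


def readiness_check(config_xml: str, crl_ok: bool) -> str:
    """Combine both steps into the outcome SIM reports."""
    if crl_ok:
        return "pass"
    return "pass (fixed)" if publisher_evidence_disabled(config_xml) else "fail"


def apply_fix(config_xml: str) -> str:
    """What the 'Fix' link does: write generatePublisherEvidence enabled="false"
    under <runtime>, creating <runtime> if absent. Idempotent."""
    root = ET.fromstring(config_xml)
    runtime = root.find("runtime")
    if runtime is None:
        runtime = ET.SubElement(root, "runtime")
    el = runtime.find(ELEMENT)
    if el is None:
        el = ET.SubElement(runtime, ELEMENT)
    el.set("enabled", "false")
    return ET.tostring(root, encoding="unicode")


def revert_fix(config_xml: str) -> str:
    """Manual reversal from the article: delete only the fix element and keep
    <configuration>, <runtime> and every other setting untouched."""
    root = ET.fromstring(config_xml)
    runtime = root.find("runtime")
    if runtime is not None:
        for el in runtime.findall(ELEMENT):
            runtime.remove(el)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    # Simulate an offline host: the probe result is injected rather than
    # performed so the run is deterministic without network access.
    print("offline, unfixed:", readiness_check(SAMPLE_CONFIG, crl_ok=False))
    fixed = apply_fix(SAMPLE_CONFIG)
    print("offline, fixed:  ", readiness_check(fixed, crl_ok=False))
    print("after revert:    ", readiness_check(revert_fix(fixed), crl_ok=False))
```

The real check reads %runtime install path%\Config\machine.config, so on a Windows host you would load that file into the functions above instead of SAMPLE_CONFIG. Note that ElementTree drops the XML declaration and any comments when it serialises, so a production edit of the real file should be a targeted text edit or use an XML writer that preserves them; the model is for understanding the decision logic, not for rewriting machine.config in place.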

For more information on disabling or re-enabling CRL lookups, refer to the following KB article: Resolving the Certificate Revocation List (CRL) lookup performance issue.