Why can an EXE file still run even when its certificate is revoked?
-
Thursday, 22 November 2012 05:01
Our company has a code signing certificate which was issued by Verisign; we use it to sign an EXE file. But now this certificate has been revoked by Verisign, and I assumed that the EXE file could no longer be run on the client machine (Win7). Unfortunately, I can still run the EXE file which is signed with the revoked certificate. I've tried many ways, e.g. certutil -urlcache * delete, but it's still not working. On the other hand, when I review the certificate in the EXE file, the "revocation status" of this certificate is still shown as "OK". However, this certificate is really shown as revoked in the certutil tool. What should I do now to prevent the client machine from opening the EXE file which contains the revoked certificate?
Thanks,
Michael
All replies
-
Thursday, 22 November 2012 09:35
Revocation will not affect the binary's status if the binary was signed before the revocation!
You can always configure the specific certificate as untrusted for all operations, regardless of revocation status, using local or domain policies: http://technet.microsoft.com/en-us/library/cc772491.aspx
/Hasain
- Marked as answer by K_evin Zhu, Microsoft Contingent Staff, Moderator, Tuesday, 4 December 2012 06:47
-
Thursday, 22 November 2012 13:30
It looks like your PKI issues two-week base CRLs (and no delta CRLs).
Your client validating the exe has a cached CRL, and the next update is on December 5th.
I am not sure what client OS you are using (this will determine whether you can clear the cache or not).
If you are on Windows Vista or Windows 7/8, run certutil -setreg chain\ChainCacheResyncFiletime @now
If you are on Windows XP, try testing again after December 5th.
On another note, it seems that you want more immediate revocation validation; you need to review your CRL and delta CRL publication intervals. They do not appear to follow your intended policy (more immediate recognition of a revocation). Remember that OCSP responses will be cached for the amount of time left in the CRLs that were used to form the OCSP response (14 days in your case).
Brian
- Marked as answer by K_evin Zhu, Microsoft Contingent Staff, Moderator, Tuesday, 4 December 2012 06:47
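The two answers above describe two different levers: a CRL that stays cached until its NextUpdate (Brian), and explicitly distrusting the one certificate through the Untrusted Certificates store or policy (Hasain). The following PowerShell is an added example, not code from the thread or from Microsoft, that shows both from an elevated prompt on Windows 7 or later. It assumes a signed file path you supply; the function names are its own. The chain is built through .NET's X509Chain, which sits on the same CryptoAPI chain engine and CRL/OCSP cache that WinVerifyTrust uses, so a stale cached CRL produces the same "not revoked" answer here.

```powershell
# Added example (not the thread's own code). Assumes Windows 7+ and an elevated session.

function Get-SignerChainStatus {
    # Build the signer's chain with online, whole-chain revocation checking and report
    # what the local chain engine concludes (it still honours a cached CRL until NextUpdate).
    param([Parameter(Mandatory = $true)][string]$Path)

    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -eq 'NotSigned') {
        return New-Object PSObject -Property @{ Path = $Path; Signed = $false }
    }

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode      = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag      = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $chain.ChainPolicy.VerificationFlags   = [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::NoFlag
    $chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(30)
    $built = $chain.Build($sig.SignerCertificate)

    New-Object PSObject -Property @{
        Path               = $Path
        Signed             = $true
        AuthenticodeStatus = $sig.Status.ToString()       # Valid, NotTrusted, HashMismatch, ...
        StatusMessage      = $sig.StatusMessage
        Timestamped        = ($null -ne $sig.TimeStamperCertificate)
        SignerThumbprint   = $sig.SignerCertificate.Thumbprint
        ChainBuilt         = $built
        # Interesting values: Revoked, RevocationStatusUnknown, OfflineRevocation
        ChainStatus        = ($chain.ChainStatus | ForEach-Object { $_.Status.ToString() }) -join ','
    }
}

function Reset-CryptoApiUrlCache {
    # Brian's suggestion: make the chain engine re-fetch CRLs/OCSP responses instead of
    # using entries cached until NextUpdate. ChainCacheResyncFiletime needs Vista or later.
    & certutil.exe -setreg chain\ChainCacheResyncFiletime @now | Out-Null
    & certutil.exe -urlcache * delete | Out-Null
}

function Block-SignerCertificate {
    # Hasain's suggestion: distrust this specific certificate regardless of CRL state by
    # adding it to the machine's Untrusted Certificates (Disallowed) store. In a domain,
    # the same store is populated via Group Policy (Public Key Policies > Untrusted Certificates).
    param([Parameter(Mandatory = $true)][string]$Path)
    $cert = (Get-AuthenticodeSignature -FilePath $Path).SignerCertificate
    if ($null -eq $cert) { throw "File is not signed: $Path" }
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Disallowed', 'LocalMachine')
    $store.Open('ReadWrite')
    $store.Add($cert)
    $store.Close()
    return $cert.Thumbprint
}

# Usage (placeholder path):
Get-SignerChainStatus -Path 'C:\path\to\signed.exe' | Format-List
Reset-CryptoApiUrlCache
Get-SignerChainStatus -Path 'C:\path\to\signed.exe' | Format-List
Block-SignerCertificate -Path 'C:\path\to\signed.exe'
```

Run Get-SignerChainStatus before and after Reset-CryptoApiUrlCache: if ChainStatus only flips to Revoked after the reset, the client was working from a cached CRL, which is the behaviour Brian describes. Note that a timestamped Authenticode signature is evaluated at the signing time, so a revocation dated after that time leaves AuthenticodeStatus at Valid even once the fresh CRL is in place; that is why Hasain's answer points to explicit distrust, after which Get-AuthenticodeSignature reports the file as NotTrusted on every machine that carries the Disallowed entry.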
-
Wednesday, 28 November 2012 06:33
Hi,
Thanks for your kind answer. We are seeing the issue not only for binaries. In our software, we use "WinVerifyTrust" to check some DLL files; those DLL files are signed with a certificate which was recently revoked by Verisign, but we never get the "CERT_E_REVOKED" result. The certificate is always shown as valid. In our customer's environment, they can detect the revoked certificate correctly, so I am wondering how to reproduce this issue to detect the revocation status.
Thanks,
Michael
-
Wednesday, 28 November 2012 06:34
Hi Komar,
Thanks for your kind answer. We are seeing the issue not only for binaries. In our software, we use the "WinVerifyTrust" function to check some DLL files; those DLL files are signed with a certificate which was recently revoked by Verisign, but we never get the "CERT_E_REVOKED" result. The certificate is always shown as valid. In our customer's environment, they can detect the revoked certificate correctly, so I am wondering how to reproduce this issue to detect the revocation status.
I tried what you suggested, but it is not working on Win7 32-bit.
Thanks,
Michael
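Michael's software calls WinVerifyTrust and never sees CERT_E_REVOKED. What WinVerifyTrust reports depends on the revocation options passed in WINTRUST_DATA (fdwRevocationChecks and the WTD_REVOCATION_CHECK_* provider flags) and, underneath, on the same CryptoAPI CRL cache the thread discusses. The following PowerShell is an added example, not Michael's code and not Microsoft's, that calls WinVerifyTrust directly with whole-chain revocation checking requested and names the HRESULT that comes back. It assumes Windows 7 or later with PowerShell 2.0 or newer and a signed file path you supply; the function name and the small HRESULT table are its own.

```powershell
# Added example (not the thread's own code). Assumes Windows 7+ and PowerShell 2.0+.
Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;

public static class WinTrust
{
    [StructLayout(LayoutKind.Sequential)]
    public struct WINTRUST_FILE_INFO
    {
        public uint cbStruct;
        [MarshalAs(UnmanagedType.LPWStr)] public string pcwszFilePath;
        public IntPtr hFile;
        public IntPtr pgKnownSubject;
    }

    [StructLayout(LayoutKind.Sequential)]
    public struct WINTRUST_DATA
    {
        public uint cbStruct;
        public IntPtr pPolicyCallbackData;
        public IntPtr pSIPClientData;
        public uint dwUIChoice;
        public uint fdwRevocationChecks;
        public uint dwUnionChoice;
        public IntPtr pFile;              // union member used with WTD_CHOICE_FILE
        public uint dwStateAction;
        public IntPtr hWVTStateData;
        public IntPtr pwszURLReference;
        public uint dwProvFlags;
        public uint dwUIContext;
    }

    const uint WTD_UI_NONE = 2, WTD_REVOKE_NONE = 0, WTD_REVOKE_WHOLECHAIN = 1, WTD_CHOICE_FILE = 1;
    const uint WTD_STATEACTION_VERIFY = 1, WTD_STATEACTION_CLOSE = 2;
    const uint WTD_REVOCATION_CHECK_CHAIN = 0x40, WTD_CACHE_ONLY_URL_RETRIEVAL = 0x1000;

    [DllImport("wintrust.dll")]
    static extern int WinVerifyTrust(IntPtr hwnd, ref Guid pgActionID, ref WINTRUST_DATA pWVTData);

    // Returns the raw HRESULT from the Authenticode policy provider.
    public static int Verify(string path, bool checkRevocation, bool cacheOnly)
    {
        var fi = new WINTRUST_FILE_INFO();
        fi.cbStruct = (uint)Marshal.SizeOf(typeof(WINTRUST_FILE_INFO));
        fi.pcwszFilePath = path;
        IntPtr pFi = Marshal.AllocHGlobal((int)fi.cbStruct);
        Marshal.StructureToPtr(fi, pFi, false);

        var wd = new WINTRUST_DATA();
        wd.cbStruct = (uint)Marshal.SizeOf(typeof(WINTRUST_DATA));
        wd.dwUIChoice = WTD_UI_NONE;
        wd.fdwRevocationChecks = checkRevocation ? WTD_REVOKE_WHOLECHAIN : WTD_REVOKE_NONE;
        wd.dwUnionChoice = WTD_CHOICE_FILE;
        wd.pFile = pFi;
        wd.dwStateAction = WTD_STATEACTION_VERIFY;
        wd.dwProvFlags = checkRevocation ? WTD_REVOCATION_CHECK_CHAIN : 0u;
        if (cacheOnly) wd.dwProvFlags |= WTD_CACHE_ONLY_URL_RETRIEVAL;   // never go on the wire

        Guid action = new Guid("00AAC56B-CD44-11d0-8CC2-00C04FC295EE"); // WINTRUST_ACTION_GENERIC_VERIFY_V2
        try
        {
            int hr = WinVerifyTrust(IntPtr.Zero, ref action, ref wd);
            wd.dwStateAction = WTD_STATEACTION_CLOSE;                     // release hWVTStateData
            WinVerifyTrust(IntPtr.Zero, ref action, ref wd);
            return hr;
        }
        finally
        {
            Marshal.DestroyStructure(pFi, typeof(WINTRUST_FILE_INFO));
            Marshal.FreeHGlobal(pFi);
        }
    }
}
'@

# A few codes from winerror.h, keyed by the 8-hex-digit form of the HRESULT.
$script:WinTrustCodes = @{
    '00000000' = 'S_OK: signature trusted'
    '800B0100' = 'TRUST_E_NOSIGNATURE'
    '800B010C' = 'CERT_E_REVOKED'
    '800B0111' = 'TRUST_E_EXPLICIT_DISTRUST'
    '80092012' = 'CRYPT_E_NO_REVOCATION_CHECK'
    '80092013' = 'CRYPT_E_REVOCATION_OFFLINE'
}

function Test-AuthenticodeRevocation {
    param([Parameter(Mandatory = $true)][string]$Path, [switch]$CacheOnly)
    $full = (Resolve-Path $Path).Path
    $hr   = [WinTrust]::Verify($full, $true, [bool]$CacheOnly)
    $code = '{0:X8}' -f $hr
    $name = if ($WinTrustCodes.ContainsKey($code)) { $WinTrustCodes[$code] } else { 'other: see winerror.h' }
    New-Object PSObject -Property @{ Path = $full; HResult = "0x$code"; Meaning = $name }
}

# Usage (placeholder path): online check, then a check restricted to the local cache.
Test-AuthenticodeRevocation -Path 'C:\path\to\signed.dll'
Test-AuthenticodeRevocation -Path 'C:\path\to\signed.dll' -CacheOnly
```

If the CA's current CRL already lists the certificate but both calls return S_OK, the chain engine is still working from a CRL cached until its NextUpdate, which is what Brian's answer describes; clear it with the certutil commands from the thread and run the check again. If the DLL's signature carries a timestamp, a revocation dated after the signing time does not fail the check at all, which is Hasain's point, and only an explicit distrust entry turns the result into TRUST_E_EXPLICIT_DISTRUST.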