Win 2008 R2 IE doesn't detect that I have revoked my web site's HTTPS certificate!


  • Sunday, February 03, 2013 7:38 AM
     
     

    Hi all,

    In my test Hyper-V lab I have deployed 3 virtual machines: one 2008 R2 SP1 domain controller, one enterprise CA or standalone CA, and one domain-joined Win 2008 R2 SP1 client.

    After I obtained a certificate from my CA server and bound it to my website (for HTTPS), I revoked that certificate in the CA server's certificate console and then selected Publish on the Revoked Certificates node. I also ran gpupdate /force on all 3 of my VMs, and in my client's IE, on the Internet Options Advanced tab, I selected "Check for server certificate revocation" and then restarted IE. But IE still connects to that HTTPS website without any warning that this certificate has been revoked and is no longer valid.

    What can I do so that IE doesn't connect to HTTPS websites whose HTTPS certificate has been revoked?

    Thanks a lot


    • Edited by john.s2011 Sunday, February 03, 2013 7:38 AM
    •  

All Replies

  • Sunday, February 03, 2013 7:45 AM
     
     Answered

    You have to wait for the previous CRLs to expire. CRLs have a defined lifetime, and a client will cache the CRL for its validity period. Your action of revoking the certificate and publishing an updated CRL will not be recognized by any client that has a time-valid cached CRL.

    What you have to do is wait for the previous CRL to reach the end of its validity period; then the clients will download an updated base or delta CRL (depending on which has reached expiration).

    For more details on how revocation checking works, you can look at this whitepaper I co-authored with Yogesh Mehta:

    http://technet.microsoft.com/en-us/library/ee619730(WS.10).aspx

    Also, there are methods to clear the cache, but that is not reality. In reality, your clients would have to wait for the expiration, so I am not going to discuss this. (If you actually look at the referenced whitepaper, the procedures are in there.)

    Brian

    • Marked As Answer by john.s2011 Sunday, February 03, 2013 7:53 AM
    •  
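The following PowerShell script is an added example for this thread; it is not part of Brian's post or of the Microsoft whitepaper he links. It makes the answer's point observable on the client: it downloads the CRL the CA currently publishes, prints its ThisUpdate/NextUpdate window, checks whether the revoked server certificate's serial number is actually listed, and then shows what the client has cached. Step 3 is the lab-only cache flush that Brian deliberately leaves out for production; it is included here only so a test lab can confirm revocation without waiting for NextUpdate. The CDP URL, the exported certificate path, and the exact layout of the certutil -dump output lines are assumptions for a lab like the one described.

```powershell
# Added example (not from the original thread or the linked whitepaper).
# Assumptions: $CdpUrl is the HTTP CDP of the lab CA, $SiteCert is the
# server certificate exported as DER/Base64 .cer. Run in an elevated prompt.
$CdpUrl   = 'http://ca.lab.local/CertEnroll/Lab-CA.crl'   # assumed lab CDP URL
$SiteCert = 'C:\lab\website.cer'                          # assumed exported server cert
$CrlFile  = Join-Path $env:TEMP 'published.crl'

# Pull a named date field ("ThisUpdate:" / "NextUpdate:") out of certutil -dump output.
function Get-CrlDate([string[]]$Lines, [string]$Name) {
    foreach ($l in $Lines) {
        if ($l -match "^\s*$($Name):\s*(.+?)\s*$") { return [datetime]$Matches[1] }
    }
}

# 1. What the CA publishes right now. A client whose cached copy still has
#    NextUpdate in the future will keep using that cached copy instead of this one.
(New-Object System.Net.WebClient).DownloadFile($CdpUrl, $CrlFile)
$dump       = certutil -dump $CrlFile
$thisUpdate = Get-CrlDate $dump 'ThisUpdate'
$nextUpdate = Get-CrlDate $dump 'NextUpdate'
"Published CRL: ThisUpdate=$thisUpdate  NextUpdate=$nextUpdate  (now: $(Get-Date))"

# Collect the serial numbers listed in the CRL, normalised to uppercase hex without spaces,
# and compare with the serial of the certificate we revoked.
$revokedSerials = @()
foreach ($l in $dump) {
    if ($l -match 'Serial Number:\s*([0-9a-fA-F ]+)') {
        $revokedSerials += ($Matches[1] -replace '\s', '').ToUpper()
    }
}
$cert   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $SiteCert
$serial = $cert.SerialNumber.ToUpper()
if ($revokedSerials -contains $serial) {
    "Serial $serial IS listed in the published base CRL"
} else {
    "Serial $serial is NOT in the published base CRL (not revoked, or only in a delta CRL)"
}

# 2. What this client has cached on disk. If a cached entry for the same CDP
#    has not reached NextUpdate, IE will not see the new revocation yet.
certutil -urlcache crl

# 3. Lab-only shortcut (not for production clients, as Brian notes): discard the
#    cached CRLs, reset the chain engine's resync time, then re-verify the
#    exported certificate with online fetching and show the revocation lines.
#    Restart IE afterwards, since each process also keeps an in-memory copy.
certutil -urlcache crl delete
certutil -setreg chain\ChainCacheResyncFiletime @now
certutil -verify -urlfetch $SiteCert | Select-String -Pattern 'Revok'
```

Running step 1 right after publishing shows the gap Brian describes: the serial is already in the CRL on the CA, but the cached copy listed in step 2 remains valid until its NextUpdate, and until then IE will keep accepting the certificate. Step 3 only proves the revocation works in the lab; real clients will pick up the new CRL on their own when the cached one expires.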
  • Sunday, February 03, 2013 7:53 AM
     
     

    Hi Brian. Great document. Thanks a lot.