Revoked certificate showing valid

  • Question

  • I have an SSL certificate that has been revoked, and most of the clients do see that it has been revoked. However, for quite a few machines (both inside and outside the domain) the certificate is still showing good and they are still able to access the website, and I did verify that revocation checking is enabled in IE.

    From a machine that still shows a good cert:

    • certutil -verify -urlfetch shows that the cert is good.
    • I’ve cleared the CRL cache.
    • I downloaded the CRL manually (using the CDP links from the certificate itself) and can see that my cert is listed there.

    Obviously there is something else going on that I’m missing but I’m running out of places to look so if you experts have any ideas, a point in the right direction would be appreciated!

    Saturday, May 12, 2012 5:54 PM

Answers

  • It is working as per RFC 5280. The clients that are seeing the certificate as valid have a time-valid CRL or OCSP response that does *not* show the certificate as valid. The certificate will only be recognized as revoked when those time-valid CRL or OCSP responses expire.

    Clearing the cache does not always work. It depends on the operating system and whether the CRL is in use by any applications.

    How did you attempt to clear the cache?

    If you used

    certutil -urlcache * delete or certutil -urlcache crl delete or certutil -urlcache ocsp delete

    You still may have to restart the browser or even reboot the computer.

    The recommended way is to run

    certutil -setreg chain\ChainCacheResyncFiletime @now

    But, this command is not supported on XP, only Vista and higher.

    Bottom line is, when you revoke a certificate, you are not going to walk around to every machine and attempt to clear the cache. Instead, look at what your CRL publication intervals are and ensure that they match written policy. If you want to make sure that a certificate revocation is recognized by beginning of work/close of work, maybe go with a 24 hour base CRL published at 6AM and a 12 hour delta CRL published at 6PM.

    Brian

    • Marked as answer by Brian_M TX Sunday, May 13, 2012 7:09 PM
    Sunday, May 13, 2012 12:09 PM
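The behaviour Brian describes (a client keeps trusting the CRL it already holds until that CRL's nextUpdate passes, so a freshly revoked certificate still verifies as good even though the CRL you download by hand already lists it) can be replayed in a small simulation. This is an added, constructed example, not code from the thread and not how CryptoAPI or certutil is implemented: the CA schedule (daily base CRL at 06:00 UTC, revocation plus an unscheduled CRL at 09:00), the serial number 0x1234 and the `cdp()` stand-in are all made up, and `resync()` is only a model of what `certutil -setreg chain\ChainCacheResyncFiletime @now` achieves (anything cached before that time is treated as stale).

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, FrozenSet, Optional

# Constructed timeline: the CA issues a base CRL daily at 06:00 UTC; the
# serial below is revoked (and an unscheduled CRL published) at 09:00.
T0 = datetime(2012, 5, 12, 6, 0, tzinfo=timezone.utc)
BASE_INTERVAL = timedelta(hours=24)
REVOKED_AT = T0 + timedelta(hours=3)
SERIAL = 0x1234  # made-up serial number of the revoked certificate


@dataclass(frozen=True)
class Crl:
    this_update: datetime
    next_update: datetime
    revoked_serials: FrozenSet[int]


def cdp(now: datetime) -> Crl:
    """Stand-in for the CRL distribution point: returns the CRL the CA has
    published as of `now`. From REVOKED_AT on, the published CRL lists SERIAL."""
    day_start = T0 + ((now - T0) // BASE_INTERVAL) * BASE_INTERVAL
    if now >= REVOKED_AT:
        return Crl(max(day_start, REVOKED_AT), day_start + BASE_INTERVAL, frozenset({SERIAL}))
    return Crl(day_start, day_start + BASE_INTERVAL, frozenset())


class RevocationClient:
    """Relying party that caches one CRL and, per RFC 5280, keeps using it
    until its nextUpdate has passed. resync() is a modelling assumption for
    ChainCacheResyncFiletime: whatever was cached before the given time is
    treated as stale and re-fetched on next use."""

    def __init__(self, fetch: Callable[[datetime], Crl]) -> None:
        self.fetch = fetch
        self.cached: Optional[Crl] = None
        self.fetched_at: Optional[datetime] = None
        self.resync_after: Optional[datetime] = None

    def _current_crl(self, now: datetime) -> Crl:
        stale = (
            self.cached is None
            or now >= self.cached.next_update
            or (self.resync_after is not None and self.fetched_at < self.resync_after)
        )
        if stale:
            self.cached, self.fetched_at = self.fetch(now), now
        return self.cached

    def status(self, serial: int, now: datetime) -> str:
        return "revoked" if serial in self._current_crl(now).revoked_serials else "good"

    def resync(self, now: datetime) -> None:
        self.resync_after = now


def scenario() -> dict:
    """Replay the thread's symptom; returns each observation by name."""
    h = lambda n: T0 + timedelta(hours=n)
    client_a = RevocationClient(cdp)  # validated the cert before the revocation
    client_b = RevocationClient(cdp)  # first sees the cert after the revocation
    out = {}
    out["a_before"] = client_a.status(SERIAL, h(1))   # 07:00: caches CRL without SERIAL
    out["a_after"] = client_a.status(SERIAL, h(4))    # 10:00: cached CRL still time-valid
    out["b_after"] = client_b.status(SERIAL, h(4))    # 10:00: fetches the fresh CRL
    out["cdp_lists_serial"] = SERIAL in cdp(h(4)).revoked_serials  # manual CRL download
    client_a.resync(h(4))                             # the ChainCacheResyncFiletime step
    out["a_after_resync"] = client_a.status(SERIAL, h(4))
    client_c = RevocationClient(cdp)
    client_c.status(SERIAL, h(1))
    out["c_next_day"] = client_c.status(SERIAL, h(24))  # 06:00 next day: cache expired
    return out


if __name__ == "__main__":
    for name, value in scenario().items():
        print(f"{name:18} {value}")
```

The two clients disagree for the whole remaining lifetime of the cached CRL (here until 06:00 the next day), which is exactly the mix of "good" and "revoked" machines the question reports; only the resync, or the cached CRL expiring, brings client A into line. The same model shows why the publication interval, not cache clearing, is the knob that bounds how long a revoked certificate stays usable.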

All replies

  • Brian, thank you for your response!

    I was using certutil -url * delete to remove the cache and did reboot the computer but it was still showing valid.

    I didn’t know about certutil -setreg chain\ChainCacheResyncFiletime @now and after running that command the computers are now showing that the certificate has been revoked.

    This one was strange because I was downloading the CRL right on the computers that were showing a valid cert and the cert was listed in there. This was a public cert issued by Network Solutions that they accidentally revoked but some of our machines (only Windows 7 machines) were still able to access the resources. I had no intention of clearing the cache on each machine, just trying to understand why some were showing revoked while others were showing good.

    Thanks again for the help!!

    Sunday, May 13, 2012 7:10 PM