Frequency of SSL Cert Lookups

    Question

  • Hey guys,

    I have a few questions about how Windows 7 handles checking the internet for new certs and CRLs. We are looking to run Windows 7 Embedded in an offline configuration that still relies on creating a secure SSL negotiation with an in-house web application. We're exploring options such as opening our network's firewall to allow outbound access to the GoDaddy\Microsoft CRLs and Microsoft's cert repository so that it can get new Trusted Root certs.

    1. When and how often does Windows check for new root certificates?

    2. When and how often does Windows check the CRL's for cert revocations?

    3. What websites does Windows look at for Microsoft's CRL and cert repository?

    Thanks!

    June 25, 2018 20:37

All replies

  • When the client is validating a certificate it is common to access this CRL to perform this validation.

    A revocation check is triggered by an application. This is how Certificate Revocation works:

    https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ee619754(v=ws.10)

    CRL checking is a secure mechanism that helps validate the validity of a certificate. 

    When starting a .NET application, the .NET Framework will attempt to download the CRL for any signed assembly. If the system that you are running does not have Internet access, or is restricted from accessing the Microsoft.com domain, you might face a delay starting up or running some applications. All managed code goes through a certificate check against crl.microsoft.com by the .NET runtime before startup, as stated in this article.


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    June 26, 2018 8:02
  • If you have any problems, please feel free to let me know.


    June 27, 2018 10:03
    Thank you for the quick response, Vivian. That answers my questions about checking the CRLs, but when and how often does the Windows OS check for new Trusted Root certificates?
    July 2, 2018 16:50
    I noticed that you said you are in an offline state, which means there is no Internet available, right?

    If so, although Windows will check for new root certificates, they will not be updated until you access the Internet.

    As to how often and when Windows checks for new root certificates, there is no document that introduces it, and it is difficult to monitor. However, in certlm.msc, double click a root certificate; under the Details tab there is a field called Thumbprint. It is a SID of the certificate; I am not sure if the value will change after certificate updates.



    July 3, 2018 8:49
  • Thank you for the information, it's been a big help.

    We do run in an offline state, but we would like to be able to open access to only the necessary websites in order for the PC to get new root certificate updates. We haven't been able to figure out what sites those are. We need the GoDaddy Trusted Root certs updated and we've tried opening access to these sites to A) check the CRLs and B) update the root certs when needed, but have had no luck:

    crl.microsoft.com
    ocsp.microsoft.com
    certificates.godaddy.com
    certificates.starfieldtech.com
    crl.godaddy.com
    crl.starfieldtech.com
    ocsp.godaddy.com
    ocsp.starfieldtech.com
    certs.godaddy.com

    If you know of any other sites that we should be using, it would be a great help to us.

    Also, our application is, in fact, a .NET application. Even with open access to the internet, there are some issues with being able to validate our server's GoDaddy certificate. We run Windows Embedded with write protection on the C: drive, so if the new Trusted Root certs are installed, things work fine; but sometimes, after the machines are rebooted and the C: drive reverts to its previous state with only the old SHA-1 certificates on it (Windows Updates have never been run on these machines, so they're missing the SHA-256 cert), it will fail to get the new cert and validation doesn't occur.

    We think this is because sometimes the .NET app will load and attempt the SSL verification before the new certs are downloaded, and we then have to reboot the machines several times before the cert gets installed and the process works.

    We are working on implementing a regular Windows Update schedule for these machines, so this problem will be resolved at that point, but in the meantime we're just trying to get a better understanding of how this process works.

    Sorry for the long post; you just seem to be the person who can answer these questions for us.

    Thank you!

    July 5, 2018 16:14
  • Hi,

    Sorry for the late response.

    1. As I don't know much about the third-party software GoDaddy, you'd better ask their support if you need to open specific ports to get certificates installed. However, if you can't auto-download these root certificates, try to manually download them from the manufacturer's website on the server, then use GPO to deploy them.

    2. If you consider it a verification issue, you can check the logs in the Event Log on both the server and the client.



    July 11, 2018 8:43
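The Event Log suggestion above can be made concrete. Windows records every chain build, revocation check and network fetch it performs in the CAPI2 operational log, which is the most reliable way to see which CRL, OCSP and root-update URLs a client actually contacts, and therefore which hosts a restrictive firewall has to allow. The following PowerShell script is an added example, not code from the thread or from Microsoft; it assumes it is run elevated on the client and that `$CertPath` (a placeholder) points at the server certificate exported to a file.

```powershell
# Added example (not from the thread): enable the CAPI2 operational log, build the
# chain for the server certificate exactly as a client would (online revocation),
# then list the URLs Windows contacted and any errors it logged.
# Assumptions: run as Administrator; $CertPath is a placeholder for your exported cert.
$CertPath = 'C:\temp\server.cer'   # placeholder: export the server's certificate here

# 1. The CAPI2 operational log is off by default; turn it on and note the start time.
wevtutil set-log Microsoft-Windows-CAPI2/Operational /enabled:true
$since = Get-Date

# 2. Build the chain with online CRL/OCSP checks for every certificate in it.
#    An unknown root also triggers the automatic root update fetch, so this exercises
#    both questions from the thread (revocation lookups and trusted-root retrieval).
$cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
$ok = $chain.Build($cert)
"Chain valid: $ok"
foreach ($s in $chain.ChainStatus)   { "  status : $($s.Status) - $($s.StatusInformation.Trim())" }
foreach ($e in $chain.ChainElements) { "  element: $($e.Certificate.Subject) [thumbprint $($e.Certificate.Thumbprint)]" }

# 3. Read back the CAPI2 events written during the build. Event IDs used:
#    11 Build Chain, 41 Verify Revocation, 42 Retrieve Object from Network,
#    53 Retrieve Third-Party Root Certificate from Network.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-CAPI2/Operational'
    Id        = 11, 41, 42, 53
    StartTime = $since
} -ErrorAction SilentlyContinue

# 4. Every URL in the event XML is a host the firewall must allow for this chain.
$urls = foreach ($ev in $events) {
    [regex]::Matches($ev.ToXml(), 'https?://[^"<\s]+') | ForEach-Object { $_.Value }
}
"`nURLs contacted during validation:"
$urls | Sort-Object -Unique

# 5. Level 2 (Error) events show exactly which fetch or check failed and why.
"`nFailed CAPI2 operations:"
$events | Where-Object Level -eq 2 | Format-Table TimeCreated, Id, Message -AutoSize -Wrap
```

Disable the log again with `wevtutil set-log Microsoft-Windows-CAPI2/Operational /enabled:false` once the hosts have been collected; it is verbose on a busy machine.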