Active Directory 2008: CRL (Certificate Revocation List) Facts…

Certificate revocation is the process of breaking the bond of a public key pair to a specific individual. Revocation occurs when the end entity falls out of the scope of trust of the PKI system. Situations in which a digital certificate would be revoked are:

  • The subject (either a person or the computer) identity changes, such as changing from a maiden name to a married name.
  • An organization sells a division or changes its name.
  • The subject of the certificate leaves the company or is no longer trusted for some reason.
  • A compromise, such as a private key being discovered by a hacker, or a laptop with a PKI-enabled application being lost or stolen.

Be aware of the following facts about certificate revocation.

  • In the Certification Authority console, when you revoke a certificate, it is moved to the Revoked Certificates folder.
    • You must indicate a reason when you revoke the certificate.
    • Certificates that have been revoked with Certificate Hold as the reason can be unrevoked (reinstated). You cannot unrevoke certificates that have been revoked for any other reason.
    • The CA uses certificates in this folder to build the certificate revocation list (CRL).
  • Revoked certificates are published in a list called the Certificate Revocation List (CRL). The CRL contains a list of all certificates issued by the CA that have been revoked.
  • The CRL is published to a location known as the CRL Distribution Point (CDP). Four areas where the CRL is usually published are:
    • On the issuing CA (by default in the C:\Windows\system32\Certsrv\CertEnroll directory)
    • On an Internet or intranet Web site (by default in the http://servername/CertEnroll virtual directory)
    • To a file
    • In a directory service such as Active Directory
  • CDP locations are configured in the properties of a CA on the Extensions tab by editing the CRL Distribution Point (CDP) extension list. You can add or remove distribution points in the list.
  • The CA periodically publishes the CRL to include newly revoked certificates. You can also manually publish the CRL to update it immediately.
  • Windows Server 2008 allows you to publish delta CRLs.
    • Delta CRLs list only changes made to the CRL since the CRL was published. This allows you to publish changes frequently without having to publish the entire CRL. For example, you could configure the CA to publish the full CRL weekly while it publishes a delta CRL daily.
    • Windows client systems older than XP cannot use delta CRLs.
  • When the CA issues a certificate, the CRL distribution points are included in the certificate.
  • When a client computer is presented with a new certificate, it checks the CRL to see if the certificate is still valid.
    • The client uses the CDP information in the certificate to locate the CRL.
    • The client downloads the entire CRL and any delta CRLs.
    • Each CRL and delta CRL includes a property that identifies how long it is valid. This period is based on the publishing interval configured on the CA.
    • When a client needs to check the validity of a certificate, it first checks its cached copy of the CRL or delta CRLs.
      • If the CRL is still valid, that information is used to validate the certificate.
      • If the CRL is not valid, a new CRL or new delta CRL is downloaded.
    • When a client needs to download a CRL, it tries the first location in the CDP list. If it cannot get a CRL from the location, it tries the next location, until a CRL is found or all locations are checked.
    • If the client cannot get a CRL from any location, it returns a Revocation offline message.
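The client-side lookup described above, as an added Python model (not code from the original page): it walks the CDP list in order, reuses cached base and delta CRLs only while they are within their validity period, merges the delta into the base, and returns "revocation offline" when no location yields a CRL. The Crl class, the fetch callable and the CDP URLs are constructed stand-ins, not Windows APIs.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Crl:
    """Constructed, minimal model of a CRL or delta CRL."""
    revoked: set            # serial numbers listed as revoked
    next_update: datetime   # the 'valid until' property the client honours
    is_delta: bool = False

def crl_usable(crl, now):
    """A cached CRL is reused only while it is still within its validity period."""
    return crl is not None and now < crl.next_update

def check_revocation(serial, cdp_list, cache, fetch, now):
    """Return 'good', 'revoked' or 'revocation offline' for one certificate serial.
    cdp_list: ordered CDP locations copied from the certificate's CDP extension.
    cache:    dict url -> (base Crl, delta Crl or None); the client's cached copies.
    fetch:    callable(url) -> (base, delta), or None when the location is unreachable.
    """
    for url in cdp_list:
        base, delta = cache.get(url, (None, None))
        if not crl_usable(base, now) or (delta is not None and not crl_usable(delta, now)):
            fetched = fetch(url)           # cache empty or expired: download again
            if fetched is None:
                continue                   # try the next location in the CDP list
            base, delta = fetched
            cache[url] = (base, delta)
        revoked = set(base.revoked)
        if delta is not None:
            revoked |= delta.revoked       # delta holds changes since the base CRL
        return "revoked" if serial in revoked else "good"
    return "revocation offline"            # no location yielded a CRL

# Constructed sample data: a weekly base CRL plus a daily delta, as in the text above.
NOW = datetime(2024, 1, 15, 12, 0)
BASE = Crl(revoked={0x1001}, next_update=NOW + timedelta(days=7))
DELTA = Crl(revoked={0x1002}, next_update=NOW + timedelta(days=1), is_delta=True)
CDPS = ["http://ca01/CertEnroll/CA01.crl", "ldap:///CN=CA01,CN=CDP,DC=example,DC=test"]

def demo():
    """Three scenarios a client can hit while validating serial 0x1002 (listed only in the delta)."""
    fresh = {CDPS[0]: (BASE, DELTA)}
    hit_cache = check_revocation(0x1002, CDPS, fresh, lambda url: None, NOW)
    # Cached delta has expired, first CDP is unreachable, second CDP answers.
    stale = {CDPS[0]: (BASE, Crl(set(), NOW, True))}
    fallback = check_revocation(0x1002, CDPS, stale,
                                lambda url: (BASE, DELTA) if url == CDPS[1] else None, NOW)
    offline = check_revocation(0x1002, CDPS, {}, lambda url: None, NOW)
    return hit_cache, fallback, offline
```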
