Sometimes it is necessary for a certificate issued by a certification authority to be withdrawn from circulation even before its expiration date. To make this possible, a certification authority keeps a revocation list. This is a signed file with a relatively short expiration date, which is used in combination with the certificate to check its validity.
After a certificate has been revoked, a new revocation list must be created and published so that entities that check the revocation status are informed of the revocation. Since the revocation list has a relatively short expiration date, it must be reissued at regular intervals even if the content is not changed.
Required permissions
To create a revocation list, the executing user needs the "Manage CA" right on the certification authority on which the revocation list is to be issued.
Creating a revocation list via the command line
A revocation list can be created with the following command, run from a command line with elevated privileges ("Run as administrator"):
certutil -crl
You will be informed via the command line whether the command was successful.
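As an added example that is not part of the original article, the following PowerShell script runs the same certutil -crl command, checks its exit code, and then confirms from the CA's locally written base CRL that a freshly signed list with a valid NextUpdate was produced. It assumes an elevated PowerShell on the CA and the default local CRL path %SystemRoot%\System32\CertSrv\CertEnroll; the 30-minute freshness window is an assumption chosen for this example.

```powershell
# Added example (not from the original article). Assumes an elevated session on the CA
# and the default local CRL folder; adjust $crlDir if the CA writes its CRL elsewhere.
$crlDir = Join-Path $env:SystemRoot 'System32\CertSrv\CertEnroll'
$freshnessWindow = New-TimeSpan -Minutes 30   # assumed tolerance (covers ADCS clock-skew backdating)

# Step 1: issue a new base CRL, exactly as the article describes.
$output = & certutil.exe -crl 2>&1
if ($LASTEXITCODE -ne 0) {
    throw "certutil -crl failed (exit code $LASTEXITCODE):`n$output"
}

# Step 2: locate the most recently written base CRL. Delta CRLs use the '<CAName>+.crl'
# naming convention, so they are excluded here.
$crl = Get-ChildItem -Path $crlDir -Filter '*.crl' |
    Where-Object { $_.Name -notlike '*+.crl' } |
    Sort-Object LastWriteTime -Descending |
    Select-Object -First 1
if (-not $crl) { throw "No base CRL found in $crlDir" }

# Step 3: read ThisUpdate/NextUpdate from certutil's dump of the file.
# Dates are printed in the current culture, so parse them with the current culture.
$dump = & certutil.exe -dump $crl.FullName 2>&1
function Get-DumpDate([string[]]$Lines, [string]$Field) {
    $m = $Lines | Select-String -Pattern ('^\s*' + $Field + ':\s*(.+)$') | Select-Object -First 1
    if (-not $m) { throw "Field '$Field' not found in certutil -dump output for $($crl.Name)" }
    [datetime]::Parse($m.Matches[0].Groups[1].Value.Trim())
}
$thisUpdate = Get-DumpDate $dump 'ThisUpdate'
$nextUpdate = Get-DumpDate $dump 'NextUpdate'

# Step 4: sanity checks a practitioner wants after issuing: the list is new and not yet expired.
$now = Get-Date
if (($now - $thisUpdate) -gt $freshnessWindow) {
    Write-Warning "Newest CRL $($crl.Name) has ThisUpdate $thisUpdate; it does not look freshly issued."
}
if ($nextUpdate -le $now) {
    Write-Warning "CRL $($crl.Name) already expired at $nextUpdate; relying parties will reject it."
}
"{0}: ThisUpdate={1} NextUpdate={2}" -f $crl.Name, $thisUpdate, $nextUpdate
```

The check only covers the CA's local copy; whether the same CRL reached the configured CDP locations still has to be verified at the distribution points themselves.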
Creating a revocation list via the graphical user interface
In the certificate authority management console (certsrv.msc), click on "Revoked Certificates" on the right and select "All Tasks" - "Publish".
In the following dialog you can choose whether you want to issue a basic revocation list or (if activated) a delta revocation list.
You do not get direct feedback on whether the command was successful. If there is no error message, the revocation list has been issued.
Publishing the revocation list
Do you know TameMyCerts? TameMyCerts is an add-on for the Microsoft certification authority (Active Directory Certificate Services). It extends the functions of the certification authority and makes it possible to apply policies in order to realize the secure automation of certificate issuance. TameMyCerts is unique in the Microsoft ecosystem, has already proven itself in countless companies around the world and is available under a free license. It can be downloaded via GitHub and used free of charge. Professional maintenance is also offered.
Depending on the configuration of the certification authority, it may now still be necessary to publish the certificate revocation lists on the CRL distribution points (CDP).
- The configuration of the revocation list distribution points of a certification authority is described in the article "Configuring Certificate Revocation List (CDP) Distribution Points and Authority Information Access (AIA) Extension of a Certification Authority".
- Manual publishing to an LDAP CDP is described in the article "Publish a Certificate Revocation List to an Active Directory Revocation List Distribution Point".
Optional: Perform emergency signing of certificate revocation lists
The most important component of a PKI in terms of availability is not the certification authority, as is often assumed, but the revocation list distribution points. If a certification authority is unavailable, no new certificates can be issued for the time being, but the certificates already issued can continue to be used without hindrance as long as their revocation status can be verified. In addition to the pure availability of the revocation list distribution points, the revocation information must of course also be valid in terms of its signature. Revocation lists have a defined expiration date after which they can no longer be used. If a certification authority has failed, it can no longer publish new revocation lists either. The process of emergency signing of revocation lists is provided for this case.
The procedure for performing an emergency signing of a revocation list is described in the article "Perform emergency signing of certificate revocation lists".
Related links:
- Revoking an issued certificate
- If a certification authority certificate has been revoked, a revocation list is no longer issued for the certification authority certificate
- Perform emergency signing of certificate revocation lists
- Publish a Certificate Revocation List to an Active Directory Revocation List Distribution Point
- Configuring Certificate Revocation List (CDP) Distribution Points and Authority Information Access (AIA) Extension of a Certification Authority
- Publishing a certificate revocation list (CRL) fails with the error message "Insufficient access rights to perform the operation. 0x80072098 (WIN32: 8344 ERROR_DS_INSUFF_ACCESS_RIGHTS)".
- Publishing a certificate revocation list (CRL) fails with the error message "Directory object not found. 0x8007208d (WIN32: 8333 ERROR_DS_OBJ_NOT_FOUND)".
- Publishing a certificate revocation list (CRL) fails with error message "Access is denied. 0x80070005 (WIN32: 5 ERROR_ACCESS_DENIED)".
- Publishing a certificate revocation list (CRL) fails with error message "The directory name is invalid. 0x8007010b (WIN32/HTTP: 267 ERROR_DIRECTORY)".