Certificate revocation list (CRL) - Page 2

Revoking an issued certificate

Sometimes it is necessary for a certificate issued by a certification authority to be withdrawn from circulation even before its expiration date. To make this possible, a certification authority keeps a revocation list. This is a signed file with a relatively short expiration date, which is used in combination with the certificate to check its validity.

When a certificate is revoked, its serial number is placed on the revocation list. Entities that check the revocation of a certificate then consider it to be no longer valid.

If a certification authority certificate has been revoked, a revocation list is no longer issued for the certification authority certificate

Assume the following scenario:

A certification authority has multiple certification authority certificates.
More than one certificate authority certificate uses the same private key because, for example, the certificate authority certificate was renewed with the same key pair.
If one of these certification authority certificates is revoked, the certification authority will also no longer issue revocation lists for the other certification authority certificates that use the same key.

What impact does the expiry of the revocation list of one of the higher-level Certification Authorities have on the Certification Authority?

Unfortunately, in practice it happens from time to time that the revocation list of a higher-level certification authority expires and a renewal does not take place. This can also happen as planned, for example when an old hierarchy is decommissioned.

View and clear the revocation list address cache (CRL URL Cache).

All applications that use the Microsoft Cryptographic Application Programming Interface Version 2 (Crypto API Version 2, CAPI2) have a mechanism for caching certificate revocation information (Certificate revocation lists and OCSP-answers).

Thus, there is no guarantee that, for example, a newly published blacklist will be used by participants before the previous blacklist, which is still in the cache, has expired.

The following describes how to view and influence the blacklist cache.

What impact does incorrect revocation information of a certification authority certificate have on the certification authority?

The following describes the effects on certification authority operation if the revocation information for one of the certification authority's certificates cannot be retrieved.

This case may also occur as planned, for example, when a previous certification authority hierarchy is to be decommissioned.

The certification authority service does not start and throws the error message "The certificate is revoked. 0x80092010 (-2146885616 CRYPT_E_REVOKED)".

Assume the following scenario:

A certification authority is implemented in the network.
The certification authority service does not start.
When trying to start the Certification Authority service, you get the following error message:

The certificate is revoked. 0x80092010 (-2146885616 CRYPT_E_REVOKED)

The certification authority service does not start and throws the error message "The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613 CRYPT_E_REVOCATION_OFFLINE)".

Assume the following scenario:

A certification authority is implemented in the network.
The certification authority service does not start.
When trying to start the Certification Authority service, you get the following error message:

The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613 CRYPT_E_REVOCATION_OFFLINE)

Public Key Infrastructures (PKI) basics

A public key infrastructure comprises all components (hardware, software, people and processes) required for the use of digital certificates. A PKI consists of one or more certification authorities (CA). The tasks of a PKI include:

Ensuring the authenticity of keys, i.e. establishing a traceable link between a key and its origin to prevent misuse.
Revocation of certificates, i.e., ensuring that decommissioned or compromised (e.g., stolen) keys can no longer be used.
Guarantee of liability (non-repudiation), i.e., the owner of a key cannot deny that it belongs to him.
Enforcement of policies, i.e. standardized procedures for the use of certificates.

When installing a new certificate authority certificate, you get the error message "The revocation function was unable to check revocation for the certificate. 0x80092012 (-2146885614 CRYPT_E_NO_REVOCATION_CHECK)".

Assume the following scenario:

One installs a new certification authority certificate on the certification authority, either because the certification authority was newly installed, or because the certification authority certificate was renewed.
During the installation you get the following error message:

Cannot verify certificate chain. Do you wish to ignore the error and continue? The revocation function was unable to check revocation for the certificate. 0x80092012 (-2146885614 CRYPT_E_NO_REVOCATION_CHECK)

Publishing a certificate revocation list (CRL) fails with the error message "Insufficient access rights to perform the operation. 0x80072098 (WIN32: 8344 ERROR_DS_INSUFF_ACCESS_RIGHTS)".

Assume the following scenario:

An attempt is made to publish a new certificate revocation list (CRL) on a certification authority
The certificate authority is configured to publish the certificate revocation lists to Active Directory (LDAP CDP).
Publishing the certificate revocation list fails with the following error message:

Insufficient access rights to perform the operation. 0x80072098 (WIN32: 8344 ERROR_DS_INSUFF_ACCESS_RIGHTS)

Publishing a certificate revocation list (CRL) fails with the error message "Directory object not found. 0x8007208d (WIN32: 8333 ERROR_DS_OBJ_NOT_FOUND)".

Assume the following scenario:

An attempt is made to publish a new certificate revocation list (CRL) on a certification authority.
The certificate authority is configured to publish the certificate revocation lists to Active Directory (LDAP CDP).
Publishing the certificate revocation list fails with the following error message:

Directory object not found. 0x8007208d (WIN32: 8333 ERROR_DS_OBJ_NOT_FOUND)

Publishing a certificate revocation list (CRL) fails with error message "Access is denied. 0x80070005 (WIN32: 5 ERROR_ACCESS_DENIED)".

Assume the following scenario:

A new revocation list is created on the certification authority.
The certification authority is configured to publish revocation lists to a network path.
Publishing fails with the following error message:

Access is denied. 0x80070005 (WIN32: 5 ERROR_ACCESS_DENIED)

Publishing a certificate revocation list (CRL) fails with error message "The directory name is invalid. 0x8007010b (WIN32/HTTP: 267 ERROR_DIRECTORY)".

Assume the following scenario:

A new revocation list is created on the certification authority.
Publishing fails with the following error message:

The directory name is invalid. 0x8007010b (WIN32/HTTP: 267 ERROR_DIRECTORY)

Manual publishing of a certificate revocation list (CRL) to Active Directory fails with error 0x8007202b (WIN32: 8235 ERROR_DS_REFERRAL)

Assume the following scenario:

An offline root certificate authority has been installed. The server on which the certificate authority is installed is not a domain member.
This is configured for Active Directory blacklist publications.
The blacklists are uploaded to the Active Directory using certutil -dspublish.
The operation fails with the following error message:

certutil -dspublish "ADCS Labor Root CA.crl"
 ldap:///CN=ADCS Lab Root CA,CN=ADCS Lab Root CA,CN=cdp,CN=Public Key Services,CN=Services,DC=UnavailableConfigDN?certificateRevocationList?base?objectClass=cRLDistributionPoint?certificateRevocationList
 ldap: 0xa: LDAP_REFERRAL: 0000202B: RefErr: DSID-03100835, data 0, 1 access points
         ref 1: 'unavailableconfigdn'
 CertUtil: -dsPublish command FAILED: 0x8007202b (WIN32: 8235 ERROR_DS_REFERRAL)
 CertUtil: A referral was returned from the server.