Certificate revocation list (CRL) - Page 2

Basics: Checking the revocation status of certificates

If a valid, unexpired certificate is to be withdrawn from circulation, it must be revoked. For this purpose, the certification authorities maintain corresponding revocation lists in which the digital fingerprints of the revoked certificates are listed. They must be queried during the validity check.

Perform functional test for a Certification Authority

After installing a certification authority, after migrating to a new server, or after more extensive maintenance work, an extensive functional test should be performed to ensure that all components of the certification authority are working as desired.

Publish a certificate revocation list (CRL) to an Active Directory revocation list distribution point (CDP).

Sometimes it is necessary for a certificate issued by a certification authority to be withdrawn from circulation even before its expiration date. To make this possible, a certification authority keeps a revocation list. This is a signed file with a relatively short expiration date, which is used in combination with the certificate to check its validity.

In some cases (for example, with an offline certificate authority, or if non-standard LDAP revocation list distribution points have been configured), the certificate revocation list must be manually published to Active Directory.

Create and publish a certificate revocation list

After a certificate has been revoked, a new revocation list must be created and published so that entities that check the revocation status are informed of the revocation. Since the revocation list has a relatively short expiration date, it must be reissued at regular intervals even if the content is not changed.

Revoking an issued certificate

When a certificate is revoked, its serial number is placed on the revocation list. Entities that check the revocation of a certificate then consider it to be no longer valid.

If a certification authority certificate has been revoked, a revocation list is no longer issued for the certification authority certificate

Assume the following scenario:

A certification authority has multiple certification authority certificates.
More than one certificate authority certificate uses the same private key because, for example, the certificate authority certificate was renewed with the same key pair.
If one of these certification authority certificates is revoked, the certification authority will also no longer issue revocation lists for the other certification authority certificates that use the same key.

What impact does the expiry of the revocation list of one of the higher-level Certification Authorities have on the Certification Authority?

Unfortunately, in practice it happens from time to time that the revocation list of a higher-level certification authority expires and a renewal does not take place. This can also happen as planned, for example when an old hierarchy is decommissioned.

View and clear the revocation list address cache (CRL URL Cache).

All applications that use the Microsoft Cryptographic Application Programming Interface Version 2 (Crypto API Version 2, CAPI2) have a mechanism for caching certificate revocation information (Certificate revocation lists and OCSP-answers).

Thus, there is no guarantee that, for example, a newly published blacklist will be used by participants before the previous blacklist, which is still in the cache, has expired.

The following describes how to view and influence the blacklist cache.

What impact does incorrect revocation information of a certification authority certificate have on the certification authority?

The following describes the effects on certification authority operation if the revocation information for one of the certification authority's certificates cannot be retrieved.

This case may also occur as planned, for example, when a previous certification authority hierarchy is to be decommissioned.

The certification authority service does not start and throws the error message "The certificate is revoked. 0x80092010 (-2146885616 CRYPT_E_REVOKED)".

Assume the following scenario:

A certification authority is implemented in the network.
The certification authority service does not start.
When trying to start the Certification Authority service, you get the following error message:

The certificate is revoked. 0x80092010 (-2146885616 CRYPT_E_REVOKED)

The certification authority service does not start and throws the error message "The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613 CRYPT_E_REVOCATION_OFFLINE)".

Assume the following scenario:

A certification authority is implemented in the network.
The certification authority service does not start.
When trying to start the Certification Authority service, you get the following error message:

The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613 CRYPT_E_REVOCATION_OFFLINE)

Public Key Infrastructures (PKI) basics

A public key infrastructure comprises all components (hardware, software, people and processes) required for the use of digital certificates. A PKI consists of one or more certification authorities (CA). The tasks of a PKI include:

Ensuring the authenticity of keys, i.e. establishing a traceable link between a key and its origin to prevent misuse.
Revocation of certificates, i.e., ensuring that decommissioned or compromised (e.g., stolen) keys can no longer be used.
Guarantee of liability (non-repudiation), i.e., the owner of a key cannot deny that it belongs to him.
Enforcement of policies, i.e. standardized procedures for the use of certificates.

When installing a new certificate authority certificate, you get the error message "The revocation function was unable to check revocation for the certificate. 0x80092012 (-2146885614 CRYPT_E_NO_REVOCATION_CHECK)".

Assume the following scenario:

One installs a new certification authority certificate on the certification authority, either because the certification authority was newly installed, or because the certification authority certificate was renewed.
The certification authority certificate was issued by a higher-level certification authority.
During the installation you get the following error message:

Cannot verify certificate chain. Do you wish to ignore the error and continue? The revocation function was unable to check revocation for the certificate. 0x80092012 (-2146885614 CRYPT_E_NO_REVOCATION_CHECK)

Publishing a certificate revocation list (CRL) fails with the error message "Insufficient access rights to perform the operation. 0x80072098 (WIN32: 8344 ERROR_DS_INSUFF_ACCESS_RIGHTS)".

Assume the following scenario:

An attempt is made to publish a new certificate revocation list (CRL) on a certification authority
The certificate authority is configured to publish the certificate revocation lists to Active Directory (LDAP CDP).
Publishing the certificate revocation list fails with the following error message:

Insufficient access rights to perform the operation. 0x80072098 (WIN32: 8344 ERROR_DS_INSUFF_ACCESS_RIGHTS)

Publishing a certificate revocation list (CRL) fails with the error message "Directory object not found. 0x8007208d (WIN32: 8333 ERROR_DS_OBJ_NOT_FOUND)".

Assume the following scenario:

An attempt is made to publish a new certificate revocation list (CRL) on a certification authority.
The certificate authority is configured to publish the certificate revocation lists to Active Directory (LDAP CDP).
Publishing the certificate revocation list fails with the following error message:

Directory object not found. 0x8007208d (WIN32: 8333 ERROR_DS_OBJ_NOT_FOUND)