Basics: Delta revocation lists

Certificate revocation lists (CRLs) are used to remove issued certificates from circulation before the end of their validity period.

A CRL is a signed list of the serial numbers of certificates that have been revoked by the certification authority. The revocation list itself has a validity period (usually only a few days) and is reissued and signed by the associated certification authority at regular intervals.

Certificate revocation lists can reach a considerable size if the volume of revoked certificates is high (as a rule of thumb, you can expect about 5 megabytes per 100,000 entries). The regular download of large certificate revocation lists by subscribers can generate a large network load. To address this problem, there is the concept of delta revocation lists.

Continue reading „Grundlagen: Deltasperrlisten“

Roles in a public key infrastructure

Understanding the roles involved is essential for designing a public key infrastructure.

The term "public key infrastructure" encompasses much more than the technical components and is often used misleadingly.

In summary, a public key infrastructure is both an authentication technology and the totality of all the components involved.

Continue reading „Rollen in einer Public Key Infrastruktur“

Sending S/MIME encrypted messages with Outlook for iOS is not possible: "There's a problem with one of your S/MIME encryption certificates."

Assume the following scenario:

There's a problem with one of your S/MIME encryption certificates. Contact your IT help desk for more info.
Continue reading „Das Senden von S/MIME verschlüsselten Nachrichten mit Outlook for iOS ist nicht möglich: „There’s a problem with one of your S/MIME encryption certificates.““

Logon error with Windows Hello for Business: "Contact the system administrator and tell them that the KDC certificate could not be verified."

Assume the following scenario:

  • The company is using Windows Hello for Business.
  • Users receive the following error message when logging in to the client:
Sign-in failed. Contact your system administrator and tell them that the KDC certificate could not be validated. Additional information may be available in the system event log.
Continue reading „Anmeldefehler mit Windows Hello for Business: „Wenden Sie sich an den Systemadministrator, und teilen Sie ihm mit, dass das KDC-Zertifikat nicht überprüft werden konnte.““

Basics of online responders (Online Certificate Status Protocol, OCSP)

Certificates usually have a "CRL Distribution Points" extension that tells an application where the certificate's associated Certificate Revocation List (CRL) can be found.

This is like a telephone directory: it contains the serial numbers of all certificates that have been revoked by the certification authority (and whose validity period has not yet expired). Every application that checks the revocation status must download and evaluate the entire revocation list.

As the list grows, this procedure becomes increasingly inefficient. As a rule of thumb, 100,000 revoked certificates already correspond to a revocation list file size of approx. 5 MB.

The Online Certificate Status Protocol (OCSP) was developed for this purpose (under the leadership of ValiCert): it is similar to a directory assistance service, where applications can request the revocation status of individual certificates, thus eliminating the need to download the entire CRL. OCSP is specified in RFC 6960.

Continue reading „Grundlagen Onlineresponder (Online Certificate Status Protocol, OCSP)“

The online responder (OCSP) reports "The object identifier does not represent a valid object. 0x800710d8 (WIN32: 4312 ERROR_OBJECT_NOT_FOUND)".

Assume the following scenario:

  • An online responder (OCSP) is configured on the network.
  • OCSP is enabled for a certificate authority and a revocation configuration is set up.
  • The management console for the online responder displays the following status for the revocation configuration:
Type: Microsoft CRL-based revocation status provider.
The revocation provider failed with the current configuration. The object identifier does not represent a valid object. 0x800710d8 (WIN32: 4312 ERROR_OBJECT_NOT_FOUND), 0x800710d8
Continue reading „Der Onlineresponder (OCSP) meldet „The object identifier does not represent a valid object. 0x800710d8 (WIN32: 4312 ERROR_OBJECT_NOT_FOUND)““

Revocation of an issued certificate fails with error message "The data is invalid. 0x8007000d (WIN32: 13 ERROR_INVALID_DATA)".

Assume the following scenario:

  • A certificate is revoked via the command line (certutil -revoke).
  • The operation fails with the following error message:
ICertAdmin::RevokeCertificate: The data is invalid. 0x8007000d (WIN32: 13 ERROR_INVALID_DATA)
Continue reading „Der Widerruf eines ausgestellten Zertifikats schlägt fehl mit Fehlermeldung „The data is invalid. 0x8007000d (WIN32: 13 ERROR_INVALID_DATA)““

Treatment of expired certificates when issuing certificate revocation lists

By default, the Microsoft Certification Authority removes the serial numbers of expired certificates from the revocation lists it issues.

However, there are some exceptions to this.

Continue reading „Behandlung abgelaufener Zertifikate bei der Ausstellung von Zertifikatsperrlisten“

Google Chrome and Microsoft Edge do not check certificate revocation state

More and more companies are using the Google Chrome browser or the new Chromium-based Microsoft Edge (codename Anaheim).

When distributing one of these two browsers, it should be noted that they sometimes behave differently from other browsers in terms of certificates.

Besides the fact that Chromium, unlike Internet Explorer and the previous Edge (codename Spartan), enforces RFC 2818, it also behaves differently when checking revocation information.

Continue reading „Google Chrome und Microsoft Edge prüfen Sperrstatus von Zertifikaten nicht“

Details of the event with ID 130 of the source Microsoft-Windows-CertificationAuthority

Event Source: Microsoft-Windows-CertificationAuthority
Event ID: 130 (0x82)
Event log: Application
Event type: Error
Symbolic Name: MSG_E_CRL_CREATION
Event text (English): Active Directory Certificate Services could not create a certificate revocation list. %1. This may cause applications that need to check the revocation status of certificates issued by this CA to fail. You can recreate the certificate revocation list manually by running the following command: "certutil -CRL". If the problem persists, restart Certificate Services.
Event text (German, translated): No certificate revocation list could be created by Active Directory Certificate Services. %1. This may cause an error to occur in applications that require checking the revocation status of certificates issued by this certificate authority. The certificate revocation list can be manually recreated by running the following command: "certutil -CRL". If the problem persists, restart Certificate Services.
Continue reading „Details zum Ereignis mit ID 130 der Quelle Microsoft-Windows-CertificationAuthority“

Details of the event with ID 131 of the source Microsoft-Windows-CertificationAuthority

Event Source: Microsoft-Windows-CertificationAuthority
Event ID: 131 (0x83)
Event log: Application
Event type: Warning
Event text (English): An invalid OID has been detected in the EKUOIDsForPublishExpiredCertInCRL configuration setting. To resolve, run: "certutil -getreg ca\EKUOIDsForPublishExpiredCertInCRL" to identify the invalid OID and correct it. The default OIDs ("1.3.6.1.5.5.7.3.3" and "1.3.6.1.4.1.311.61.1.1") will be used.
Event text (German, translated): An invalid OID was detected in the EKUOIDsForPublishExpiredCertInCRL configuration setting. To fix it, run the certutil -getreg ca\EKUOIDsForPublishExpiredCertInCRL command to detect and correct the invalid OID. The default OIDs ("1.3.6.1.5.7.3.3" and "1.3.6.1.4.1.311.61.1.1") are used.
Continue reading „Details zum Ereignis mit ID 131 der Quelle Microsoft-Windows-CertificationAuthority“

Details of the event with ID 74 of the source Microsoft-Windows-CertificationAuthority

Event Source: Microsoft-Windows-CertificationAuthority
Event ID: 74 (0x4A)
Event log: Application
Event type: Error
Symbolic Name: MSG_E_BASE_CRL_PUBLICATION_HOST_NAME
Event text (English): Active Directory Certificate Services could not publish a Base CRL for key %1 to the following location on server %4: %2. %3.%5%6
Event text (German, translated): Failed to publish a base certificate revocation list for key %1 at the following location on server "%4": %2. %3.%5%6
Continue reading „Details zum Ereignis mit ID 74 der Quelle Microsoft-Windows-CertificationAuthority“

Details of the event with ID 75 of the source Microsoft-Windows-CertificationAuthority

Event Source: Microsoft-Windows-CertificationAuthority
Event ID: 75 (0x4B)
Event log: Application
Event type: Error
Symbolic Name: MSG_E_DELTA_CRL_PUBLICATION_HOST_NAME
Event text (English): Active Directory Certificate Services could not publish a Delta CRL for key %1 to the following location on server %4: %2. %3.%5%6
Event text (German, translated): Failed to publish delta certificate revocation list for key %1 at the following location on server "%4": %2. %3.%5%6
Continue reading „Details zum Ereignis mit ID 75 der Quelle Microsoft-Windows-CertificationAuthority“

Details of the event with ID 65 of the source Microsoft-Windows-CertificationAuthority

Event Source: Microsoft-Windows-CertificationAuthority
Event ID: 65 (0x41)
Event log: Application
Event type: Error
Symbolic Name: MSG_E_BASE_CRL_PUBLICATION
Event text (English): Active Directory Certificate Services could not publish a Base CRL for key %1 to the following location: %2. %3.%5%6
Event text (German, translated): No base certificate revocation list could be published for the key %1 at the following location: %2. %3.%5%6
Continue reading „Details zum Ereignis mit ID 65 der Quelle Microsoft-Windows-CertificationAuthority“

Details of the event with ID 66 of the source Microsoft-Windows-CertificationAuthority

Event Source: Microsoft-Windows-CertificationAuthority
Event ID: 66 (0x42)
Event log: Application
Event type: Error
Symbolic Name: MSG_E_DELTA_CRL_PUBLICATION
Event text (English): Active Directory Certificate Services could not publish a Delta CRL for key %1 to the following location: %2. %3.%5%6
Event text (German, translated): Failed to publish delta certificate revocation list for key %1 at the following location: %2. %3.%5%6
Continue reading „Details zum Ereignis mit ID 66 der Quelle Microsoft-Windows-CertificationAuthority“