When issuing certificates for different services and/or users, it may be necessary to be able to revoke (invalidate) a certificate before its expiration date.
Revoking a certificate allows it to be invalidated before its expiration date.
Thus, if you know that a hacker has potentially been able to recover a certificate (as well as its private key) which was on a server or a computer, you have the possibility of revoking it so that it's no longer valid.
Thus, access to the service that was protected with this certificate will be completely blocked.
If it was a user certificate, the user will no longer be able to authenticate using this certificate.
When you revoke a certificate (from the "Certification Authority" console), the serial number of this certificate is added to a revocation list (CRL) or to a delta revocation list (delta CRL).
As you will see in this tutorial, revocation lists (CRLs and delta CRLs) are published periodically and you can also publish these manually if you wish.
By default, these revocation lists are published in the Active Directory and any server or computer member of your Active Directory domain can therefore access them (in the company) via the "ldap" protocol.
Note that the "Issue and Manage Certificates" permission is required to be able to revoke certificates.
To begin, an application may not function properly if revocation lists are not accessible.
Indeed, for security, the application chooses not to work to be sure that a revoked certificate can't be used (by a hacker, for example).
This is notably the case of Citrix XenApp.
This is rather rare, but it's possible that an application doesn't support revocation.
In other words, as long as the certificate is valid for the server, computer or user concerned, it will work. And if you revoke this certificate, the certificate will continue to be "valid" in this specific case since the application will not check if it has been revoked in the meantime.
This is notably the case of the EFS file system (Encrypting File System) which doesn't support revocation during file encryption.
However, revocation is checked by EFS when you attempt to share an encrypted file with other users.
If an application secured using one of your certificates can't access your certificate authority's revocation lists, it's possible that the application refuses to work in this specific case as a security measure.
Indeed, since the application is unable to verify whether or not this certificate has been revoked by your certification authority, it prefers to stop working to prevent you from connecting to a server compromised by a hacker (for example).
As explained previously, by default, these revocation lists are accessible via the "ldap" protocol (in other words : from your Active Directory infrastructure).
If you use a portable PC and leave the company with it, you will not be able to access these revocation lists via the "ldap" protocol.
To solve the problem, you will have to add the "HTTP" protocol with an address that is always accessible by your client computers for access to the revocation lists (CRL and CRL delta) of your certification authority.
As you will see in this tutorial, by default, revocation lists (CRLs) are published weekly and a delta revocation list (delta CRL) is published daily.
Which means that there will always be a delay between the moment you revoke a certificate and the moment when the serial number of this certificate appears in a revocation list (CRL) or a delta revocation list (delta CRL).
In addition, when a client workstation checks the revocation of a certificate, it downloads a copy of your revocation lists (CRL and CRL delta) and it keeps these copies in cache for a certain time (delay = at the frequency of publication of these revocation lists).
This means that there may also be a delay between the moment when the serial number of the revoked certificate has been added to a revocation list (CRL or CRL delta) and the moment when the client becomes aware of this revocation.
Note that you can force the revocation check by clearing the revocation cache of the client workstation by running the command :
Batch
certutil -setreg chain\ChainCacheResyncFiletime @now
The use of the client-side cache allows you not to saturate the bandwidth of your certification authority by avoiding re-downloading your revocation lists each time your client workstation must check the revocation of one of your certificates.
To start, we secured an IIS web server with a valid certificate from our certification authority.
To revoke a certificate, open the "Certification Authority" console, go to the "Issued Certificates" section and locate the desired certificate.
If needed, double click on it to get more information about it.
You can also check its serial number in the "Details" tab to be sure that it's the correct certificate.
Once you find the certificate you want to revoke, right click "All Tasks -> Revoke Certificate" on it.
In the "Certificate Revocation" window that appears, you can select a revocation reason :
For this tutorial, we will choose "Key Compromise" (for example).
You can also choose a date from which this certificate will be revoked.
Default : now.
The revoked certificate disappears from the list of issued certificates.
The revoked certificate will appear in the list of revoked certificates.
If you double click on it, you will be able to get information about it again.
You can also double-check its serial number if you wish.
Now that this certificate has been revoked, you must add its serial number to one of your revocation lists so that your client workstations can know that it has been revoked.
To do this, right-click "All Tasks -> Publish" on the "Revoked Certificates" folder.
Choose "New CRL" to publish a complete "CRL".
As you can see, you have the choice between :
To verify that the revoked certificate has been added to the certificate revocation list (CRL), right-click "Properties" on the "Revoked Certificates" folder.
In the "View CRLs" tab, you can see that a revocation list has just been published.
To obtain information about it, click on the "View CRL" button.
In the "Certificate Revocation List" window that appears, go to the "Revocation List" tab.
In this "Revocation List" tab, you will see the list of serial numbers of revoked certificates on your certification authority.
If you select a serial number from this list, you will be able to see when and why it was revoked.
In our case, we can see that we revoked this certificate for : Key compromised.
If you attempt to access the secure service using the certificate you have just revoked, an error will occur.
In our case, if we try to access our web server with Internet Explorer, the error "This organization's certificate has been revoked" appears and access to the desired website is completely blocked.
Indeed, as you can see, when a certificate is revoked, you can't ignore this security issue.
However, it's also possible that you still have access to this same service from other servers or client workstations.
Indeed, as explained above, clients keep a copy of your revocation lists in cache for a certain time (which corresponds to the frequency of publication of these).
When a client checks if one of your certificates has been revoked, he downloads a copy of your revocation lists (CRLs and CRL delta) and keeps them for a certain period of time.
To find out how long these copies will be kept in the cache of your client computer, open the "Certification Authority" console (on your CA server) and right-click "Properties" on the "Revoked Certificates" folder.
If you go to the "CRL Publishing Parameters" tab, you will be able to see how often :
On the client side, copies of these lists will be kept for the time indicated here for each of them.
To force a client-side revocation status update, clear your web browser's cache.
Erase everything.
Then, open a command prompt and force the update of the revocation cache of your computer or server by running the command :
Batch
certutil -setreg chain\ChainCacheResyncFiletime @now
Now, if you open your web browser again and attempt to re-access the secure website with a revoked certificate, you will see the "This organization's certificate has been revoked" error.
Articles 9/8/2023
Windows Server 12/15/2023
Windows Server 10/20/2023
Windows Server 9/15/2023
Pinned content
Contact
® InformatiWeb-Pro.net - InformatiWeb.net 2008-2022 - © Lionel Eppe - All rights reserved.
Total or partial reproduction of this site is prohibited and constitutes an infringement punishable by articles L.335-2 and following of the intellectual property Code.
You must be logged in to post a comment