Revocation Checking

The process of revocation invalidates a certificate before its end validity date using one of the revocation codes mentioned in the previous section. A Microsoft CA publishes certificate status information in the form of CRLs. Third party products use this information to provide revocation information in other formats such as OCSP, SCVP and XKMS.

Prior to checking the status of a certificate, client must first checks a certificate to ensure that is trusted and it is time valid. Every issued certificate has a defined period in which the issuing CA will vouch for the validity of the certificate. The validity period is defined using two fields within the issued certificate.

• NotBefore. This field defines the date and time on which the certificate's validity period begins.
• NotAfter. This field defines the last date on which the certificate is considered valid by the issuing CA. The NotAfter date will never be set to a date later than the NotAfter date defined in the issuing CA's certificate.

If CRL based status checking is used and the certificate is found to have a valid time, the presented certificate is examined to see if it contains a CRL Distribution Point (CDP) extension. The CDP extension indicates both the protocol that must be used to retrieve the CRL (HTTP, FTP, LDAP, or FILE) and the location where the CRL is stored (represented as a URL).

Using this information, CryptoAPI first searches the local certificate stores and the local cache for any CRL signed by the issuer (Certification Authority) of the certificate being validated. A cached version of a current CRL will always be used (as long as it is valid), rather than downloading the same CRL again. The following logic is used to evaluate the CRL:

• If a CRL is found, and the certificate's serial number is listed in this CRL then the certificate will be considered revoked.
• If the CRL is expired and the certificate is listed in the CRL with any reason other than certificate hold, the certificate will be considered to be revoked and no attempt to retrieve a new CRL will be performed.
• If the certificate is not listed in the CRL, or the revocation reason is certificate hold, then a new CRL will be retrieved from the URLs listed in the certificate's CDP. The new CRL is fetched only if it is past the NextUpdate field in the currently held CRL. The new CRL is checked to determine if the certificate is revoked. If the original reason was certificate hold, the CRL is checked to determine if the certificate is unrevoked by looking for the remove from CRL revocation code.
• If the CRL cannot be obtained, the client will generate a "Server offline" error.

Troubleshooting Certificate Status and Revocation
How to Publish the CRL on a Separate Web Server
CRL CDP publication

To publish the CRL

1. On the computer running AD CS, click Start, point to Administrative Tools, and then click Certification Authority.
2. In the console tree, double-click the CA name, right-click Revoked Certificates, point to All Tasks, and then click Publish.
3. If prompted, click New CRL, and then click OK.
4. Click Start, type \\IisServer\SharedFolder$, and then press ENTER.
5. In the SharedFolder$ window, you should see two CRL files named CAName and CAName+.