IIS accepting revoked certificates
Hi there, I have a Domain Controller (W2K3 R2 SP2) / Certificate Authority server called "AD" running IIS. If I create a website to require SSL and certificates, it all works fine. When I revoke the certificate, the user gets the expected error message. Now if I create a new web server (W2K3 or W2K8) and set it up to have a certificate from the AD with SSL and require certificate, it all works okay, but when I revoke the certificate the user still gets access to the website. I am using LDAP for the CDP/CRL, and when I test the certificate I can see the user certificate has been revoked. Originally I thought it might be a CRL caching issue, so after revoking the certificate I rebooted the server, decreased the delta CRL to 1 hour and reissued all the certificates, but it is still not working as expected. Does anyone have an Enterprise CA with a secondary web server working correctly with certificate revocation? I have spent the best part of a week on this rebuilding servers and testing configuration.

Regards,
Tim
December 6th, 2009 1:21am

Hi Tim, thank you for posting in the Windows Server forums. Can you please provide the error message which clients are getting when opening the website?
December 7th, 2009 4:26am

There is no error message; the problem is that the revoked certificate is accepted by the IIS server as valid. After more testing, it would seem certificate-based network authentication (IAS, 802.1X) all check the CRL from LDAP, whereas IIS seems to use a cached CRL approach. It loads the CRL and then this is not checked again unless it has expired and a new CRL is required. I have tested this by setting the Delta CRL to 30 minutes, and after this time my certificate no longer works. This is acceptable by the CryptoAPI as it is up to the application to determine whether to use a cached CRL or check for a fresh one. I can understand that with potentially 1,000s of web hits per second a cached CRL would be acceptable, but for small sites there should be the option to force a CRL check each time. Unless I am wrong I would consider this closed, but if I am wrong can someone please point me to the right documentation.

Cheers,
Tim Clarkson
December 7th, 2009 6:20am

Hi Tim, as far as I know, you're right. This problem is caused by the CRL caching. To increase performance, the CryptoAPI caches CRLs and certificates referenced in AIAs. The entries are cached in memory on a per-process basis. The chain engine does not purge its memory cache until the object expires, and there is no way to force the chain to flush its memory cache except to restart the host process. The benefit of caching CRLs locally is that CryptoAPI will always look for a cached copy first to avoid traversing the network, generating additional download traffic, and introducing latency in the revocation status checking. The disadvantage of local caching is that the client will not look for a new base CRL or delta CRL until the CRL has expired. Therefore, if a revocation has occurred on a CA and a new CRL is published, the client may not download the updated CRL due to having a time-valid locally cached copy. For more information, please refer to the section "CRL and AIA Caching" of the article below: Certificate Revocation and Status Checking http://technet.microsoft.com/en-us/library/bb457027.aspx Thanks. This posting is provided "AS IS" with no warranties, and confers no rights.
December 7th, 2009 12:21pm
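The cache behaviour described in the thread can be checked from the IIS host itself. The following is an added example, not from any poster, that uses certutil to compare the chain verdict from the cached CRL with one from a forced fresh download, then clears the on-disk URL cache and restarts IIS so the worker process drops its in-memory copy. The certificate path and the use of iisreset are assumptions; elevated PowerShell is required.

```powershell
# Added example: inspect and refresh CryptoAPI's CRL cache on the IIS server so a
# revoked client certificate stops being accepted. Assumes certutil.exe (built into
# Windows), the client certificate exported to the placeholder path below, and an
# elevated prompt.
param(
    [string]$CertPath = 'C:\temp\client.cer'   # placeholder: exported client certificate
)

# 1. Verdict using whatever CRL/AIA objects are already cached. This is the same view
#    the IIS worker process has, so a revoked cert may still show as valid here.
Write-Host '--- Verdict with cached CRL ---'
certutil.exe -verify $CertPath | Select-String 'revocation|revoked|Cert is'

# 2. List cached CRL entries and their retrieval times to see how stale they are.
Write-Host '--- Cached CRL entries ---'
certutil.exe -urlcache crl

# 3. Force retrieval from every CDP/AIA URL in the chain for this one check.
#    If this verdict says revoked while step 1 did not, the cause is a time-valid
#    cached CRL, exactly the case discussed above. -urlfetch does not alter what a
#    running w3wp.exe process holds in memory.
Write-Host '--- Verdict with forced URL fetch ---'
certutil.exe -verify -urlfetch $CertPath | Select-String 'revocation|revoked|Cert is'

# 4. Remove the on-disk cached CRLs, then restart IIS so the worker process rebuilds
#    its per-process memory cache from a freshly downloaded CRL. Restarting the host
#    process is the only way to flush the in-memory cache, as noted in the reply.
certutil.exe -urlcache crl delete
iisreset.exe /restart   # assumption: acceptable to restart all sites on this host
```

Run steps 1 to 3 before and after CRL publication to confirm the delay is the cached CRL's validity window rather than a CDP misconfiguration.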
