PKI Revocation not working

I have set up a PKI.

The basic setup is like this:
First: Root CA
Second: Enterprise CA

In the enterprise CA there is a template to issue client computers with a USER certificate.

Users use the web server to request a template. To cut it short, everything is working fine. The only problem I am facing is when I revoke a user certificate for a client computer: it still shows OK on the client computer.

On the server side there is no problem. This does not work even when I manually install the new CRL and delta CRL.

There is no visible problem in PKIVIEW.

When I go to the client computer and run certmgr.msc, everything seen there is fine. Any idea what the possible cause could be?
The client computer is getting the revocation information but is actually not revoking it.

July 30th, 2015 10:10am

When you revoked the certificate, did you then manually publish a new CRL? If you just right-clicked and chose Revoke, it won't go into the CRL until the next publication period.

Secondly, computers cache revocation information, so even if you do manually publish the CRL, if a computer has previously looked at and retrieved the CRL, it will cache it and not look for a new one until the next interval is up. So it could take a bit before a computer would see it - that is normal for PKI.

If your intent is to stop a computer from being able to authenticate and you revoke the certificate, you should also disable the computer object in AD. That is immediate and, even though the certificate is still valid, if your access control system (VPN, Wi-Fi, etc.) is looking at AD for authentication, it will see the disabled computer and prevent the connection.

July 30th, 2015 1:46pm
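A small model of the two delays described in the reply above (a revocation is not in any CRL until the next scheduled or manual publication, and a client keeps using its cached CRL until that CRL's nextUpdate). This is an added example, not part of the thread; the schedule values are constructed, the function names are this example's own, and the cache flush referred to in the comment is the certutil setreg chain\ChainCacheResyncFiletime @now command quoted later in this thread.

```python
"""Simplified model of CRL publication delay plus client-side CRL caching.
Added example; the schedule below is constructed, not taken from the thread."""
from datetime import datetime, timedelta
from typing import Optional


def next_publication(revoked_at: datetime, first_published: datetime,
                     interval: timedelta) -> datetime:
    """First scheduled CRL publication at or after revoked_at."""
    if revoked_at <= first_published:
        return first_published
    whole = (revoked_at - first_published) // interval      # full intervals already elapsed
    candidate = first_published + whole * interval
    return candidate if candidate >= revoked_at else candidate + interval


def client_sees_revocation(revoked_at: datetime,
                           base_first: datetime, base_interval: timedelta,
                           delta_first: datetime, delta_interval: timedelta,
                           cached_until: Optional[datetime],
                           manual_publish: bool = False) -> datetime:
    """Earliest moment a client treats the certificate as revoked.

    cached_until   nextUpdate of the CRL already in the client's cache, or None if the
                   cache was flushed (certutil setreg chain\\ChainCacheResyncFiletime @now)
    manual_publish True if the operator published a CRL right after revoking
    """
    if manual_publish:
        crl_available = revoked_at
    else:   # whichever of the base or delta CRL is scheduled first carries the entry
        crl_available = min(next_publication(revoked_at, base_first, base_interval),
                            next_publication(revoked_at, delta_first, delta_interval))
    if cached_until is None:
        return crl_available
    return max(crl_available, cached_until)   # no refetch while the cached CRL is valid


# Constructed scenario: weekly base CRL, 3-day delta CRL, revocation on a Thursday morning,
# client holding a delta CRL that is valid until Sunday noon.
REVOKED_AT = datetime(2015, 7, 30, 10, 10)
BASE_FIRST, BASE_INTERVAL = datetime(2015, 7, 27), timedelta(days=7)
DELTA_FIRST, DELTA_INTERVAL = datetime(2015, 7, 27), timedelta(days=3)
CACHED_UNTIL = datetime(2015, 8, 2, 12, 0)


def scenarios() -> dict:
    args = (REVOKED_AT, BASE_FIRST, BASE_INTERVAL, DELTA_FIRST, DELTA_INTERVAL)
    return {
        "scheduled": client_sees_revocation(*args, CACHED_UNTIL),
        "manual_publish_only": client_sees_revocation(*args, CACHED_UNTIL, manual_publish=True),
        "manual_publish_and_flush": client_sees_revocation(*args, None, manual_publish=True),
    }


if __name__ == "__main__":
    for name, when in scenarios().items():
        print(f"{name:26s} client sees revocation at {when:%Y-%m-%d %H:%M}")
```

The middle scenario is the one this thread runs into: publishing a CRL by hand moves the entry into a CRL immediately, but a client that still holds a valid cached CRL does not ask for the new one until that cached copy expires, so publishing and flushing the client cache have to go together.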

Yes, I have manually published the CRL and delta CRL with the commands.

The certificates are not being revoked even after weeks; the CRL time was set to 1 week and the delta CRL to 3 days.

I have reduced the delta CRL time to 12 hours for testing purposes but no luck. I cleared the cache through the certutil command many times.
On the client computer whose certificate I have revoked, if I go to certmgr.msc under Intermediate Certification Authorities > Certificate Revocation List folder > Certificate Revocation List, the information about the revoked certificates can be seen, but it is just not revoking the actual certificate.

July 31st, 2015 7:07am

I have run this command on the client machine whose certificate should be revoked:

Certutil -f -urlfetch -verify clientcertifiate.cer (I have revoked this certificate)

Issuer:
    CN=MYCOMANY Limited Issuing CA
    O=MYCOMANY Limited
    C=PK
Subject:
    E=xxxearn@yahoo.com
    CN=PKI TEST
    DC=MYCOMANY
    DC=com
Cert Serial Number: 14181ca60000000000ca

dwFlags = CA_VERIFY_FLAGS_ALLOW_UNTRUSTED_ROOT (0x1)
dwFlags = CA_VERIFY_FLAGS_IGNORE_OFFLINE (0x2)
dwFlags = CA_VERIFY_FLAGS_FULL_CHAIN_REVOCATION (0x8)
dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN (0x20000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)

SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)

CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=40
  Issuer: CN=MYCOMANY Limited Issuing CA, O=MYCOMANY Limited, C=PK
  NotBefore: 7/31/2015 12:11 PM
  NotAfter: 7/30/2017 12:11 PM
  Subject: E=xxxearn@yahoo.com, CN=PKI TEST, DC=MYCOMANY, DC=com
  Serial: 14181ca60000000000ca
  SubjectAltName: Other Name:Principal Name=PKITEST@mycomany.com, RFC822 Name=xxxearn@yahoo.com
  Template: MYCOMANY Limited Users
  20 32 72 42 9a ce cc 5a f1 a6 f7 05 b9 5e 7d c3 27 d7 af 7c
  Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  Element.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
  ----------------  Certificate AIA  ----------------
  Verified "Certificate (0)" Time: 0
    [0.0] ldap:///CN=MY%20Comany%20Limited%20Issuing%20CA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=mycomany,DC=com?cACertificate?base?objectClass=certificationAuthority

  Failed "AIA" Time: 0
    Error retrieving URL: The server name or address could not be resolved 0x80072ee7 (WIN32: 12007)
    http://www.mycomany.com/CertData/CA-ENT.mycomany.com_MY%20Comany%20Limited%20Issuing%20CA.crt

  Verified "Certificate (0)" Time: 0
    [2.0] http://ca-ent.mycomany.com/CertEnroll/CA-ENT.mycomany.com_MY%20Comany%20Limited%20Issuing%20CA.crt

  ----------------  Certificate CDP  ----------------
  No URLs "None" Time: 0
  ----------------  Certificate OCSP  ----------------
  No URLs "None" Time: 0
  --------------------------------
  Application[0] = 1.3.6.1.5.5.7.3.2 Client Authentication
  Application[1] = 1.3.6.1.5.5.7.3.4 Secure Email
  Application[2] = 1.3.6.1.4.1.311.10.3.4 Encrypting File System

CertContext[0][1]: dwInfoStatus=102 dwErrorStatus=0
  Issuer: CN=MYCOMPANY Limited root CA, O=MYCOMPANY Limited, C=PK
  NotBefore: 6/2/2015 3:14 PM
  NotAfter: 6/2/2025 3:24 PM
  Subject: CN=MYCOMANY Limited Issuing CA, O=MYCOMANY Limited , C=PK
  Serial: 61a5c82f000000000002
  Template: SubCA
  27 dd 31 af f3 a3 7e 8f d4 ae 1c 79 a3 5f 74 10 26 be a0 65
  Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  ----------------  Certificate AIA  ----------------
  Verified "Certificate (0)" Time: 0
    [0.0] ldap:///CN=MY%20COMPANY%20Limited%20ROOT%20CA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=mycomany,DC=com?cACertificate?base?objectClass=certificationAuthority

  Failed "AIA" Time: 0
    Error retrieving URL: The server name or address could not be resolved 0x80072ee7 (WIN32: 12007)
    http://www.mycompany.com/CertData/CA-ROOT_MY%20comany%20Limited%20ROOT%20CA.crt

  ----------------  Certificate CDP  ----------------
  Verified "Base CRL (02)" Time: 0
    [0.0] ldap:///CN=MY%20Comany%20Limited%20ROOT%20CA,CN=CA-ROOT,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=mycompany,DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint

  Failed "CDP" Time: 0
    Error retrieving URL: The server name or address could not be resolved 0x80072ee7 (WIN32: 12007)
    http://www.mycompany.com/Certdata/MY%20COMPANY%20Limited%20ROOT%20CA.crl

  ----------------  Base CRL CDP  ----------------
  No URLs "None" Time: 0
  ----------------  Certificate OCSP  ----------------
  No URLs "None" Time: 0
  --------------------------------
    CRL 02:
    Issuer: CN=My Comany Limited ROOT CA, O=MYCOMANY Limited, C=PK
    32 5a f5 31 e5 fc 75 5d 7f e4 bd b6 d2 22 86 9b 7d 49 87 e6

CertContext[0][2]: dwInfoStatus=10c dwErrorStatus=0
  Issuer: CN=My Comany Limited ROOT CA, O=My Comany Limited, C=PK
  NotBefore: 6/2/2015 12:20 PM
  NotAfter: 6/2/2035 12:30 PM
  Subject: CN=MY COMANY Limited ROOT CA, O=MY COMANY Limited, C=PK
  Serial: 534305db3c05a4a44ade330af75e9bfd
  1b d1 e9 9d 63 5a 77 9f 6b ed ba a4 53 ae 9d 3e e7 13 0f 80
  Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
  Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  ----------------  Certificate AIA  ----------------
  No URLs "None" Time: 0
  ----------------  Certificate CDP  ----------------
  No URLs "None" Time: 0
  ----------------  Certificate OCSP  ----------------
  No URLs "None" Time: 0
  --------------------------------
  Issuance[0] = 1.3.6.1.4.1.45904.509.3.1 

Exclude leaf cert:
  36 c9 02 0c 21 61 74 ca 68 f2 d3 69 63 1b 7a e0 b8 64 55 ae
Full chain:
  c1 6e c7 1e 97 82 e7 bf 23 fa e4 14 5a cc 8f e5 21 28 08 65
------------------------------------
Verified Issuance Policies: None
Verified Application Policies:
    1.3.6.1.5.5.7.3.2 Client Authentication
    1.3.6.1.5.5.7.3.4 Secure Email
    1.3.6.1.4.1.311.10.3.4 Encrypting File System
Cannot check leaf certificate revocation status
CertUtil: -verify command completed successfully.


July 31st, 2015 7:49am

Your issuing CA has no revocation information configured or stamped into certificates you are issuing. Additionally, the CDP location defined by the root and stamped into the Issuing CA's certificate is invalid (http://www.mycompany.com/Certdata/MY%20COMPANY%20Limited%20ROOT%20CA.crl) - appears to be a name resolution issue. Revocation will never work in the environment unless you manually copy the revocation information to each computer and manually import it. You will need to reconfigure your CAs, reissue all the subordinate CAs and reissue client certificates.

  ----------------  Certificate CDP  ----------------
  No URLs "None" Time: 0

August 2nd, 2015 2:14pm

Thanks for your reply, it's really helpful.

The only thing is, if I do it manually and install the latest CRL, it still did not work.


August 3rd, 2015 4:18am

The information present on the client computer:

[screenshot]

In the above, the serial number is the same as the revoked certificate which is issued to the same client computer. The client computer is getting the information???

August 3rd, 2015 4:27am

The issue is that your client certificate has NO CDP extension in it, so it is un-revocable. You need to correctly define the CDP extension on your Issuing CA and then reissue this client certificate.
August 3rd, 2015 9:56pm
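The two replies above are read straight off the certutil transcript: the leaf's "Certificate CDP" section says No URLs, and the HTTP AIA/CDP locations fail with a name resolution error. The following Python script, added here as an example and not code from the thread or from certutil, parses the console output of Certutil -f -urlfetch -verify and reports exactly those three things: whether the leaf certificate carries any CDP or OCSP URL at all, which URLs the client could not retrieve and with what error, and certutil's final verdict. The two transcripts embedded in it are constructed, trimmed versions of the outputs posted in this thread with the names replaced by example.com; parse_certutil_verify and diagnose are this example's own names.

```python
"""Parse 'Certutil -f -urlfetch -verify <cert>.cer' output and explain why revocation checking
worked or not. Added example; transcripts below are constructed (trimmed, names replaced)."""
import re
from dataclasses import dataclass

CONTEXT_RE = re.compile(r"^CertContext\[\d+\]\[(\d+)\]: dwInfoStatus=[0-9a-f]+ dwErrorStatus=([0-9a-f]+)")
SECTION_RE = re.compile(r"^\s*-{3,}\s+(Certificate AIA|Certificate CDP|Base CRL CDP|Certificate OCSP)\s+-{3,}")
RESULT_RE = re.compile(r'^\s*(Verified|OK|Failed|Expired|Old Base CRL|No URLs)\s+"[^"]*"\s+Time: \d+')
ERROR_RE = re.compile(r"^\s*Error retrieving URL: (.+)$")
URL_RE = re.compile(r"^\s*(?:\[[\d.]+\]\s+)?((?:https?|ldap|file):\S+)")
VERDICTS = {"Leaf certificate is REVOKED": "REVOKED",
            "Cannot check leaf certificate revocation status": "UNKNOWN",
            "Leaf certificate revocation check passed": "OK"}


@dataclass
class Fetch:
    element: int      # chain position: 0 = leaf, highest = root
    section: str      # Certificate AIA / Certificate CDP / Base CRL CDP / Certificate OCSP
    status: str       # Verified / OK / Failed / Expired / Old Base CRL / No URLs
    url: str = ""
    error: str = ""


def parse_certutil_verify(text: str):
    """Return (fetch attempts, dwErrorStatus per chain element, overall verdict)."""
    fetches, errors = [], {}
    element = section = fetch = None
    for line in text.splitlines():
        if line.startswith("Exclude leaf cert:"):       # chain dump is over; summary follows
            element = section = fetch = None
        if (m := CONTEXT_RE.match(line)):
            element, section, fetch = int(m.group(1)), None, None
            errors[element] = int(m.group(2), 16)       # 0x40 = status unknown, 0x4 = revoked
        elif (m := SECTION_RE.match(line)):
            section, fetch = m.group(1), None
        elif element is None or section is None:
            continue
        elif (m := RESULT_RE.match(line)):
            fetch = Fetch(element, section, m.group(1))
            fetches.append(fetch)
        elif (m := ERROR_RE.match(line)) and fetch is not None:
            fetch.error = m.group(1)
        elif (m := URL_RE.match(line)) and fetch is not None and not fetch.url:
            fetch.url = m.group(1)
    verdict = next((v for marker, v in VERDICTS.items() if marker in text), "NOT FOUND")
    return fetches, errors, verdict


def diagnose(text: str) -> dict:
    fetches, errors, verdict = parse_certutil_verify(text)
    # A leaf that carries no CDP or OCSP URL can never be seen as revoked by any client.
    leaf_revocable = any(f.element == 0 and f.section in ("Certificate CDP", "Certificate OCSP")
                         and f.status != "No URLs" for f in fetches)
    failed = [f for f in fetches if f.status == "Failed"]
    findings = [] if leaf_revocable else ["leaf certificate has no CDP/OCSP URLs: define the CDP "
                                          "extension on the issuing CA and reissue the certificate"]
    findings += [f"element {f.element} {f.section}: {f.url} failed ({f.error})" for f in failed]
    return {"verdict": verdict, "leaf_error_status": errors.get(0, 0),
            "leaf_revocable": leaf_revocable,
            "failed_urls": [f.url for f in failed], "findings": findings}


# Constructed transcript 1: leaf without CDP, HTTP CDP of the issuing CA does not resolve.
SAMPLE_NO_CDP = """\
CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=40
  ----------------  Certificate CDP  ----------------
  No URLs "None" Time: 0
  ----------------  Certificate OCSP  ----------------
  No URLs "None" Time: 0
CertContext[0][1]: dwInfoStatus=102 dwErrorStatus=0
  ----------------  Certificate CDP  ----------------
  Verified "Base CRL (02)" Time: 0
    [0.0] ldap:///CN=Example%20Root%20CA,CN=CDP,DC=example,DC=com?certificateRevocationList?base
  Failed "CDP" Time: 0
    Error retrieving URL: The server name or address could not be resolved 0x80072ee7 (WIN32: 12007)
    http://www.example.com/Certdata/Example%20Root%20CA.crl
Exclude leaf cert:
Cannot check leaf certificate revocation status
"""
# Constructed transcript 2: leaf with a CDP; LDAP CRL fetched, HTTP copy returns an error.
SAMPLE_REVOKED = """\
CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=4
  ----------------  Certificate CDP  ----------------
  Verified "Base CRL (031d)" Time: 0
    [0.0] ldap:///CN=Example%20Issuing%20CA,CN=CDP,DC=example,DC=com?certificateRevocationList?base
  Failed "CDP" Time: 0
    Error retrieving URL: Error 0x80190194 (-2145844844)
    [0.1.0] http://www.example.com/CertData/Example%20Issuing%20CA.crl
  ----------------  Certificate OCSP  ----------------
  No URLs "None" Time: 0
Exclude leaf cert:
Leaf certificate is REVOKED (Reason=0)
"""

if __name__ == "__main__":
    for name, sample in (("no CDP", SAMPLE_NO_CDP), ("with CDP", SAMPLE_REVOKED)):
        print(name, diagnose(sample))
```

Run it against a saved transcript (python script.py, or import diagnose and pass the file contents) on each client that misbehaves: a leaf_revocable of False is the "un-revocable certificate" case from the reply above and needs a CA fix plus reissue, while a non-empty failed_urls list with a REVOKED or OK verdict only means a secondary HTTP location is unreachable (the LDAP copy is doing the work), which is the state the later transcript in this thread is in.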

Thanks, you are right; however, as I am doing a lot of testing, something went wrong earlier. Please see the recent certificate information: it has a CDP location in it. Plus, the certificate is getting the revoked information.

---------------------------------------------------------------------------------------------------------------------

Issuer:
    CN=   Issuing CA
    O=  
    C=PK
Subject:
    E=sxxx@yahoo.com
    CN=PKI TEST
    DC=n
    DC=com
Cert Serial Number: 613ca6cb000000223d6

dwFlags = CA_VERIFY_FLAGS_ALLOW_UNTRUSTED_ROOT (0x1)
dwFlags = CA_VERIFY_FLAGS_IGNORE_OFFLINE (0x2)
dwFlags = CA_VERIFY_FLAGS_FULL_CHAIN_REVOCATION (0x8)
dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN (0x20000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwErrorStatus = CERT_TRUST_IS_REVOKED (0x4)

SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwErrorStatus = CERT_TRUST_IS_REVOKED (0x4)

CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=4
  Issuer: CN=   Issuing CA, O=  , C=PK
  NotBefore: 8/3/2015 4:07 PM
  NotAfter: 8/2/2017 4:07 PM
  Subject: E=salmanearn@yahoo.com, CN=PKI TEST, DC=n, DC=com
  Serial: 613ca6cb0000000000d6
  SubjectAltName: Other Name:Principal Name=PKITEST@n.com, RFC822 Name=salmanearn@yahoo.com
  Template:    Users
  7c 8c 0e 71 92 9b 0d 41 96 a2 0a 5f 7b fd e6 30 50 5a 37 2d
  Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  Element.dwErrorStatus = CERT_TRUST_IS_REVOKED (0x4)
  ----------------  Certificate AIA  ----------------
  Verified "Certificate (0)" Time: 0
    [0.0] ldap:///CN=%20%20%20Issuing%20CA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=n,DC=com?cACertificate?base?objectClass=certificationAuthority

  Failed "AIA" Time: 0
    Error retrieving URL: Error 0x80190194 (-2145844844)
    http://www.n.com/CertData/CA-ENT.n.com_%20%20%20Issuing%20CA.crt

  Failed "AIA" Time: 0
    Error retrieving URL: Error 0x801901f8 (-2145844744)
    http://ca-ent.n.com/CertEnroll/CA-ENT.n.com_%20%20%20Issuing%20CA.crt

  ----------------  Certificate CDP  ----------------
  Verified "Base CRL (031d)" Time: 0
    [0.0] ldap:///CN=%20%20%20Issuing%20CA,CN=CA-ENT,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=n,DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint

  Old Base CRL "Delta CRL (031d)" Time: 0
    [0.0.0] ldap:///CN=%20%20%20Issuing%20CA,CN=CA-ENT,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=n,DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint

  Failed "CDP" Time: 0
    Error retrieving URL: Error 0x80190194 (-2145844844)
    [0.1.0] http://www.n.com/CertData/%20%20%20Issuing%20CA+.crl

  Failed "CDP" Time: 0
    Error retrieving URL: Error 0x801901f8 (-2145844744)
    [0.2.0] http://ca-ent.n.com/CertEnroll/revoke+.crl

  Failed "CDP" Time: 0
    Error retrieving URL: Error 0x80190194 (-2145844844)
    http://www.n.com/CertData/%20%20%20Issuing%20CA.crl

  Failed "CDP" Time: 0
    Error retrieving URL: Error 0x801901f8 (-2145844744)
    http://ca-ent.n.com/CertEnroll/revoke.crl

  ----------------  Base CRL CDP  ----------------
  OK "Base CRL (031d)" Time: 0
    [0.0] ldap:///CN=%20%20%20Issuing%20CA,CN=CA-ENT,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=n,DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint

  Old Base CRL "Delta CRL (031d)" Time: 0
    [0.0.0] ldap:///CN=%20%20%20Issuing%20CA,CN=CA-ENT,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=n,DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint

  Failed "CDP" Time: 0
    Error retrieving URL: Error 0x80190194 (-2145844844)
    [0.1.0] http://www.n.com/CertData/%20%20%20Issuing%20CA+.crl

  Failed "CDP" Time: 0
    Error retrieving URL: Error 0x801901f8 (-2145844744)
    [0.2.0] http://ca-ent.n.com/CertEnroll/revoke+.crl

  Failed "CDP" Time: 0
    Error retrieving URL: Error 0x80190194 (-2145844844)
    http://www.n.com/CertData/%20%20%20Issuing%20CA+.crl

  Failed "CDP" Time: 0
    Error retrieving URL: Error 0x801901f8 (-2145844744)
    http://ca-ent.n.com/CertEnroll/revoke+.crl

  ----------------  Certificate OCSP  ----------------
  No URLs "None" Time: 0
  --------------------------------
    CRL 031d:
    Issuer: CN=   Issuing CA, O=  , C=PK
    81 06 49 ab b6 b1 e9 5b 8f 78 7b 63 9b 97 df 9e 61 44 af 56
  Application[0] = 1.3.6.1.5.5.7.3.2 Client Authentication
  Application[1] = 1.3.6.1.5.5.7.3.4 Secure Email
  Application[2] = 1.3.6.1.4.1.311.10.3.4 Encrypting File System

CertContext[0][1]: dwInfoStatus=102 dwErrorStatus=0
  Issuer: CN=   ROOT CA, O=  , C=PK
  NotBefore: 6/2/2015 3:14 PM
  NotAfter: 6/2/2025 3:24 PM
  Subject: CN=   Issuing CA, O=  , C=PK
  Serial: 61a5c82f000000000002
  Template: SubCA
  27 dd 31 af f3 a3 7e 8f d4 ae 1c 79 a3 5f 74 10 26 be a0 65
  Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  ----------------  Certificate AIA  ----------------
  Verified "Certificate (0)" Time: 0
    [0.0] ldap:///CN=%20%20%20ROOT%20CA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=n,DC=com?cACertificate?base?objectClass=certificationAuthority

  Failed "AIA" Time: 0
    Error retrieving URL: Error 0x80190194 (-2145844844)
    http://www.n.com/CertData/CA-ROOT_%20%20%20ROOT%20CA.crt

  ----------------  Certificate CDP  ----------------
  Verified "Base CRL (02)" Time: 0
    [0.0] ldap:///CN=%20%20%20ROOT%20CA,CN=CA-ROOT,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=n,DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint

  Failed "CDP" Time: 0
    Error retrieving URL: Error 0x80190194 (-2145844844)
    http://www.n.com/Certdata/%20%20%20ROOT%20CA.crl

  ----------------  Base CRL CDP  ----------------
  No URLs "None" Time: 0
  ----------------  Certificate OCSP  ----------------
  No URLs "None" Time: 0
  --------------------------------
    CRL 02:
    Issuer: CN=   ROOT CA, O=  , C=PK
    32 5a f5 31 e5 fc 75 5d 7f e4 bd b6 d2 22 86 9b 7d 49 87 e6

CertContext[0][2]: dwInfoStatus=10c dwErrorStatus=0
  Issuer: CN=   ROOT CA, O=  , C=PK
  NotBefore: 6/2/2015 12:20 PM
  NotAfter: 6/2/2035 12:30 PM
  Subject: CN=   ROOT CA, O=  , C=PK
  Serial: 534305db3c05a4a44ade330af75e9bfd
  1b d1 e9 9d 63 5a 77 9f 6b ed ba a4 53 ae 9d 3e e7 13 0f 80
  Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
  Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  ----------------  Certificate AIA  ----------------
  No URLs "None" Time: 0
  ----------------  Certificate CDP  ----------------
  No URLs "None" Time: 0
  ----------------  Certificate OCSP  ----------------
  No URLs "None" Time: 0
  --------------------------------
  Issuance[0] = 1.3.6.1.4.1.45904.509.3.1 

Exclude leaf cert:
  a1 4e 11 0e bf 0f aa 0c 92 31 4c fd eb 5a 64 98 9b d7 9f 7e
Full chain:
  d1 07 5b 25 5b f2 df c0 09 97 8a 66 6d 83 15 54 2b 46 92 0d
  Issuer: CN=   Issuing CA, O=  , C=PK
  NotBefore: 8/3/2015 4:07 PM
  NotAfter: 8/2/2017 4:07 PM
  Subject: E=sxxxarn@yahoo.com, CN=PKI TEST, DC=n, DC=com
  Serial: 613ca6cb0000000000d6
  SubjectAltName: Other Name:Principal Name=PKITEST@n.com, RFC822 Name=xxn@yahoo.com
  Template:    Users
  7c 8c 0e 71 92 9b 0d 41 96 a2 0a 5f 7b fd e6 30 50 5a 37 2d
The certificate is revoked. 0x80092010 (-2146885616)
------------------------------------
Certificate is REVOKED
Leaf certificate is REVOKED (Reason=0)
CertUtil: -verify command completed successfully.

August 4th, 2015 7:36am

We are using these certificates for digital signatures as well, using Adobe to sign the document. I have manually deleted the certificate from the following folder.

After deleting the certificate from the above folder, Adobe is doing the desired function :). Also want to add that I only deleted the certificate manually, but the new CRL was loaded automatically in the Adobe CRL cache folder.

Unfortunately, after doing this there is one thing: the actual certificate is still showing valid in the certmgr.msc Personal folder. The certificate is valid out there.

I have a feeling I'm close, but it's still not over until it's over.

Thanks

August 4th, 2015 7:49am

Thanks for sharing the screenshot. That appears to be an Adobe CRL cache, so you would need to talk with Adobe about how their CRL cache is maintained. Windows sees the certificate as revoked, but they appear to be doing their own revocation checking and/or CRL caching.
August 4th, 2015 10:02am

Thanks for your feedback. However, I think you misunderstood that. I have sorted the Adobe problem.

But on the Windows client computer the client certificate is still showing valid, even though when I run

Certutil -f -urlfetch -verify clientcertifiate.cer

the result is showing revoked. Confusion :). I

August 5th, 2015 1:31am

Where in the UI are you still seeing it is valid? The certutil -urlfetch will check the latest published CRL, and it's possible there is still an older, yet valid, CRL on the client. You can run the following command to invalidate all cached CRLs in the OS and see if the UI reflects the correct state.

certutil setreg chain\ChainCacheResyncFiletime @now

August 5th, 2015 6:53pm

Thanks a lot for the replies.

On the client computer, when I run

certmgr.msc

in the Personal folder, the client certificate is present there.

When I open this client certificate (double-click), the client certificate is still showing valid. I feel it should be showing a red mark :)

[screenshot]

August 6th, 2015 5:13am

certmgr.msc does not show revocation status when you view a certificate. Never has in the past, probably never will in the future. If it shows as revoked when you run Certutil -f -urlfetch -verify clientcertifiate.cer, then the cert is revoked.

Brian

August 6th, 2015 8:54am

Brian, thanks a load for taking me this far. It's working fine now :)

August 7th, 2015 2:06am
