Revoke certificate
Hello, we are implementing user document signing certificates. A certificate was issued and installed to the user's personal certificates, then revoked, but the user can still sign and view documents with it. The certificate path looks valid. Thanks for any advice.
May 12th, 2011 4:51am

On Thu, 12 May 2011 08:45:50 +0000, Steysha wrote:

> Hello, we are implementing user document signing certificates. A certificate was issued and installed to the user's personal certificates, then revoked, but the user can still sign and view documents with it. The certificate path looks valid. Thanks for any advice.

I'm not sure what kind of advice you're looking for here. The signing operation itself doesn't do revocation checking so you're seeing the expected behaviour. If someone else were to view the signed document, the application being used to view the document should be doing revocation checking and will report that the signature is invalid.

Paul Adare
MVP - Identity Lifecycle Manager
http://www.identit.ca
An elephant is a mouse with an operating system.
May 12th, 2011 5:34am

Hello, thanks for your reply, but my problem is this: when I run "certutil -verify" I can see the certificate is revoked, but when I look at the installed user certificate (for example through the MMC Certificates snap-in) it looks valid and I can view the documents.
May 13th, 2011 3:10am

When you open a certificate from a file or from the Certificates MMC snap-in, no revocation check is performed. It just builds the certificate chain and nothing else.

My weblog: http://en-us.sysadmins.lv
PowerShell PKI Module: http://pspki.codeplex.com
May 13th, 2011 5:01am

Hm, thanks, that is useful information. But for signed documents there is a revocation check, and the signature still looks valid. Further research shows it is a cache issue. Manually deleting the CRL cache helps, but how can I check the frequency of cache cleaning, and can I change it in some way?
May 13th, 2011 9:55am

On Fri, 13 May 2011 13:55:05 +0000, Steysha wrote:

> But for signed documents there is a revocation check, and the signature still looks valid. Further research shows it is a cache issue. Manually deleting the CRL cache helps, but how can I check the frequency of cache cleaning, and can I change it in some way?

The only way to change the cache frequency is to change the publication period of the CRL.

Paul Adare
MVP - Identity Lifecycle Manager
http://www.identit.ca
In computer science, we stand on each other's feet. -- Brian Reid
May 13th, 2011 11:26am

Many thanks, I'll test it.)
May 16th, 2011 4:49am
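
An added example, not part of the original thread: the script below builds the chain for one certificate from the current user's Personal store three times, without revocation checking (what the replies say the Certificates snap-in does), against cached CRLs only, and with retrieval allowed, then lists the CRLs held in the URL cache. The thumbprint is a placeholder and `Test-CertChain` is a hypothetical helper name.

```powershell
# Added example. Replace the placeholder with the thumbprint of the
# certificate under test (no value is given in the thread).
$Thumbprint = '<THUMBPRINT-OF-CERT-UNDER-TEST>'

function Test-CertChain {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]$Mode
    )
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = $Mode
    $chain.ChainPolicy.RevocationFlag =
        [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $valid = $chain.Build($Cert)
    # Collect every status flag reported for the chain (e.g. Revoked,
    # RevocationStatusUnknown, OfflineRevocation).
    $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    [pscustomobject]@{
        RevocationMode = $Mode
        ChainValid     = $valid
        ChainStatus    = if ($status) { $status } else { 'NoError' }
    }
}

$cert = Get-Item -Path "Cert:\CurrentUser\My\$Thumbprint"

# NoCheck : chain building only, no revocation check
# Offline : revocation checked against cached CRLs only
# Online  : revocation checked, CRL may be retrieved from the network
foreach ($mode in 'NoCheck', 'Offline', 'Online') {
    Test-CertChain -Cert $cert -Mode $mode
}

# List the CRLs currently held in the per-user URL cache.
certutil -urlcache CRL

# Remove cached CRLs so the next check has to fetch a current one
# (the manual cache deletion mentioned in the thread).
# certutil -urlcache CRL delete
```

A result of `ChainValid = True` under `NoCheck` next to `Revoked` under the other modes reproduces the difference between the snap-in view and `certutil -verify` described in the thread.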
