Revoke certificate
Hello, we are implementing user certificates for signing documents. A certificate was issued and installed into the user's personal certificates, then revoked, but the user can still sign and view documents with it. The certificate path looks valid.
Thanks for any advice.
May 12th, 2011 4:51am
On Thu, 12 May 2011 08:45:50 +0000, Steysha wrote:
Hello, we are implementing user certificates for signing documents. A certificate was issued and installed into the user's personal certificates, then revoked, but the user can still sign and view documents with it. The certificate path looks valid.
Thanks for any advice.
I'm not sure what kind of advice you're looking for here. The signing
operation itself doesn't do revocation checking so you're seeing the
expected behaviour. If someone else were to view the signed document, the
application being used to view the document should be doing revocation
checking and will report that the signature is invalid.
Paul Adare
MVP - Identity Lifecycle Manager
http://www.identit.ca
An elephant is a mouse with an operating system.
May 12th, 2011 5:34am
Hello, thanks for your reply, but my problem is this: when I run "certutil -verify" I can see that the certificate is revoked, but when I look at the installed user certificate (for example through the MMC Certificates snap-in) it looks valid, and I can view the documents.
May 13th, 2011 3:10am
When you open a certificate from a file or from the Certificates MMC snap-in, no revocation check is performed. It just builds the certificate chain and nothing else.
My weblog: http://en-us.sysadmins.lv
PowerShell PKI Module: http://pspki.codeplex.com
May 13th, 2011 5:01am
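The difference between what the snap-in shows and what "certutil -verify" reports comes down to whether the chain is built with revocation checking. The following PowerShell is an added example, not code from the thread or from either poster; it builds the chain for a certificate in the current user's Personal store twice, once with revocation checking disabled (what the snap-in's view effectively does) and once with it enabled. The thumbprint is a placeholder you must replace.

```powershell
# Added example: build the chain with and without revocation checking.
# Assumes the signing certificate is in Cert:\CurrentUser\My and that the
# issuing CA's CDP is reachable (or its CRL is already in the CryptoAPI cache).
param(
    [string]$Thumbprint = 'REPLACE-WITH-THE-CERT-THUMBPRINT'   # placeholder
)

function Test-ChainWithRevocation {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]$Mode
    )
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = $Mode
    # Check every certificate in the chain except the self-signed root
    $chain.ChainPolicy.RevocationFlag =
        [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::ExcludeRoot
    # No relaxations: unknown revocation status counts as a failure
    $chain.ChainPolicy.VerificationFlags =
        [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::NoFlag

    $built = $chain.Build($Cert)
    [pscustomobject]@{
        RevocationMode = $Mode
        ChainBuilt     = $built
        ChainStatus    = if ($chain.ChainStatus) {
                             ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
                         } else { 'NoError' }
    }
}

$cert = Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) { throw "Certificate $Thumbprint not found in Cert:\CurrentUser\My" }

# NoCheck: chain builds and reports NoError even for a revoked certificate.
# This is the view the Certificates snap-in gives you.
Test-ChainWithRevocation -Cert $cert -Mode NoCheck

# Online: the chain engine consults the CRL (cached copy first, then the CDP).
# A revoked certificate shows ChainBuilt = False and ChainStatus = Revoked.
Test-ChainWithRevocation -Cert $cert -Mode Online
```

Note that the Online build still goes through the Windows CryptoAPI CRL cache, so a CRL that was cached before the revocation and has not yet reached its Next Update will make this report the certificate as valid, exactly as the original poster later observed. "certutil -verify -urlfetch .\user.cer" is the command-line equivalent of the Online case and prints the revocation result per certificate in the chain.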
Hm, thanks, it is useful information.
But for signed documents there is a revocation check, yet the signature looks valid. Actually, further research shows it is a cache issue, so manually deleting the CRL cache helps, but how can I check the frequency of cache cleaning, and can I change it in some way?
May 13th, 2011 9:55am
On Fri, 13 May 2011 13:55:05 +0000, Steysha wrote:
But for signed documents there is a revocation check, yet the signature looks valid. Actually, further research shows it is a cache issue, so manually deleting the CRL cache helps, but how can I check the frequency of cache cleaning, and can I change it in some way?
The only way to change the cache frequency is to change the publication
period of the CRL.
Paul Adare
MVP - Identity Lifecycle Manager
http://www.identit.ca
In computer science, we stand on each other's feet. -- Brian Reid
May 13th, 2011 11:26am
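Windows keeps a cached CRL until the "Next Update" time stamped inside it, so the cache lifetime is whatever the CA's CRL publication period produces. The commands below are an added example, not from the thread; they show how to see which CRL is cached and when it expires, how to force a refresh on a client, and (on the CA itself) how to shorten the publication period. The CDP URL, file paths and period values are placeholders.

```powershell
# Added example: inspect the CRL cache, force a refresh, shorten CRL lifetime.
# Client-side steps assume a normal user session; the setreg calls need
# an elevated prompt. Replace the URL and paths with your own.

# 1. List the CRLs currently in the CryptoAPI URL cache for this user
certutil -urlcache crl

# 2. Download the CRL the chain engine would use and read its validity window.
#    "Next Update" is the point until which Windows trusts the cached copy,
#    so a certificate revoked after "This Update" still chains as valid until then.
$cdp     = 'http://pki.example.com/CertEnroll/Issuing-CA.crl'   # placeholder CDP
$crlFile = Join-Path $env:TEMP 'issuing.crl'
Invoke-WebRequest -Uri $cdp -OutFile $crlFile
certutil -dump $crlFile | Select-String 'This Update|Next Update|Serial Number'

# 3. What the original poster did by hand: drop the cached CRLs for this user
certutil -urlcache crl delete

# 4. Alternatively, tell the chain engine that anything cached before now is
#    stale, so the next chain build refetches from the CDP (machine-wide, needs admin)
certutil -setreg chain\ChainCacheResyncFiletime @now

# 5. Confirm the revoked certificate is now reported as revoked
certutil -verify -urlfetch .\user-signing.cer

# 6. On the issuing CA (run there, as a CA administrator): shorten the base CRL
#    publication period, which shortens how long clients keep a stale CRL.
#    Values below are illustrative; pick what your environment can tolerate.
certutil -setreg CA\CRLPeriodUnits 1
certutil -setreg CA\CRLPeriod "Days"
Restart-Service certsvc
certutil -crl          # publish a fresh CRL immediately
```

Steps 3 and 4 only help the machine you run them on; the durable answer is step 6, because every client that already cached the old CRL will keep trusting it until its Next Update regardless of what the CA has published since.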
Many thanks, I'll test it. :)
May 16th, 2011 4:49am