Revoked SSL certificate showing OK
This is probably a complete newbie question, but I am stuck. I have been asked to implement a PKI solution, and I am having some issues. I wanted to test revocation of a cert, and I thought that doing an SSL cert would be the easiest because I have the server and client parts already there. So I issued a web certificate and installed it onto a website. Once I verified that it was okay, I revoked the certificate through the CA management tools and forced a publication of the CRLs. I then opened the website, and IE did not complain. I figured that this was a cache issue with the CRL, so I waited until the delta CRL would expire, and I tried again. Once again the cert was OK (no complaints from IE). I looked in the Certificates MMC and noticed that the serial number for the certificate was in the cached CRL, so I was confused and decided to go home and research it over the weekend. I did not find anything (it must be such a newbie thing that no one is talking about it), so when I came in this morning I tried again. Still the site is okay even though the certificate is now in the base CRL in the cache. What is going on? Why does IE not find that this is a bad certificate? Certutil says it is revoked, but IE is OK with it.

Any help would be appreciated,
Mark
June 9th, 2008 8:30pm

What version of IE are you using? What OS are you using?

Did you check that CRL checking is enabled in IE (it is not in earlier versions)?

1. Tools, Internet Options
2. On the Advanced tab, in the Security section, ensure that the following option is enabled: Check for Server Certificate Revocation.

The words may be a little different in your version.

The initial behavior was correct though: the previous CRL is maintained in cache until it is no longer time valid. But the new delta CRL publication should render the certificate as revoked.

Brian
June 10th, 2008 4:23pm

I am using IE 6 (default installation with Windows 2003). The option that you mention was NOT enabled. Once enabled, the behavior is as expected: I got a message that the site could not be trusted, and it did not load.

Thanks,
Mark
June 10th, 2008 5:24pm

No problem, Mark. The default behavior is changed for IE 7, and it is enabled by default.

Brian
June 10th, 2008 6:52pm
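The lesson of the thread is that the revocation check depends on the client actually performing it. As an added example (not code from this thread or from Microsoft), the script below repeats Mark's test with OpenSSL in a scratch directory: it builds a lab CA, issues a web-server certificate, verifies it against the CA's CRL, revokes it, publishes a new CRL and verifies again, so the status comes from an explicit CRL check rather than from a browser's defaults or cache. It assumes `openssl` is on PATH; the CA name, hostname and file names are constructed.

```shell
#!/bin/sh
# Added example: issue, revoke and CRL-check a certificate with OpenSSL.
# Everything below (names, paths, config) is constructed for this demo.
set -e
cd "$(mktemp -d)"
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = lab_ca
[ lab_ca ]
dir = .
database = $dir/index.txt
serial = $dir/serial
crlnumber = $dir/crlnumber
new_certs_dir = $dir
certificate = $dir/ca.pem
private_key = $dir/ca.key
default_md = sha256
default_days = 30
default_crl_days = 1
policy = lab_policy
[ lab_policy ]
commonName = supplied
[ req ]
distinguished_name = req_dn
x509_extensions = ca_ext
[ req_dn ]
commonName = Common Name
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
touch index.txt; echo 01 > serial; echo 01 > crlnumber
# Lab CA, then the web-server certificate it issues (the cert installed on the site).
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem -days 30 \
  -subj "/CN=Lab CA" -config ca.cnf 2>/dev/null
openssl req -newkey rsa:2048 -nodes -keyout web.key -out web.csr \
  -subj "/CN=www.example.test" -config ca.cnf 2>/dev/null
openssl ca -batch -config ca.cnf -in web.csr -out web.pem 2>/dev/null
# Publish a fresh CRL and verify the leaf against the chain AND that CRL, which is
# what a revocation-checking client does. Prints "good" or "revoked/invalid".
cert_status() {
  openssl ca -batch -config ca.cnf -gencrl -out crl.pem 2>/dev/null
  if openssl verify -crl_check -CAfile ca.pem -CRLfile crl.pem web.pem 2>&1 \
       | grep -q 'web.pem: OK'; then echo good; else echo revoked/invalid; fi
}
BEFORE=$(cert_status)
openssl ca -batch -config ca.cnf -revoke web.pem -crl_reason keyCompromise 2>/dev/null
AFTER=$(cert_status)
echo "before revocation: $BEFORE; after revocation and new CRL: $AFTER"
```

Dropping `-crl_check` from the verify command reproduces the behaviour Mark saw: the chain validates and the revoked certificate still reports OK, because no CRL is consulted at all.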
