Windows 7 Client not checking CRL
Hi @all,
We have a Windows Server 2008 R2 Enterprise CA which issued a web server certificate for an IIS 7.5. If I revoke the certificate in the CA MMC and rebuild the CRL, Windows 7 clients with IE9 (CRL checking in IE is enabled) can still access the website
without any error message that the certificate has been revoked. The Windows 7 clients have the correct CRL, the CRL cache is empty. If I try to open the website with Firefox on the same Windows 7 clients, I get the message that the certificate has been revoked.
The same on a Windows XP machine and a Windows Server 2008 R2.
We are not using OCSP. So my question is: Is this problem with the CRL check specific to Windows 7 clients? If this is the case, are there any settings which have to be configured to get the CRL check working on Windows 7 clients?
Thanks in advance. Regards, Marc Grote aka Jens Baier - www.it-training-grote.de - www.forefront-tmg.de - www.nt-faq.de
July 26th, 2011 7:14am
try to invalidate all existing CRLs and check again:
certutil -getreg chain\ChainCacheResyncFiletime @now
I believe that the problem is with cached CRL.
My weblog: http://en-us.sysadmins.lv
PowerShell PKI Module: http://pspki.codeplex.com
Windows PKI reference:
on TechNet wiki
July 26th, 2011 8:53am
Hi,
we already tried this without luck :-(
Any other hints? Regards, Marc Grote aka Jens Baier - www.it-training-grote.de - www.forefront-tmg.de - www.nt-faq.de
July 26th, 2011 9:53am
try to invalidate all existing CRLs and check again:
certutil -setreg chain\ChainCacheResyncFiletime @now
I believe that the problem is with cached CRL.
My weblog: http://en-us.sysadmins.lv
PowerShell PKI Module: http://pspki.codeplex.com
Windows PKI reference:
on TechNet wiki
July 26th, 2011 3:47pm
Hi Marc,
Replace the -getreg with -setreg in the command for a test. Then, all cached entries will be invalidated immediately.
certutil -setreg chain\ChainCacheResyncFiletime @now
For more information, please refer to:
http://blogs.technet.com/b/pki/archive/2007/09/13/how-to-refresh-the-crl-cache-on-windows-vista.aspx
Hope this helps.
Regards,
Bruce
Forum Support
Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback
for TechNet Subscriber Support, contact tnmff@microsoft.com.
July 27th, 2011 3:21am
Hi Bruce,
thank you very much for the quick response, but we already did what the blog post said, with no luck. Regards, Marc Grote aka Jens Baier - www.it-training-grote.de - www.forefront-tmg.de - www.nt-faq.de
July 27th, 2011 3:31am
Most applications cache the current CRL and won't download it again until the one that is currently cached reaches the end of its validity period. This is PKI functioning as designed per the latest RFC. If you're worried about this, you may
want to think about reducing your CRL validity period or implementing OCSP instead.
July 29th, 2011 2:33pm
Most applications cache the current CRL and won't download it again until the one that is currently cached reaches
the end of its validity period. This is PKI functioning as designed per the latest RFC. If you're worried about this, you may want to think about reducing your CRL validity period or implementing OCSP instead.
Please remember that OCSP responses are cached as well, depending on the NextUpdate and NextPublish fields in the OCSP response. For more information please read the TechNet articles about "Pre-Fetching" http://technet.microsoft.com/de-de/library/ee619723(WS.10).aspx and
"How Certificate Revocation Works" http://technet.microsoft.com/de-de/library/ee619754(WS.10).aspx
/Hasain
July 29th, 2011 9:01pm
Most applications cache the current CRL and won't download it again until the one that is currently cached reaches
the end of its validity period. This is PKI functioning as designed per the latest RFC. If you're worried about this, you may want to think about reducing your CRL validity period or implementing OCSP instead.
Please remember that OCSP responses are cached as well, depending on the NextUpdate and NextPublish fields in the OCSP response. For more information please read the TechNet articles about "Pre-Fetching" http://technet.microsoft.com/de-de/library/ee619723(WS.10).aspx and
"How Certificate Revocation Works" http://technet.microsoft.com/de-de/library/ee619754(WS.10).aspx
/Hasain
Topic starter already has tried to invalidate all cached CRLs/OCSP responses.
My weblog: http://en-us.sysadmins.lv
PowerShell PKI Module: http://pspki.codeplex.com
Windows PKI reference:
on TechNet wiki
July 30th, 2011 5:11am
Please try to enable notifications when Internet Explorer cannot reach the certificate revocation service, the default behavior is to consider an inaccessible CRL as a "false positive" and not display any errors/warnings.
To enable the notification search for FEATURE_WARN_ON_SEC_CERT_REV_FAILED in this TechNet article http://msdn.microsoft.com/en-us/library/ee330735(v=vs.85).aspx
/Hasain
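To see which of the two effects in this thread applies on a given client (a stale cached CRL, or a revocation check that fails silently and is tolerated by IE), the following PowerShell script is an added example, not code from any poster. It invalidates the CryptoAPI cache with the certutil command from the thread, then builds the server certificate's chain with online revocation checking so that "Revoked" and "RevocationStatusUnknown" can be told apart, and finally enables the FEATURE_WARN_ON_SEC_CERT_REV_FAILED feature control for iexplore.exe. The certificate path and the registry layout (the MSDN Internet Feature Controls pattern) are assumptions; run it elevated on the Windows 7 client.

```powershell
# Added example: defender-side checks for the CRL behaviour discussed in the thread.
# Assumptions: elevated PowerShell on the Windows 7 client; $CertPath points to the
# exported web server certificate (.cer); registry path per MSDN Internet Feature Controls.
param(
    [string]$CertPath = 'C:\temp\webserver.cer'   # assumed path, adjust as needed
)

# 1. Drop all cached CRLs/OCSP responses (the certutil command from the thread).
certutil -setreg chain\ChainCacheResyncFiletime @now | Out-Null

# 2. Build the chain with online revocation checking and report what CryptoAPI sees.
function Test-CertRevocation {
    param([string]$Path)
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'        # fetch the CRL, not only the cache
    $chain.ChainPolicy.RevocationFlag = 'EntireChain'
    $chain.ChainPolicy.UrlRetrievalTimeout = New-TimeSpan -Seconds 15
    $valid = $chain.Build($cert)
    [pscustomobject]@{
        Subject = $cert.Subject
        Valid   = $valid
        # "Revoked" means the CRL was fetched and lists the cert; "RevocationStatusUnknown"
        # means the CRL could not be retrieved, which IE tolerates silently by default.
        Status  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
        # CRL Distribution Points extension (OID 2.5.29.31): the URLs the client must reach.
        CdpUrls = ($cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' } |
                   ForEach-Object { $_.Format($false) })
    }
}
Test-CertRevocation -Path $CertPath | Format-List

# 3. Make IE warn instead of staying silent when the revocation check fails
#    (FEATURE_WARN_ON_SEC_CERT_REV_FAILED, the feature control named in the thread).
$fcKey = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WARN_ON_SEC_CERT_REV_FAILED'
if (-not (Test-Path $fcKey)) { New-Item -Path $fcKey -Force | Out-Null }
Set-ItemProperty -Path $fcKey -Name 'iexplore.exe' -Value 1 -Type DWord
```

If step 2 reports RevocationStatusUnknown rather than Revoked, the client is not reaching the CDP URL at all, and the thread's advice about the silent IE default applies rather than the CRL cache.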
July 30th, 2011 5:46am