Certificate revokation

Discussion in 'Server Security' started by Miha Pihler, Sep 12, 2004.

  1. Miha Pihler

    Miha Pihler Guest


    How long it takes depends on configuration of your CRL publication
    configuration. If you left it at e.g. default value of 1 week then yes, it
    could take that long for all the clients to get revocation information about
    newly revoked certificates. Windows 2003 CA and Windows XP also support
    delta CRL that can be published every few hours with only the changes since
    last full CRL list was published.

    Even if you publish CRL manually, CRL has its "life time" and during this
    life time it is valid. As long as it is valid clients can cache it and use
    it -- this among other things allows clients to work off-line when they
    can't download new CRL. There is no 100% way to tell the client to go and
    get new CRL. You could try and erase cached CRL by deleting offline internet
    files, but like I said there is no 100% way to do it.

    Certificate revocation should not be your primary way to keep your users out
    of your systems. If you simply disable users account in e.g. domain, this
    will keep them out practically immediately

    Miha Pihler, Sep 12, 2004
    1. Advertisements

  2. Miha Pihler

    Guest Guest


    I have installed CA server and issued certificates for the clients.

    Now I want to revoke some, how long wil the revoke will take place that
    those users cannot logon to the network, can it take a Week?

    Guest, Sep 12, 2004
    1. Advertisements

  3. Shay,

    The revocation will be in effect when you issue the first CRL after
    revocating the certificate.

    But, as Miha pointed out, the old CRL will probably have a lifetime
    that extends past the newly issued CRL, and for all users, client
    computers and servers who have cached the old CRL, the publication
    of the new revocation will not be noticed untill the old CRL has

    So, if you by "revocation will be immediately" mean that the
    certificate will be rejected immediately, you will have to use a
    OCSP (Online Certificate Status Protocol) service (not provided by

    As Miha pointed out, and I have pointed out in previous discussions
    regarding the use of CRLs, you will have to use other means to
    prevent the revoked user access. Certificates are used for
    authentication. For authorization, you probably have Active

    If you still feel that revocation is the only way to achieve your
    goal, the you could reduce the CRL lifetime and publication
    interval. Just remember to take network propagation (domain
    replication) in account, so a live CRL would always be available.

    For an issuing CA, I would recommend a lifetime of two hours, with
    one hour publication interval. Even with three domain replication
    intervals (45mins) you would have more than one hour lifetime left
    of the CRL. But it also means that you would still have up to two
    hours in which your revoked certificate still can be used.

    Lars Olaussen
    Lars Olaussen, Sep 12, 2004
  4. Miha Pihler

    Miha Pihler Guest

    Revocation itself is immediate. Problem is that clients do cache CRL. There
    is no really good way to force my computer at home to download new CRL so
    that I don't trust certificate that you just revoked... This is one of many
    things you need to plan when you setup your CA server.

    If you require immediate CRL updates, then you need to look at an OCSP
    (Online Certificate Status Protocol) solutions.

    Miha Pihler, Sep 12, 2004
  5. Miha Pihler

    Guest Guest


    Is there a way to revoke a certificate and that the revokation will be

    Guest, Sep 12, 2004
  6. microsoft.public.windows.server.security news group, Miha Pihler <mihap-
    > says...
    As does Windows 2000 if you've applied the MS04-11 patch.
    Paul Adare - MVP - Microsoft Virtual PC, Sep 12, 2004
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.