Re: Certificate revokation

From: Lars Olaussen (Isolauss_at_hotmail.com)
Date: 09/12/04


Date: Sun, 12 Sep 2004 11:53:15 +0200


<Shay> wrote...
>
> Is there a way to revoke a certificate and have the revocation
> take effect immediately?

Shay,

The revocation will be in effect when you issue the first CRL after
revoking the certificate.

But, as Miha pointed out, the old CRL will probably have a lifetime
that extends past the newly issued CRL, and for all users, client
computers and servers who have cached the old CRL, the publication
of the new revocation will not be noticed until the old CRL has
expired.

So, if by "revocation will be immediate" you mean that the
certificate will be rejected immediately, you will have to use an
OCSP (Online Certificate Status Protocol) service (not provided by
MS).

As Miha pointed out, and I have pointed out in previous discussions
regarding the use of CRLs, you will have to use other means to
prevent the revoked user from gaining access. Certificates are used
for authentication. For authorization, you probably have Active
Directory.

If you still feel that revocation is the only way to achieve your
goal, then you could reduce the CRL lifetime and publication
interval. Just remember to take network propagation (domain
replication) into account, so a live CRL is always available.

For an issuing CA, I would recommend a lifetime of two hours, with a
one-hour publication interval. Even with three domain replication
intervals (45 minutes) you would have more than one hour of lifetime
left on the CRL. But it also means that you would still have up to
two hours in which your revoked certificate can still be used.

Regards,
Lars Olaussen
Isolauss@hotmail.com
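Added example, not from Lars's post or from any Microsoft CA code: a small Python model of the CRL schedule he recommends (two-hour lifetime, one-hour publication interval, 45 minutes of replication), showing the validity left when a CRL reaches the slowest distribution point, whether a live CRL is always available, and the worst-case window in which a revoked certificate is still accepted. The client behaviour (use the cached CRL until its nextUpdate, then download the newest CRL the CDP already holds) and all minute values are assumptions of the model.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class CrlSchedule:
    """CRL timing in whole minutes (constructed model, not real CA behaviour)."""
    lifetime: int              # thisUpdate -> nextUpdate
    publication_interval: int  # minutes between CRL issuances
    replication_delay: int     # worst case for a new CRL to reach every CDP

    def remaining_at_slowest_cdp(self) -> int:
        """Validity left on a CRL once it has reached the slowest CDP."""
        return self.lifetime - self.replication_delay

    def always_live(self) -> bool:
        """True if a fresh CRL reaches every CDP before the old one expires."""
        return self.publication_interval + self.replication_delay < self.lifetime

    def newest_crl_at_cdp(self, now: int) -> int:
        """thisUpdate of the newest CRL a client can download at minute `now`."""
        if now < self.replication_delay:
            raise ValueError("no CRL has reached the CDP yet")
        issued = (now - self.replication_delay) // self.publication_interval
        return issued * self.publication_interval


def first_rejection(s: CrlSchedule, revoked_at: int, client_fetch_at: int) -> int:
    """Minute at which a client that last downloaded a CRL at `client_fetch_at`
    first holds a CRL listing a certificate revoked at `revoked_at` (assumed
    client: cache until nextUpdate, then fetch the newest CRL the CDP has)."""
    t = client_fetch_at
    while True:
        this_update = s.newest_crl_at_cdp(t)
        if this_update >= revoked_at:
            return t                      # the CRL fetched now lists the cert
        next_update = this_update + s.lifetime
        if next_update <= t:              # only happens when not always_live()
            raise RuntimeError("CDP is serving an expired CRL at minute %d" % t)
        t = next_update                   # cached CRL expires; client refreshes


def worst_case_exposure(s: CrlSchedule, revoked_at: int) -> int:
    """Longest time a certificate revoked at `revoked_at` is still accepted by
    some client that held a cached CRL at the moment of revocation."""
    return max(first_rejection(s, revoked_at, fetch) - revoked_at
               for fetch in range(s.replication_delay, revoked_at + 1))


if __name__ == "__main__":
    s = CrlSchedule(lifetime=120, publication_interval=60, replication_delay=45)
    print(s.remaining_at_slowest_cdp(), s.always_live())   # 75 True
    print(worst_case_exposure(s, revoked_at=61))           # 119
```

Revoking one minute after a CRL is published gives the longest exposure: the freshly published CRL is cached by clients until its nextUpdate two hours later, which is the "up to two hours" in the post.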


