Question
Friday, January 9, 2015 10:35 PM
This is a simple question :-) but not about renewing a CRL; rather, what happens when a CRL is expired (reachable but expired)?
Let's say I have an Enterprise ADCS server and also a UAG server with DirectAccess clients.
If the CRL is expired, will the connection still work? Will clients still communicate over SSL?
I read on blogs that if a CRL cannot be reached clients will stop working, but what if the CRL is reachable but expired? Will this break client-server SSL communication (in my case DirectAccess)?
All replies (5)
Saturday, January 10, 2015 6:15 AM ✅Answered | 1 vote
An expired CRL means "Revocation Offline". The error behavior is per-application: each application defines its own behavior. For example, some continue with the connection (Internet Explorer, and IPsec with default settings, skip this error), while others break the connection (SSTP VPN, DirectAccess) and raise a 0x80092013 error. In other words, there is no difference between an unreachable CRL and an expired/not yet valid CRL.
Vadims Podāns, aka PowerShell CryptoGuy
My weblog: en-us.sysadmins.lv
PowerShell PKI Module: pspki.codeplex.com
PowerShell Cmdlet Help Editor pscmdlethelpeditor.codeplex.com
Check out new: SSL Certificate Verifier
Check out new: PowerShell File Checksum Integrity Verifier tool.
Saturday, January 10, 2015 5:36 PM ✅Answered
As Vadims pointed out, the exact behavior when a CRL is unreachable or expired is up to each application. In the case of Internet Explorer, by default it only performs "SOFT" CRL checking, which means that IF it can reach the CRL AND the CRL contains the serial number of the host, it will display an error. If no CRL is available, it is expired, or it doesn't contain the host serial number, then NO error message is displayed. That is the specific behavior of IE.
When dealing with CRLs, it is best to assume that certificate authentication will fail if the CRL is inaccessible or has expired. Then design a methodology around ensuring that doesn't occur in your environment.
Mark B. Cooper, President and Founder of PKI Solutions Inc., former Microsoft Senior Engineer and subject matter expert for Microsoft Active Directory Certificate Services (ADCS). Known as “The PKI Guy” at Microsoft for 10 years. Connect with Mark at http://www.pkisolutions.com
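The two answers above describe the same revocation outcome being handled two ways: a hard-fail application (SSTP, DirectAccess) refuses the connection on "revocation offline", while a soft-fail one (IE by default) only refuses when a reachable, valid CRL actually lists the serial number. The PowerShell below is an added example, not code from either answer, that builds a chain with online revocation checking through the .NET X509Chain API (the same CryptoAPI chain engine Windows applications use) and applies either policy to the resulting status flags. The function name, the `$Mode` parameter and the certificate path are this example's own; an expired CRL and an unreachable CRL both surface as `OfflineRevocation`/`RevocationStatusUnknown`, which is the "no difference" point Vadims makes.

```powershell
# Added example: classify a certificate's revocation-check outcome under a
# hard-fail or soft-fail policy. Function and parameter names are this
# example's assumptions; X509Chain and its status flags are the real .NET API.
function Test-RevocationPolicy {
    param(
        [Parameter(Mandatory)] [string] $CertPath,            # DER/PEM .cer file to evaluate
        [ValidateSet('Hard', 'Soft')] [string] $Mode = 'Hard'  # Hard = SSTP/DirectAccess-like, Soft = IE-like
    )

    $cert  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($CertPath)
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    try {
        # Fetch CRLs/OCSP from the network and check every certificate in the chain.
        $chain.ChainPolicy.RevocationMode      = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
        $chain.ChainPolicy.RevocationFlag      = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
        $chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(15)

        $null  = $chain.Build($cert)
        $flags = @($chain.ChainStatus | ForEach-Object { $_.Status })

        # "Revocation offline" covers an unreachable CRL and an expired CRL alike.
        $offline = $flags -contains [System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]::OfflineRevocation -or
                   $flags -contains [System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]::RevocationStatusUnknown
        $revoked = $flags -contains [System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]::Revoked

        # Any other chain error (expired cert, untrusted root, ...) is fatal regardless of policy.
        $otherErrors = $flags | Where-Object {
            $_ -ne [System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]::NoError -and
            $_ -ne [System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]::OfflineRevocation -and
            $_ -ne [System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]::RevocationStatusUnknown
        }

        if ($revoked) {
            $decision = 'Reject'; $reason = 'Serial number is listed on a valid CRL'
        }
        elseif ($otherErrors) {
            $decision = 'Reject'; $reason = "Chain error: $($otherErrors -join ', ')"
        }
        elseif ($offline -and $Mode -eq 'Hard') {
            # This is the case the thread is about: hard-fail apps stop here (CRYPT_E_REVOCATION_OFFLINE, 0x80092013).
            $decision = 'Reject'; $reason = 'Revocation offline (CRL unreachable, expired or not yet valid)'
        }
        elseif ($offline) {
            $decision = 'Accept'; $reason = 'Revocation offline ignored by soft-fail policy'
        }
        else {
            $decision = 'Accept'; $reason = 'Revocation status confirmed good'
        }

        [pscustomobject]@{
            Subject     = $cert.Subject
            Mode        = $Mode
            Decision    = $decision
            Reason      = $reason
            ChainStatus = ($flags -join ', ')
        }
    }
    finally {
        $chain.Dispose()
    }
}

# Usage (path is a placeholder):
# Test-RevocationPolicy -CertPath 'C:\temp\server.cer' -Mode Hard
# Test-RevocationPolicy -CertPath 'C:\temp\server.cer' -Mode Soft
```

Running the same certificate through both modes while its CRL is expired shows the difference the answers describe: the `Hard` call rejects with the revocation-offline reason, the `Soft` call accepts with the status flags still visible in `ChainStatus`. Note that the chain engine serves CRLs from its cache, so a freshly expired CRL is only observed after the cache is refreshed (see the `certutil -urlcache` and `ChainCacheResyncFiletime` discussion later in the thread).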
Monday, January 12, 2015 2:27 PM ✅Answered
Exactly! One of the first things I do prior to any migration is extend the CRL lifetime (if needed) and publish the CRL to ensure that clients will have valid information during the migration. Just keep in mind that the local HTTP website (if used) on the server may become unavailable at some state in the migration and if it is the sole or only HTTP CDP location, then HTTP dependent clients may be unable to retrieve CRL information.
Mark B. Cooper, President and Founder of PKI Solutions Inc., former Microsoft Senior Engineer and subject matter expert for Microsoft Active Directory Certificate Services (ADCS). Known as “The PKI Guy” at Microsoft for 10 years. Connect with Mark at http://www.pkisolutions.com
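Mark's pre-migration routine (extend the CRL lifetime, publish, make sure the HTTP CDP keeps serving it) can be scripted and verified in one pass. The PowerShell below is an added example, not Mark's or Microsoft's code: it sets the base CRL period registry values that certsrv reads at start-up, restarts the CA service, publishes a new CRL, then downloads the CRL from the HTTP CDP exactly as a client would and parses `NextUpdate` out of `certutil -dump`. The CDP URL is a placeholder for your own, the period values and the migration window are assumptions for illustration, and the `NextUpdate:` parsing relies on certutil's English output format.

```powershell
# Added example: lengthen the base CRL lifetime before a migration, republish,
# and confirm that the CRL clients fetch over HTTP outlives the migration window.
# Run elevated on the CA. Values below are illustrative assumptions.
param(
    [int]    $CrlPeriodUnits      = 4,
    [string] $CrlPeriod           = 'Weeks',
    [int]    $MigrationWindowDays = 7,
    # Placeholder: replace with the HTTP CDP published in your issued certificates.
    [string] $CdpUrl              = 'http://pki.example.invalid/CertEnroll/Contoso-CA.crl'
)

# 1. Extend the base CRL validity. These are the real certsrv registry values;
#    CRLDeltaPeriodUnits/CRLDeltaPeriod govern delta CRLs separately.
certutil -setreg CA\CRLPeriodUnits $CrlPeriodUnits
certutil -setreg CA\CRLPeriod $CrlPeriod

# 2. certsrv only reads the new period on start-up.
Restart-Service -Name CertSvc

# 3. Publish a new base CRL to every configured CDP (file, LDAP, HTTP).
certutil -CRL
if ($LASTEXITCODE -ne 0) { throw "certutil -CRL failed with exit code $LASTEXITCODE" }

# 4. Retrieve the CRL from the HTTP CDP the way an HTTP-dependent client would.
$crlFile = Join-Path $env:TEMP 'cdp-check.crl'
Invoke-WebRequest -Uri $CdpUrl -OutFile $crlFile -UseBasicParsing

# 5. Read ThisUpdate/NextUpdate from certutil's dump of the downloaded CRL.
$dump = certutil -dump $crlFile
$next = ($dump | Select-String -Pattern 'NextUpdate:\s*(.+)$').Matches[0].Groups[1].Value.Trim()
$nextUpdate = [datetime]::Parse($next)
$remaining  = $nextUpdate - (Get-Date)

[pscustomobject]@{
    CdpUrl        = $CdpUrl
    NextUpdate    = $nextUpdate
    DaysRemaining = [math]::Round($remaining.TotalDays, 1)
    CoversWindow  = ($remaining.TotalDays -ge $MigrationWindowDays)
}

if ($remaining.TotalDays -lt $MigrationWindowDays) {
    Write-Warning "CRL at $CdpUrl expires in $([math]::Round($remaining.TotalDays,1)) days, shorter than the $MigrationWindowDays-day migration window."
}
```

The download in step 4 is the part that catches the trap Mark describes: if the only HTTP CDP lives on the server being migrated, the request fails as soon as that site goes away, and hard-fail clients will behave exactly as if the CRL had expired. Repeat the check from a client network during the migration rather than only from the CA itself.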
Friday, January 9, 2015 11:36 PM | 1 vote
[Puneet Singh] So clients don't reach out to get the CRL each and every time. So ideally speaking, the moment the CRL which is in the cache of the client expires, it will go and download the new CRL, and as soon as the new CRL gets downloaded it will stop working.
certutil -urlcache crl delete
But there is a warning:
It may be necessary to restart the application or even the computer in order to flush the CRL cache in Windows.
Apparently this command and other variations of it clears just the disk cache, but CRLs may also be cached in memory, so a restart of some services might be required.
For Windows a better method is suggested, which should also clear CRLs cached in memory:
certutil -setreg chain\ChainCacheResyncFiletime @now
Puneet Singh
Monday, January 12, 2015 11:36 AM
Thanks Vadims & Mark, marked as answered :-)
So then I will extend the CRL lifetime during migration, a notch higher.