Score:0

Revoked certificate not getting into Microsoft CA CRL

Max

I have a CA and an Active Directory + ADFS instances set up on a Windows Server 2016 machine. I issued a client certificate for one of the users (for smart card logon) and then revoked it. However, I'm still able to log in via the revoked certificate.

When trying to debug this, I see that the revoked cert doesn't appear in the CRL. Should this be configured somehow, or is it some kind of caching?

Some data:

  • In certsrv, the Revoked Certificates section shows the certificate I revoked, with the Revocation Reason = Unspecified.
  • certutil says "Leaf certificate revocation check passed". Full command: certutil -f -urlfetch -verify C:\Path\To\My\Revoked\Cert.cer
  • In certsrv in the CA properties, the "Extensions" tab does show multiple CRL distribution points; I haven't changed these settings.
  • When opening the .crl files in C:\Windows\system32\CertSrv\CertEnroll\, both of them are empty.
`the "Extensions" tab does show multiple CRL distribution points` Do those have the revoked certificate? That's where I would start. There's typically an http endpoint and an LDAP endpoint.
mangohost
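To act on the suggestion above (check whether the revoked certificate's serial number actually appears in the CRL that the CA published), here is an added example, not code from the question or from either poster: a stdlib-only Python parser that lists the serial numbers in a DER-encoded .crl file such as the ones in CertEnroll. The two sample CRLs at the bottom are constructed with dummy signatures; EMPTY_CRL mirrors the symptom in the question, a CRL with no revokedCertificates list at all. The check is on content only and does not validate the CRL signature.

```python
"""Check whether a serial number is listed in a DER-encoded X.509 CRL (stdlib only)."""

def _tlv(data, pos):
    """Parse one DER TLV starting at pos; return (tag, value, next_pos)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def _children(value):
    """Yield (tag, value) for each TLV directly inside a SEQUENCE value."""
    pos = 0
    while pos < len(value):
        tag, val, pos = _tlv(value, pos)
        yield tag, val

def revoked_serials(crl_der):
    """Return the set of serials in the CRL's revokedCertificates list (empty if absent)."""
    _, cert_list, _ = _tlv(crl_der, 0)                 # CertificateList
    tbs = next(_children(cert_list))[1]                # tbsCertList
    fields = list(_children(tbs))
    if fields[0][0] == 0x02:                           # optional version INTEGER
        fields = fields[1:]
    # Remaining: signature, issuer, thisUpdate, [nextUpdate], [revokedCertificates], [extensions]
    serials = set()
    for tag, val in fields[3:]:
        if tag == 0x30:                                # SEQUENCE OF revoked entries
            for _, entry in _children(val):
                _, serial, _ = _tlv(entry, 0)          # userCertificate INTEGER
                serials.add(int.from_bytes(serial, "big", signed=True))
    return serials

def is_listed(crl_der, serial):
    """True if the given serial number is revoked according to this CRL."""
    return serial in revoked_serials(crl_der)

# ---- constructed sample CRLs (not real CA output; signatures are dummies) ----
def _der(tag, content):
    """Tiny DER encoder for the samples below (contents stay under 256 bytes)."""
    n = len(content)
    ln = bytes([n]) if n < 0x80 else bytes([0x81, n])
    return bytes([tag]) + ln + content

_UTC = _der(0x17, b"240101000000Z")                                     # UTCTime
_SIG_ALG = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010b")))  # sha256WithRSA

def _sample_crl(serials):
    entries = b"".join(_der(0x30, _der(0x02, s.to_bytes((s.bit_length() + 8) // 8, "big")) + _UTC)
                       for s in serials)
    tbs = _der(0x02, b"\x01") + _SIG_ALG + _der(0x30, b"") + _UTC + _UTC   # v2, alg, issuer, this/next
    if serials:                                        # revokedCertificates is OPTIONAL
        tbs += _der(0x30, entries)
    return _der(0x30, _der(0x30, tbs) + _SIG_ALG + _der(0x03, b"\x00" * 9))

CRL_WITH_ENTRIES = _sample_crl([0x1234, 0x5678])
EMPTY_CRL = _sample_crl([])   # the asker's symptom: the list is absent entirely
```

Against a real file, call revoked_serials(open(r"C:\Windows\system32\CertSrv\CertEnroll\<name>.crl", "rb").read()) with the placeholder replaced by the CA's CRL file name; certutil -dump on the same file shows the same entries natively.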
