CRL-Based Revocation Validation

CRL-Based testing

This section documents the testing performed to validate certificate revocation using Certificate Revocation Lists (CRLs), without requiring an Online Certificate Status Protocol (OCSP) Online Responder.

This test does not require a configured OCSP Online Responder. It is intended for environments where OCSP support is not available or the Online Responder is not installed.

Prerequisites

The testing in this section was conducted in an AD CS environment configured as follows:

  • AD CS is installed, and a Certification Authority (CA) has been set up and initialized.

  • CA services are running, and not stopped.

  • An nShield HSM is set up and connected to Security World software.

Procedures

Certificate Enrollment

You can skip this step if your environment contains a valid test certificate signed by your Certification Authority.

  1. Launch certmgr.msc.

  2. Right-click the folder labeled Personal and select All Tasks > Request New Certificate.

  3. Complete the Wizard:

    1. Select Next in the first two windows.

    2. Select the template that you created, then select Enroll.
      The Key Storage Provider window appears.

      If a CA installed on Windows Server Core is managed remotely, the next steps may not appear. A new key is still created to be associated with the certificate. If the STATUS: Succeeded message appears, the procedure is complete.
    3. Select Next.

    4. Insert the administrator cards and enter the passphrase or PIN when prompted.

    5. Create the new key to be associated with the certificate.

    6. Select the type of protection you want to use, then select Next.

    7. Depending on the key protection method, enter the required credentials.
      The Certificate Installation Results window should show STATUS: Succeeded.

    8. Select Finish.

      If passphrase authentication is enabled, a prompt for passphrase appears.
  4. Verify that the certificate is enrolled.

Certificate Verification

  1. Launch the Certification Authority application, certsrv.msc, and find your certificate in the Issued Certificates folder.

  2. Double-click your certificate to open its information, then select the Details tab.

  3. Ensure the following fields are correct and match your configuration specifications:

    • Issuer: Ensure your CA’s name is listed.

    • Signature Algorithm: Ensure this certificate is using the correct signing algorithm.

    • Serial Number: Ensure this field exists; note the serial number for future reference.

Export the Certificate

  1. On the certificate Details tab, select Copy to File.

  2. Complete the Certificate Export Wizard:

    • On the Welcome page, select Next.

    • On the Export File Format page, select Base-64 encoded X.509 (.cer), then select Next.

    • Input a name for the file, then select Next.

    • On the last page, note the location of the exported file and select Finish. Select OK in the pop-up and confirm that the export was successful.

Revoke the Certificate

When revoking certificates, it is recommended that you use a test certificate first, for trial purposes. Complete the above steps to generate a trial certificate for revocation.

  1. Launch the Certification Authority application, certsrv.msc, and find your certificate in the Issued Certificates folder.

  2. Right-click your certificate and select All Tasks > Revoke Certificate.

  3. The Certificate Revocation window appears, prompting you for a valid Reason Code. Select a reason, or Unspecified, and then select Yes to revoke the certificate.

  4. Close and reopen the Certification Authority application. You should now see your certificate under the Revoked Certificates folder.

Publish the new CRL

Using the Certification Authority GUI:

  1. Launch certsrv.msc, if it is not already open.

  2. Right-click the Revoked Certificates folder and select All Tasks > Publish to publish a new CRL.

  3. When the Publish CRL window appears, select New CRL and then OK to finish.

Using the CLI:

  1. Publish a new CRL:

    > certutil -crl

  2. (Optional) Force the new CRL to be used immediately by resetting the cached chain and CRL data:

    > certutil -setreg chain\ChainCacheResyncFiletime @now

CRL Verification

  1. Using the CLI, navigate to the location of your exported certificate. Run the following command and replace testcert.cer with your exported certificate’s full file name:

    > certutil -verify -urlfetch .\testcert.cer

  2. The expected result is shown below. The last few lines report that the certificate is revoked (Reason=0 corresponds to the Unspecified reason code) and that certutil completed without error.

    > certutil -verify -urlfetch .\testcert.cer
    Issuer:
    CN=interop-ADCSOCSPWINS25-CA
    DC=interop
    DC=local
    Name Hash(sha1): ...
    Name Hash(md5): ...
    Subject:
    .
    .
    .
    The certificate is revoked. 0x80092010 (-2146885616 CRYPT_E_REVOKED)
    ------------------------------------
    Certificate is REVOKED
    Leaf certificate is REVOKED (Reason=0)
    CertUtil: -verify command completed successfully.
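The following PowerShell function is an added example, not part of the original guide: it automates the CLI path of "Publish the new CRL" and the "CRL Verification" check, and parses certutil's text output so the REVOKED result can be asserted in a script. It assumes certutil.exe is on PATH and that the script runs on a machine that can reach the CA's CRL distribution point; the function name and file path are placeholders.

```powershell
# Added example (not from the original guide). Automates the CLI path of
# "Publish the new CRL" and the "CRL Verification" check, and parses certutil's
# text output into an object so the REVOKED result can be asserted in a script.
# Assumes certutil.exe is on PATH; all paths and names here are placeholders.
function Test-CertRevokedByCrl {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $CertPath,  # exported cert, e.g. .\testcert.cer
        [switch] $PublishCrl,                       # run "certutil -crl" first
        [switch] $ForceResync                       # drop the cached chain/CRL data
    )

    if (-not (Test-Path -LiteralPath $CertPath)) {
        throw "Certificate file not found: $CertPath"
    }

    if ($PublishCrl) {
        & certutil -crl | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "certutil -crl failed (exit $LASTEXITCODE)" }
    }
    if ($ForceResync) {
        # '@now' must be quoted in PowerShell: a bare @now is parsed as splatting.
        & certutil -setreg chain\ChainCacheResyncFiletime '@now' | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "ChainCacheResyncFiletime update failed (exit $LASTEXITCODE)" }
    }

    # -urlfetch retrieves the CRL from the CDP rather than trusting a cached copy.
    $output = (& certutil -verify -urlfetch $CertPath 2>&1 | Out-String)
    $exit = $LASTEXITCODE

    $issuer = $null
    if ($output -match '(?m)^\s*Issuer:\s*(CN=[^\r\n]+)') { $issuer = $Matches[1] }
    $reason = $null
    if ($output -match 'Leaf certificate is REVOKED \(Reason=(\d+)\)') { $reason = [int]$Matches[1] }
    $cryptError = $null
    if ($output -match '0x[0-9A-Fa-f]{8} \(-?\d+ (CRYPT_E_\w+)\)') { $cryptError = $Matches[1] }

    [pscustomobject]@{
        Certificate  = $CertPath
        Issuer       = $issuer
        Revoked      = [bool]($output -match 'Leaf certificate is REVOKED')
        ReasonCode   = $reason
        CryptError   = $cryptError
        CertUtilExit = $exit
    }
}

# Usage (on the CA, after exporting the revoked test certificate):
# Test-CertRevokedByCrl -CertPath .\testcert.cer -PublishCrl -ForceResync
```

A result with Revoked set to True, ReasonCode 0 and CryptError CRYPT_E_REVOKED matches the expected output above; if Revoked is False after revocation, confirm that a new CRL was actually published and that the cache was resynced. Note that the guide's `@now` argument must be quoted when typed into PowerShell rather than cmd.exe, because PowerShell otherwise treats it as a splatting expression.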