There are two types of revocation lists:
- Base CRL: a complete list of certificate serial numbers revoked by the CA.
- Delta CRL: a list of certificates revoked since the last base CRL publication.
Applications will verify certificates presented to them by consulting the CRL and reject any certificates on this list.
We can revoke a certificate in the Certificate Authority MMC:
Reasons for certificate revocation
A certificate may be revoked for a number of reasons. Here are some examples:
- Loss of the private key (by theft or negligence)
- Compromise of the issuing CA
- Retired users and devices
- Replacement of old certificates with new certificates
We may need or want to replace old certificates with new ones. In this case, it is best practice to revoke the old certificates.
When we revoke a certificate, we can (and should) indicate the reason for which we are revoking the certificate:
Note: it is better to revoke certificates based on a policy.
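The same revocation can be scripted from the command line, which is convenient when many certificates must be revoked at once or when the revocation must be documented. The following is an added example and not from the original post; it assumes a CA named CORP-CA on host CA01, and the serial number is a placeholder to replace with the one shown in the MMC.

```powershell
# Added example, not from the original post.
# Assumed CA: host CA01, CA name CORP-CA. Replace the serial number placeholder.
$CaConfig = "CA01\CORP-CA"
$Serial   = "<SERIAL-NUMBER-PLACEHOLDER>"

# certutil -revoke takes a numeric reason code matching the MMC dialog:
#   0 Unspecified          1 Key Compromise       2 CA Compromise
#   3 Affiliation Changed  4 Superseded           5 Cessation of Operation
#   6 Certificate Hold     -1 Unrevoke (only valid for a certificate on hold)
# Here the private key is assumed to have been stolen, so reason 1 is used.
certutil -config $CaConfig -revoke $Serial 1

# Confirm the change in the CA database. Disposition 21 means "revoked";
# the output lists the serial number, reason and time of each revocation.
certutil -config $CaConfig -view -restrict "Disposition=21" `
    -out "RequestID,SerialNumber,RevokedReason,RevokedWhen"

# The revocation only reaches relying parties once a new CRL is published.
# This publishes a base CRL (and a delta CRL if delta publishing is enabled).
certutil -config $CaConfig -crl
```

Using an explicit reason code rather than leaving it at Unspecified keeps the CA database useful as an audit trail of why each certificate was withdrawn, and Certificate Hold (6) is the only reason that can later be undone with -1.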
Who can revoke a certificate?
Users granted the "Issue and Manage Certificates" permission. By default, administrators of the CA have this right. Domain and Enterprise administrators possess it as well.
The CRL is signed by the CA that publishes it.
Note: we can obtain redundancy if we configure CA clustering, which is an entirely different subject.
The Delta CRL is almost never necessary.
Clients cache the CRL locally until it expires. The CRL overlap period tells the CA to publish the next CRL before the current one expires, so that a cached CRL never lapses before its replacement is available. It is set with certutil:
certutil -setreg CA\CRLOverlapUnits 2
certutil -setreg CA\CRLOverlapPeriod "Days"
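The overlap setting only makes sense together with the CRL validity period, and a registry change is not applied until the CA service restarts. The following added example, not from the original post, shows a complete base CRL publication schedule and how to verify it; it assumes the commands run on the CA itself and that the CRL file path is the default one, with the CA name as a placeholder.

```powershell
# Added example, not from the original post. Run on the CA host as a CA administrator.

# Base CRL valid for one week, republished two days before it expires.
# A client that cached the CRL on its publication day therefore has a
# replacement available at least two days before its copy lapses.
certutil -setreg CA\CRLPeriodUnits 1
certutil -setreg CA\CRLPeriod "Weeks"
certutil -setreg CA\CRLOverlapUnits 2
certutil -setreg CA\CRLOverlapPeriod "Days"

# Registry values are read at service start, so restart Active Directory
# Certificate Services for them to take effect.
Restart-Service CertSvc

# Read the values back to confirm what the CA will actually use.
certutil -getreg CA\CRLPeriodUnits
certutil -getreg CA\CRLPeriod
certutil -getreg CA\CRLOverlapUnits
certutil -getreg CA\CRLOverlapPeriod

# Publish a CRL now rather than waiting for the next scheduled publication.
certutil -crl

# Inspect the published CRL: "This Update" / "Next Update" show the validity
# window the clients will cache. Replace <CA-NAME> with the real CA name.
certutil -dump "C:\Windows\System32\CertSrv\CertEnroll\<CA-NAME>.crl"

# On a client, the cached CRLs can be listed and, when testing a new
# publication, cleared so the next validation fetches the fresh copy.
certutil -urlcache CRL
certutil -urlcache CRL delete
```

The last two commands are useful when verifying a revocation end to end: after publishing, clear the client cache and validate the revoked certificate with certutil -verify -urlfetch, which must now report it as revoked.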
OCSP (Online Certificate Status Protocol)
With this protocol, a client can validate individual certificates as needed, via a web service, instead of downloading a CRL with the entire list of revoked certificates (most of which may not interest the client). This is an optional function and I will not present it in this blog post.