Is a certificate revocation list (CRL) applied automatically in MS Windows operating systems?
There is a WCF service that signs and verifies requests with an electronic signature. Everything works fine, but a question came up about automatic processing of the CRL.
The root certificate contains a URL from which the CRL can be downloaded.
Yes. The CRL file is always requested, except in the following cases:
- The CRL is already in the cache and less time has passed since the last update than the lifetime specified in the file;
- The CRL is in the revocation list store (local revocation list) and is also not yet stale.
Show cache contents:
OCSP requests, however, may not be sent because of Windows settings. Internet Explorer has an option to check the publisher's certificate for revocation (or something along those lines), and if it is set not to check, OCSP requests will not be sent during the automatic check. You can, of course, still send an OCSP request explicitly.
OCSP responses are also cached.
You can clear that cache in the same way as the CRL cache: certutil -urlcache ocsp delete
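To see the automatic check described above actually happen, the following PowerShell script (an added example, not part of the answer) builds the certificate chain with online revocation checking, which is the same chain-building logic Windows uses, and reports whether the result was "revoked", "not revoked", or "could not be determined" (stale or unreachable CRL). It assumes the service certificate is in the LocalMachine\My store and uses a placeholder thumbprint; the cache listing at the end reuses the certutil -urlcache syntax from the answer with the "crl" object instead of "ocsp".

```powershell
# Added example: check a certificate's revocation status via the Windows chain engine.
# Not from the original answer. The thumbprint below is a placeholder you must replace.
param(
    [string]$Thumbprint = 'PLACEHOLDER_THUMBPRINT'
)

$cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) { throw "Certificate with thumbprint $Thumbprint was not found in LocalMachine\My" }

$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain

# Online  = download the CRL / query OCSP from the URLs in the certificate when the cached copy is stale.
# Offline = use only what is already cached (no network).
# NoCheck = skip revocation entirely; this is the weak setting and is only shown for contrast.
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::ExcludeRoot
$chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(15)

$built = $chain.Build($cert)

# Every problem found while building the chain is listed here; an empty list means a clean chain.
foreach ($s in $chain.ChainStatus) {
    "{0}: {1}" -f $s.Status, $s.StatusInformation.Trim()
}

$statuses = $chain.ChainStatus | ForEach-Object { $_.Status }
$revoked  = $statuses -contains [System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]::Revoked
$unknown  = ($statuses -contains [System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]::RevocationStatusUnknown) -or
            ($statuses -contains [System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]::OfflineRevocation)

# Distinguish a definite revocation from an inconclusive check: a stale or unreachable CRL
# gives RevocationStatusUnknown / OfflineRevocation, not Revoked, and a service that treats
# "unknown" as "valid" silently loses the protection the CRL is supposed to provide.
if ($revoked) {
    "RESULT: certificate is REVOKED"
} elseif ($unknown) {
    "RESULT: revocation status could not be determined (CRL/OCSP unavailable or stale)"
} elseif ($built) {
    "RESULT: chain built and certificate is not revoked"
} else {
    "RESULT: chain failed for a reason other than revocation (see status list above)"
}

$chain.Reset()

# Show what the CRL cache now holds; this is the counterpart of the "ocsp" listing in the answer.
certutil -urlcache crl
```

Running the script twice in a row is a quick way to observe the caching behaviour the answer describes: the first run fetches the CRL from the URL in the certificate, the second run is served from the cache until the CRL's NextUpdate time passes.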
The question is not very clear. On each check of the certificate chain, the client, in this case Windows, downloads the revocation list from the specified URL and checks whether the certificate being verified is listed in it. If it is not, everything is fine; if it is, the certificate is considered invalid.