Checking your CRL for revoked certificates


When implementing PKI infrastructure in ConfigMgr, it is really important that you have a certificate revocation list published and available for the end clients to check against.

If you have implemented a Cloud Management Gateway, then it is imperative that this is public facing, so that clients out on the internet can check it.

When setting up a CMG, you do have the option not to check the CRL, but you should ensure that your security team is happy with this compromise. You want to be ticking the box.

The CRL is updated at intervals, and can be published immediately after revocation of a certificate.

You can force publish an update by running the following command on the Certificate Authority.

certutil -CRL

What exactly is a revoked certificate? Well, they are different to an expired certificate, which has run its course of time. A revoked certificate has been taken before its time and removed from the CA because it is seen as no longer trustworthy or no longer required.

You can revoke a cert in your Certificate Authority by taking a look in the Issued Certificates section of the CA, right clicking and selecting All Tasks\Revoke Certificate.

You can then enter a Reason code and a time for revocation.

Revoked certs then appear in the Revoked Certificates folder.

So these revoked certificates will appear in the CRL at the next published update, and you can check against the CRL for revoked certs.

To do this, you can check the CDP (CRL Distribution Point) location on a certificate. Open a certificate you want to check against, go to the Details tab and scroll down to the CRL Distribution Points.

Here you will see the URL of the web server hosting the CRL. You can copy out the full URL including the .crl file details.

If you paste the URL into a browser, this will download the CRL file. You can’t crack this open in Notepad, but you can use certutil to check the details of any revoked certificates.

To do this, navigate to the folder you have downloaded the CRL file to and issue the command:

certutil -dump <filename.crl>

This will display the revoked certificates, along with serial number, reason and date of revocation.

If you are command line shy, then you can always right click the CRL and choose Open. In the Revocation List tab, you can see the revoked certs, and highlighting one will drill into the specifics for revocation in the Revocation entry window.
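The manual steps above (read the CDP URL from the certificate, download the .crl, dump it with certutil and look for a serial number) can be scripted for regular checks. The following PowerShell is an added example and is not from the original post or from Microsoft; it assumes a Windows host with certutil.exe, an HTTP-reachable CDP, and the "Serial Number:" line format that certutil -dump prints for CRL entries.

```powershell
# Added example: check whether a certificate's serial number appears in the CRL
# published at its own CRL Distribution Point. Assumes certutil.exe is present and
# that certutil -dump lists CRL entries as "Serial Number: <hex>" (assumption).

function Get-CdpUrls {
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # OID 2.5.29.31 is the CRL Distribution Points extension
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    if (-not $ext) { throw "Certificate $($Cert.Thumbprint) has no CRL Distribution Points extension" }
    # Format($true) renders the extension as text containing lines such as "URL=http://..."
    [regex]::Matches($ext.Format($true), 'URL=(\S+)') | ForEach-Object { $_.Groups[1].Value }
}

function Get-RevokedSerials {
    param([Parameter(Mandatory)][string]$CrlPath)
    # certutil -dump prints one "Serial Number:" line per revoked entry (assumed format)
    $dump = & certutil.exe -dump $CrlPath
    if ($LASTEXITCODE -ne 0) { throw "certutil -dump failed for $CrlPath" }
    [regex]::Matches(($dump -join "`n"), 'Serial Number:\s*([0-9a-fA-F]+)') |
        ForEach-Object { $_.Groups[1].Value.ToLowerInvariant() }
}

function Test-CertInCrl {
    param([Parameter(Mandatory)][string]$CertPath)
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($CertPath)
    # Prefer the HTTP CDP: that is the one internet clients behind a CMG can actually reach
    $url = Get-CdpUrls -Cert $cert | Where-Object { $_ -like 'http*' } | Select-Object -First 1
    if (-not $url) { throw 'No HTTP CDP URL found; internet clients cannot fetch this CRL' }
    $crlFile = Join-Path $env:TEMP ([IO.Path]::GetFileName(([uri]$url).AbsolutePath))
    Invoke-WebRequest -Uri $url -OutFile $crlFile -UseBasicParsing
    $revoked = @(Get-RevokedSerials -CrlPath $crlFile)
    # X509Certificate2.SerialNumber is upper-case hex; normalise both sides before comparing
    $serial = $cert.SerialNumber.ToLowerInvariant()
    [pscustomobject]@{
        Subject      = $cert.Subject
        Serial       = $serial
        CdpUrl       = $url
        CrlFile      = $crlFile
        RevokedCount = $revoked.Count
        IsRevoked    = $revoked -contains $serial
    }
}

# Usage (hypothetical path): Test-CertInCrl -CertPath 'C:\temp\client.cer'
```

If the HTTP download fails from an internet-connected machine, that is the same failure a CMG client would hit, which is the point of making the CDP public facing.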
