Certificate Revocation Lists (CRLs) and IIS 5.0 frequently asked questions (289749)



The information in this article applies to:

  • Microsoft Internet Information Services 5.0

This article was previously published under Q289749

INTRODUCTION

This article contains answers to some frequently asked questions (FAQ) about Certificate Revocation Lists (CRLs) and Microsoft Internet Information Services (IIS) 5.0.

MORE INFORMATION

Q1: What is a Certificate Revocation List (CRL), and what is a CRL Distribution Point (CDP)?

A1: A CRL is a file that contains a list of revoked certificates, their serial numbers, and their revocation dates. A CRL file also contains the name of the issuer of the CRL, the effective date, and the next update date. By default, the shortest validity period of a CRL is one hour.

A CDP is the location where you can download the latest CRL. A CDP is typically listed in the CRL Distribution Points field of the Details tab of the certificate. It is common to list multiple CDPs that use different access methods to make sure that programs, such as Web browsers and Web servers, can always obtain the latest CRL.

The following are examples of CDP entries:
[1]CRL Distribution Point
Distribution Point Name:
Full Name:
URL=ldap:///CN=SecTestCA1,CN=SECTESTCA1,CN=CDP,CN=Public%20Key%20Services,
CN=Services,CN=Configuration,DC=rte,DC=microsoft,
DC=com?certificateRevocationList?base?objectclass=cRLDistributionPoint

[2]CRL Distribution Point
Distribution Point Name:
Full Name:
URL=http://sectestca1.rte.microsoft.com/CertEnroll/SecTestCA1.crl

[3]CRL Distribution Point
Distribution Point Name:
Full Name:
URL=file://\\sectestca1.rte.microsoft.com\CertEnroll\SecTestCA1.crl

Q2: When does IIS 5.0 retrieve a CRL?

A2: Each CRL has an effective date. The effective date is also referred to as the "next update" or the "validity period." IIS 5.0 retrieves a CRL only if one of the following conditions is true:
  • The CRL of the certificate is not contained in the IIS 5.0 cache.
  • The effective date of the CRL in the IIS 5.0 cache has passed.

Q3: If the certificate contains several CRL Distribution Points, does IIS 5.0 retrieve the CRL from each location?

A3: No. Only the first, or top, location is used. If that retrieval fails, IIS 5.0 tries the next CRL distribution point.

Q4: Are the contents of each CRL at each CRL distribution point downloaded and combined?

A4: No. Only one CRL is downloaded.

Q5: Are CRLs stored on the computer that is running IIS 5.0?

A5: Yes. However, any consequences that result from the manipulation of the CRL are not supported by Microsoft Product Support Services.

Q6: How are CRLs identified? That is, what extension do CRL files use?

A6: CRLs use a .crl extension. For example, CRLFileName[1].crl.

Note: The FileName is listed in the CRL distribution point on the certificate.

Q7: What occurs if IIS 5.0 cannot find one of the CRLs?

A7: By default, IIS 5.0 fails if the CRL of a certificate cannot be accessed. Therefore, the same CRL is typically published at several CRL distribution points that use different paths and protocols, so that it remains reachable if one location fails. For example, the URLs of CRL distribution points use the following protocols and paths:
  • HTTP
  • Lightweight Directory Access Protocol (LDAP)
  • File

Q8: What error message appears in the Web browser if an effective CRL cannot be obtained? Is the same error message displayed if the CRL is obtained and if the certificate is revoked?

A8: Yes, you receive the same error message in both scenarios. You receive the following error message:
HTTP 403.13 Forbidden: Client certificate revoked

The page requires a valid client certificate

Q9: You experience one of the following symptoms:
  • You make the CRL unavailable. However, IIS does not retrieve a new CRL and does not appear to fail.
  • You revoke a certificate and republish the CRL. However, IIS 5.0 still lets users locate a Web site by using the revoked certificate.

A9: Both scenarios have the same cause: IIS 5.0 still uses a cached CRL that has not passed its effective date. For more information, see "Q2: When does IIS 5.0 retrieve a CRL?".

Q10: Is it possible to force the cached CRL to update?

A10: You cannot force the cached CRL to update. The CRL has an expiration date. When the CRL expires, the CRL is renewed.
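The retrieval and caching rules in A2, A3, A7, A9 and A10 fit in a short model. The following Python block is an added example and is not IIS or Microsoft code: it parses the CDP entries shown in A1 in the order they are listed (re-joining the LDAP URL that the Details tab wraps over three lines), keeps a cached CRL until its next-update time has passed, tries the CDPs in order when a fetch is needed, and fails closed with the 403.13 message from A8 when no CDP answers. The CDP text is copied from A1; the CA state (which serials are revoked and which CDPs respond), the clock, and the `Crl` and `CrlCache` types are constructed for the simulation and are not IIS internals. The one-hour CRL validity is the minimum stated in A1 and A12.

```python
"""Model of the CRL retrieval and caching rules in A2, A3, A7, A9 and A10. Added,
constructed example, not IIS or Microsoft code: CDP_TEXT is copied from A1; the CA
state, the clock and the Crl/CrlCache types are simulated for the walk-through."""
from datetime import datetime, timedelta
from typing import Callable, Dict, List, NamedTuple, Optional

# CDP entries as the Details tab shows them; the LDAP URL is wrapped over three lines.
CDP_TEXT = r"""[1]CRL Distribution Point
Distribution Point Name:
Full Name:
URL=ldap:///CN=SecTestCA1,CN=SECTESTCA1,CN=CDP,CN=Public%20Key%20Services,
CN=Services,CN=Configuration,DC=rte,DC=microsoft,
DC=com?certificateRevocationList?base?objectclass=cRLDistributionPoint
[2]CRL Distribution Point
Distribution Point Name:
Full Name:
URL=http://sectestca1.rte.microsoft.com/CertEnroll/SecTestCA1.crl
[3]CRL Distribution Point
Distribution Point Name:
Full Name:
URL=file://\\sectestca1.rte.microsoft.com\CertEnroll\SecTestCA1.crl
"""
REVOKED_MESSAGE = "HTTP 403.13 Forbidden: Client certificate revoked"  # A8

def parse_cdp_urls(details_text: str) -> List[str]:
    """CDP URLs in listed order (A3); lines between a URL= line and the next
    [n] header are re-joined so the wrapped LDAP URL comes back whole."""
    urls: List[str] = []
    current: Optional[str] = None
    for raw in details_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and "CRL Distribution Point" in line:
            if current is not None:
                urls.append(current)
            current = None
        elif line.startswith("URL="):
            current = line[4:]
        elif current is not None and line:
            current += line  # continuation of a wrapped URL
    if current is not None:
        urls.append(current)
    return urls

# A CRL as the model needs it: its "next update" (the effective date of A2) and revoked serials.
Crl = NamedTuple("Crl", [("next_update", datetime), ("revoked_serials", frozenset)])

class CrlCache:
    """A cached CRL is used until its next update passes (A2, A9, A10); otherwise
    the CDPs are tried in order and only one CRL is downloaded (A3, A4)."""
    def __init__(self, fetch: Callable[[str], Optional[Crl]]):
        self._fetch = fetch  # simulated download: returns None when the CDP fails
        self._by_issuer: Dict[str, Crl] = {}
        self.fetch_log: List[str] = []  # every CDP URL that was attempted

    def get(self, issuer: str, cdp_urls: List[str], now: datetime) -> Optional[Crl]:
        cached = self._by_issuer.get(issuer)
        if cached is not None and now < cached.next_update:
            return cached
        for url in cdp_urls:
            self.fetch_log.append(url)
            crl = self._fetch(url)
            if crl is not None:
                self._by_issuer[issuer] = crl
                return crl
        return None  # every CDP failed: no CRL, so the request must fail (A7)

def check_client_cert(cache: CrlCache, issuer: str, serial: str, urls: List[str], now: datetime) -> str:
    """A8: an unobtainable CRL and a revoked certificate give the same message."""
    crl = cache.get(issuer, urls, now)
    return REVOKED_MESSAGE if crl is None or serial in crl.revoked_serials else "OK"

def simulate() -> Dict[str, object]:
    # Walk through the Q9 symptoms against a simulated CA publishing one-hour CRLs (A1).
    issuer, serial = "SecTestCA1", "1A2B"
    state = {"now": datetime(2005, 3, 25, 9, 0), "revoked": set(),
             "reachable": {"ldap": False, "http": True, "file": True}}

    def fetch(url: str) -> Optional[Crl]:  # simulated CDP download
        reachable = state["reachable"][url.split(":", 1)[0]]
        return Crl(state["now"] + timedelta(hours=1), frozenset(state["revoked"])) if reachable else None

    urls, cache, r = parse_cdp_urls(CDP_TEXT), CrlCache(fetch), {}
    # 1. Nothing cached; the LDAP CDP is down, so the HTTP CDP is used (A3, A7).
    r["first"] = check_client_cert(cache, issuer, serial, urls, state["now"])
    # 2. Revoke and republish: the cached CRL is still current, so access continues (Q9).
    state["revoked"].add(serial)
    state["now"] += timedelta(minutes=30)
    r["after_revoke"] = check_client_cert(cache, issuer, serial, urls, state["now"])
    # 3. Take every CDP offline: nothing is fetched while the cache is current (Q9).
    state["reachable"] = dict.fromkeys(state["reachable"], False)
    r["cdps_down"] = check_client_cert(cache, issuer, serial, urls, state["now"])
    # 4. The cached CRL has expired and every CDP fails: IIS fails closed (A7, A8).
    state["now"] += timedelta(minutes=35)
    r["expired_cdps_down"] = check_client_cert(cache, issuer, serial, urls, state["now"])
    # 5. HTTP CDP back; the fresh CRL lists the serial, so the same message appears (A8).
    state["reachable"]["http"] = True
    r["expired_refetched"] = check_client_cert(cache, issuer, serial, urls, state["now"])
    r["fetch_log"] = list(cache.fetch_log)
    return r
```

Running `simulate()` shows the two Q9 symptoms side by side: revoking the certificate or taking the CDPs offline changes nothing until the cached CRL's next-update time passes, and once it has passed the outcome depends entirely on whether a CDP can be reached. The fetch log also records that only the first listed CDP is attempted until it fails, which is the behaviour A3 describes.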

All certificates are stored in the cache when the certificates are selected from a store or from a URL. The only difference is the location where the cached certificates are stored. Certificates can be stored in the following locations:
  • Memory

    All retrieved certificates are cached in memory.
  • CA Store

    All certificates that are retrieved from any WinInet-supported URLs, such as HTTP, FTP, LDAP, and FILE by using the Authority Information Access (AIA) extension are cached in the CA store.
  • Local file system

    If the retrieval URL is ldap://, ftp://, or http://, the certificate or CRL is also cached by WinInet in the local file system. The cache is stored in the Documents and Settings\UserName\Local Settings\Temporary Internet Files folder.

For additional information about certificates and about caching, visit the following Microsoft Web site:
Q12: Can IIS 5.0 perform "real time" CRL checking?

A12: No. IIS 5.0 uses the CRL in the cache until the CRL expires. The lowest validity period for a CRL that is published by Microsoft Certificate Services is one hour. You can delete the CRL from the cache to force the retrieval of a new CRL. However, the new CRL still has the same validity period.

REFERENCES

For more information about the Internet X.509 Public Key Infrastructure Certificate and CRL Profile, visit the following Internet Engineering Task Force (IETF) Web site:

Request for Comments (RFC) 2459

Modification Type: Major
Last Reviewed: 3/25/2005
Keywords: kbtshoot kbinfo KB289749 kbAudITPRO kbAudDeveloper