Configuring Certificate Revocation

Applies To: Windows Server 2008 R2, Windows Server 2012

Every certificate is issued with a specific validity period. Revoking a certificate invalidates it as a trusted security credential before its original validity period expires. There are a number of reasons why a certificate can become untrustworthy as a security credential before its scheduled expiration. Examples include:

  • Compromise, or suspected compromise, of the certificate subject's private key.

  • Compromise, or suspected compromise, of a certification authority's (CA) private key.

  • Discovery that a certificate was obtained fraudulently.

  • Change in the status of the certificate subject as a trusted entity.

  • Change in the name of the certificate subject.

It is not always possible to contact a CA or other trusted server for information about the validity of a certificate. To effectively support certificate status checking, a client must be able to access revocation data to determine whether the certificate is valid or has been revoked. To support a variety of scenarios, Active Directory Certificate Services (AD CS) supports industry-standard methods of certificate revocation. These include publication of certificate revocation lists (CRLs) and delta CRLs, which can be made available to clients from a variety of locations, including Active Directory Domain Services (AD DS), Web servers, and network file shares.

Note

In Windows Server 2008 R2 and Windows Server 2008, an Online Responder can be used to make CRL data more readily accessible in complex network environments. An Online Responder uses the certificate revocation data from CRLs and processes certificate status requests from clients individually.

CRLs are complete, digitally signed lists of certificates that have been revoked. These lists are published periodically and can be retrieved and cached by clients (based on the configured lifetime of the CRL) and used to verify a certificate's revocation status.

Because CRLs can become large, depending on the number of certificates issued and revoked by a CA, you can also publish smaller, interim CRLs called delta CRLs. Delta CRLs contain only the certificates revoked since the last regular CRL was published. This allows clients to retrieve the smaller delta CRL and more quickly build a complete list of revoked certificates. The use of delta CRLs also allows revocation data to be published more frequently because the size of the delta CRL usually does not require as much time to transfer as a full CRL.

Additional references