Certificate Revocation Checking in Windows Vista and Windows Server 2008

Applies To: Windows 7, Windows Server 2008, Windows Server 2008 R2, Windows Vista

Windows Vista® and Windows Server® 2008 introduce changes in revocation checking behavior. These changes include an Online Certificate Status Protocol (OCSP) client and an OCSP responder, servers configured to enable clients to pre-fetch revocation information, and OCSP settings managed through Group Policy.

This document provides details to system administrators how to modify revocation configuration to take advantage of these changes to provide more timely revocation information to clients. Topics in this white paper include:

Revocation terminology

The following terms and acronyms are used throughout this document.

  • Abstract Syntax Notation One (ASN.1). A standard to describe messages that can be sent or received in a network. ASN.1 specifies the rules for describing the structure of objects.

  • Authority information access . A certificate extension that contains URLs where the issuing CA certificate can be retrieved. The authority information access extension can contain HTTP or Lightweight Directory Access Protocol (LDAP) URLs. If OCSP is implemented, the authority information access extension will also include URLs for communicating with OCSP responders.

  • Certificate revocation list (CRL). A digitally signed list issued by a CA that contains certificates that are revoked. The list includes the serial number of the certificate, the date that the certificate was revoked, and the reason for revocation. Applications can perform CRL checking to determine a presented certificate's revocation status. CRLs can also be referred to as base CRLs to differentiate them from delta CRLs.

  • Certification authority (CA). An entity that issues certificates that assert information about a specific user, computer, or organization requesting the certificate under a set of certificate issuance policies.

  • CryptoAPI. A set of Windows APIs that provide low level cryptographic primitives and higher level cryptographic technologies, such as X.509 certificate processing, management, and cryptographic messaging.

  • Cryptography Next Generation (CNG). A replacement of the CryptoAPI that enables support for Suite B cryptographic algorithms such as elliptic curve cryptography (ECC).

  • CRL distribution point. A certificate extension that indicates where the CRL for a CA can be retrieved. This extension can contain multiple HTTP or LDAP URLs for the retrieval of the CRL.

  • Delta CRL. A type of CRL that contains the list of certificates revoked since the last base CRL was published. Delta CRLs are frequently used in environments where many certificates are revoked to optimize bandwidth usage.

  • ETag. The entity tag header is a value used for comparing two or more entities from the same requested HTTP URL. The origin server must guarantee the ETag is unique across all versions of an object associated with a particular URL.

  • Issuing Distribution Point (IDP). The IDP extension is a CRL extension that lets relying parties determine the necessary scope of a CRL when a CA certificate is renewed or re-keyed (renewed with new key). The IDP indicates whether the CRL covers revocation for end-entity certificates only, CA certificates only, attribute certificates only, or a limited set of reason codes.

  • Max-age. The Max-age header contains the time in seconds that a HTTP proxy can field requests without revalidating with the origin server.

  • Online Certificate Status Protocol (OCSP). A protocol that enables high-performance validation of certificate status.

  • Public Key Cryptography for Initial Authentication in Kerberos (PKINIT). A protocol that extends the Kerberos protocol by using public key cryptography in the initial authentication exchange to enable user logon with a smart card.

  • Public key infrastructure (PKI). A PKI consists of one or more CAs that issue X.509 certificates, resources that provide revocation and validation information for certificates, and the certificates that are issued to security entities on the network.

  • Transport Layer Security (TLS). A protocol that provides data confidentiality and integrity of network communications between a client and a server. TLS is comprised of two layers: the TLS Handshake Protocol, which enables a server and client to authenticate one another, negotiate an encryption algorithm and securely exchange cryptographic keys, and the TLS Record Protocol which uses symmetric data encryption to provide data confidentiality.