Troubleshooting: Certificate Revocation Lists

The certificate revocation list (CRL) is a list of certificates that have been revoked, generally hosted by a CA directly or by a PKI provider. When a CA revokes a certificate, the certificate is automatically added to the CRL. Whenever a certificate's validity is verified, a check is performed against the CRL specified within the certificate to ensure that it has not been revoked. CRLs are generally valid for only several hours, so updated versions are continually republished. This process does, however, require that any client application trying to validate a certificate be able to connect to the certificate's CRL directly. If this connection fails, the certificate is assumed to be invalid.

The CRL of a certificate can be identified from the "Details" section when viewing the certificate, as shown below. Under the "CRL Distribution Points" field, there is a listing of all available CRL endpoints for that certificate. If multiple endpoints are listed, only one of them needs to be available for successful validation. A quick check of the availability/connectivity of the CRL is simply to open this URL in a browser on the same computer that is trying to initiate the connection. If the browser receives an HTTP 404 or some other error, there is likely a connectivity issue with the CRL. Otherwise, the browser will generally display the contents of the CRL directly or attempt to download the file.

[Image: image001.png]

One of the best places to identify CRL errors is the CAPI2 log on the server. CAPI2 is the Microsoft Cryptographic API, and this log contains most events involved in the computer's validation of certificates. The log can be found in the system's Event Viewer by navigating to Applications and Services Logs -> Microsoft -> Windows -> CAPI2 -> Operational, as shown below. If this is your first time viewing it, you may need to enable it from the 'Actions' pane on the right side of the window: simply select the option called Enable Log. From then on, any events using the CryptoAPI are logged here. Because of the sheer volume of these events over time, it is recommended to disable the logging once you have completed troubleshooting or identified the error.

[Image: image002.png]

When analyzing CAPI2 logs, you must know the exact time stamp at which the event occurred. When troubleshooting a failing connection, note the exact time a connection is attempted and view the CAPI2 logs for that time frame. An event where the CRL check fails will look similar to the one below.

[Image: image003.png]

Select the Verify Revocation entry and, in the pane below, change the view to Details. This shows the information used to identify the specific certificate that is failing, as well as the exact error being experienced, at the bottom of that section. The most common CRL error is:

The revocation function was unable to check revocation because the revocation server was offline.

This error indicates that the computer was performing a validity check on the certificate using its specified CRL but was unable to connect to the CRL endpoint. This can occur if the CRL actually is offline, or if a networking issue prevents the client computer from reaching the CRL distribution point.
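The two checks described above (probe each CRL Distribution Point, then read the Verify Revocation events around the failure time) can be scripted. The following PowerShell script is an added example and not part of the original article; it assumes the failing certificate is in the LocalMachine\My store and is identified by its thumbprint, and it filters events by their task name rather than by event ID.

```powershell
# Added example (not from the original article). Assumes the certificate is in
# Cert:\LocalMachine\My and that $Start/$End bracket the failed connection attempt.
param(
    [Parameter(Mandatory)][string]$Thumbprint,
    [datetime]$Start = (Get-Date).AddMinutes(-10),
    [datetime]$End   = (Get-Date)
)

# 1. Read the CRL Distribution Points extension (OID 2.5.29.31) and probe every
#    URL it lists, mirroring the "open it in a browser" check from the article.
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) { throw "Certificate $Thumbprint not found in Cert:\LocalMachine\My" }

$cdp  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
$urls = if ($cdp) { [regex]::Matches($cdp.Format($true), 'https?://\S+') | ForEach-Object { $_.Value } } else { @() }
if (-not $urls) { Write-Warning 'Certificate carries no CRL Distribution Points extension' }

foreach ($url in $urls) {
    try {
        $r = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 15
        "OK   $url (HTTP $($r.StatusCode), $($r.RawContentLength) bytes)"
    } catch {
        # Only one reachable endpoint is required, so a single FAIL is not by itself the fault.
        "FAIL $url : $($_.Exception.Message)"
    }
}

# 2. Make sure the CAPI2 Operational log is enabled (the article's 'Enable Log'
#    action), then list the Verify Revocation events inside the time window.
$logName = 'Microsoft-Windows-CAPI2/Operational'
wevtutil set-log $logName /enabled:true

Get-WinEvent -FilterHashtable @{ LogName = $logName; StartTime = $Start; EndTime = $End } -ErrorAction SilentlyContinue |
    Where-Object { $_.TaskDisplayName -eq 'Verify Revocation' } |
    ForEach-Object {
        # The event XML carries the result text shown under Details; the "offline"
        # message corresponds to CRYPT_E_REVOCATION_OFFLINE (0x80092013).
        $xml = $_.ToXml()
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Level   = $_.LevelDisplayName
            Offline = ($xml -match 'revocation server was offline|80092013')
            Message = ($_.Message -split "`n")[0]
        }
    } | Format-Table -AutoSize

# Disable the log again once troubleshooting is finished, as the article recommends:
# wevtutil set-log $logName /enabled:false
```

Run it as an administrator, since enabling the CAPI2 log and reading the LocalMachine store both require elevation.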
