
We use code signing certificates that we distribute through an autoenrollment group policy. These certificates were used to sign Excel macros and are issued by an internal CA.

Now, when I try to revoke one of these certificates, it is listed in the certificate revocation list.

So far so good.

The problem is that the code-signed documents remain trustworthy. I assume the certificate chain is not verified "online" but against a local cache.

I've tried to set the GPO "Certificate Path Validation Settings" -- "Revocation" and selected the "Define these policy settings" check box.

Can somebody clarify how (long) revocation entries are stored on client machines? Our CA stores and publishes its CRL. Is it possible to force the clients to immediately check against this list each time an MS Office application opens a signed document?

Greg Askew
rumpi

1 Answer


Windows clients extensively use revocation checking (for both CRL and OCSP). Once the CRL for a specified issuer or the OCSP response for a specified certificate is retrieved, it is cached and no new queries are sent until the cached information expires.

For CRLs, they are cached up to the NextUpdate value in the CRL. For OCSP responses it is similar: up to the nextUpdate value in the SingleResponse structure, which is often set to the NextUpdate field of the referenced CRL.

The Windows client's CRL handling includes some advanced features, like polling. Periodically, the Windows client polls the CDP URL to check whether new revocation information is available (through the ETag) and prefetches it if newer information is available.

Certificate revocation is not and never was an immediate action; it takes some reasonable time to get updated on clients.

Crypt32
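As an added example (not part of the answer above or of any Microsoft documentation), a PowerShell session an administrator can run on an affected client to see the caching described above in practice: list the cached CRL/OCSP entries, build the chain for the revoked code-signing certificate with online revocation checking, then flush the cache and re-fetch so the client picks up the freshly published CRL. The thumbprint is a placeholder; the temp path and timeout are assumptions.

```powershell
# Placeholder: thumbprint of the code-signing certificate you revoked on the internal CA.
$Thumbprint = 'PLACEHOLDER-THUMBPRINT-OF-REVOKED-CERT'

# 1. Show what revocation data this client already holds. Each cached CRL stays in use
#    until its NextUpdate, which is why a just-revoked certificate can still validate.
certutil -urlcache CRL

# 2. Locate the certificate in the user or machine store.
$cert = Get-ChildItem -Path Cert:\CurrentUser\My, Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $Thumbprint } |
        Select-Object -First 1
if (-not $cert) { throw "Certificate $Thumbprint not found in the personal stores." }

# 3. Build the chain with revocation checking forced to Online for the whole chain.
#    Note: Online still honours the local CRL cache; it only means CryptoAPI may
#    contact the CDP/OCSP responder when it has nothing cached.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode =
    [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag =
    [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
$chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(15)   # assumed value

$valid = $chain.Build($cert)
"Chain valid before cache flush: $valid"
foreach ($s in $chain.ChainStatus) { "  {0}: {1}" -f $s.Status, $s.StatusInformation.Trim() }

# 4. If the chain still reports as valid, the cached CRL predates the revocation.
#    Flush the per-user URL cache and tell the chain engine to resync, then re-verify
#    with -urlfetch so certutil downloads the current CRL from the CDP.
certutil -urlcache CRL delete
certutil -setreg chain\ChainCacheResyncFiletime @now

$cerPath = Join-Path $env:TEMP 'revoked-check.cer'          # assumed temp location
[System.IO.File]::WriteAllBytes($cerPath, $cert.RawData)
certutil -verify -urlfetch $cerPath | Select-String -Pattern 'Revocation|Revoked|NextUpdate|Cert is'
Remove-Item $cerPath -ErrorAction SilentlyContinue

# 5. Confirm with the .NET chain engine again; with a fresh CRL the build should now fail
#    and ChainStatus should contain a Revoked entry.
$chain.Reset()
$valid = $chain.Build($cert)
"Chain valid after cache flush: $valid"
foreach ($s in $chain.ChainStatus) { "  {0}: {1}" -f $s.Status, $s.StatusInformation.Trim() }
```

Flushing the cache is a per-machine test step; the durable fix for the delay the answer describes is a shorter CRL validity window (or OCSP) on the issuing CA, so NextUpdate arrives sooner on every client.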