
I have a CA and Active Directory + ADFS instances set up on a Windows Server 2016 machine. I issued a client certificate for one of the users (for smart card logon) and then revoked it. However, I'm still able to log in via the revoked certificate.

When trying to debug this, I see that the revoked cert doesn't appear in the CRL. Should this be configured somehow, or is it some kind of caching?

Some data:

  • In certsrv, the Revoked Certificates section shows the certificate I revoked, with the Revocation Reason = Unspecified.
  • certutil says "Leaf certificate revocation check passed". Full command: `certutil -f -urlfetch -verify C:\Path\To\My\Revoked\Cert.cer`
  • In certsrv in the CA properties, the "Extensions" tab does show multiple CRL distribution points; I haven't changed these settings.
  • When opening the .crl files in C:\Windows\system32\CertSrv\CertEnroll\, both of them are empty.
Davidw
Max
    `the "Extensions" tab does show multiple CRL distribution points` Do those have the revoked certificate? That's where I would start. There's typically an http endpoint and an LDAP endpoint. – Greg Askew Oct 24 '21 at 22:43
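An added diagnostic script (not from the question or the comment) that walks the checks above in order: confirm the CA database records the revocation, look at the CRL publication interval, force a new CRL, confirm the revoked serial actually appears in the published .crl files, then clear the local CRL cache and re-verify. It assumes it is run elevated on the CA host and that the certificate path is the placeholder from the question.

```powershell
# Constructed example: run in an elevated PowerShell session on the CA host.
$RevokedCert = 'C:\Path\To\My\Revoked\Cert.cer'          # placeholder from the question
$CertEnroll  = "$env:SystemRoot\System32\CertSrv\CertEnroll"

# 1. Confirm the CA database lists the certificate as revoked.
#    Disposition 21 = revoked; the serial must match the one in the .cer file.
$serial = (New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $RevokedCert).SerialNumber
"Serial number of the revoked certificate (from file): $serial"
certutil -view -restrict "Disposition=21" -out "RequestID,SerialNumber"

# 2. Show the base and delta CRL publication interval. A revocation only
#    reaches relying parties with the NEXT published CRL; until then clients
#    keep downloading (and caching) the old, still-empty CRL.
certutil -getreg CA\CRLPeriodUnits
certutil -getreg CA\CRLPeriod
certutil -getreg CA\CRLDeltaPeriodUnits
certutil -getreg CA\CRLDeltaPeriod

# 3. Force immediate publication of fresh base and delta CRLs.
certutil -crl

# 4. Dump every CRL the CA just wrote and check whether the serial is listed.
#    certutil prints serials as hex; -match is case-insensitive in PowerShell.
Get-ChildItem "$CertEnroll\*.crl" | ForEach-Object {
    "--- $($_.Name) ---"
    $dump = certutil -dump $_.FullName
    if ($dump -match $serial) { "  serial $serial IS listed" }
    else                      { "  serial $serial is NOT listed" }
}

# 5. Re-test. certutil and CryptoAPI cache a fetched CRL until its NextUpdate
#    time, so flush the URL cache first or the old empty CRL is reused.
certutil -urlcache * delete
certutil -f -urlfetch -verify $RevokedCert
```

The domain controller performing the smart card logon keeps its own CRL cache, so step 5 (cache flush plus re-verify) has to be repeated there, not only on the CA.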

0 Answers