I'm trying create a validation for server certificates and one of the things I need to do is to check if the certificate is revoked, but the server certificates from a specific server seems to not have a CRL URL which I would use to retrieve the CRL to check. Is this supposed to be possible? In the case of no CRL URLs should I just consider the certificate not revoked or stale?
Asked
Active
Viewed 376 times
1 Answers
2
If the certificate is self-signed (i.e. subject matches issuer), then it is ok and expected.
If the certificate is not self-signed, then it is still possible, though highly NOT recommended and against practices. You may try to look if they provide OCSP (On-line Certificate Status Protocol) URLs in Authority Information Access extension. If no OCSP URL is presented, then CA is badly operated.
In the case of no CRL URLs should I just consider the certificate not revoked or stale?
it depends. If it is self-signed certificate, then you skip revocation checking process and consider the cert ok (if certificate passes all other checks). If it is non self-signed, then it depends on an application. If it is regular TLS certificate, then it is ok to bypass offline revocation. If it is client authentication or code signing certificate, then it may be reasonable to reject the certificate.
Crypt32
- 6,639
- 1
- 15
- 33