
I am adding smart card login to our domain and have got almost everything working properly except that when I revoke the certificate on our Enterprise CA I can still log into computers. I have checked that I can download the CRL using the link in the certificate and see that the cert SN is in the revocation list. I cleared the local CRL cache (using certutil -urlcache crl delete) on the client machine, and have now tested again 2 days later - still works

Can someone give some guidance on where in the logon process the actual smartcard certificate revocation list is checked? Looking at this document https://learn.microsoft.com/en-us/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration#smart-card-sign-in-flow-in-windows, it is just not clear to me who does what, as it never says "check smartcard certificate CRL".

Any help would be greatly appreciated

Andy Haer
  • When I looked at the properties for the CA Revoked Certificates group (the CRL) I found that the CRL Publication Interval was 5 years and publish delta CRLs was unchecked. I changed CRL publication to 1 week and enabled deltas at 1 hour. Will see if that helps. – Andy Haer Jul 21 '23 at 20:40
  • Have you performed a packet capture to confirm that the endpoint is checking the CRL tcp/80? FYI there is a setting to control that. Typically used in a recovery scenario if CRL is inaccessible. – Greg Askew Jul 21 '23 at 20:43
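Editor's note, with an added example that is not part of the question or the comments above. The two comments point at the things a practitioner would verify: whether the CRL that is actually consulted is a stale cached copy (a CRL published with a 5-year interval has a "Next Update" years away, and CryptoAPI reuses a cached CRL until that time regardless of what the CA has since published), and whether revocation checking happens at all. During a PKINIT smart-card logon the domain controller's KDC validates the user's certificate chain, so the relevant CRL cache and revocation settings are on the DC, not only on the client where the cache was cleared. The PowerShell below builds the chain for an exported logon certificate the same way the Windows chain engine does, allowing network retrieval of the CRL, lists the cached CRLs, downloads the published CRL to show its ThisUpdate/NextUpdate and entries, and reads the KDC/Kerberos registry value that makes revocation-unknown errors non-fatal. The certificate path and CDP URL are parameters you supply; run it on the client and on a DC and compare. It uses only .NET X509Chain and certutil, which exist on any supported Windows build.

```powershell
# Added example (editor's code, not from the original post): diagnose why a revoked
# smart-card logon certificate is still accepted. Run on the client and on a DC.
# $CertPath and $CdpUrl are assumptions supplied by the operator.
param(
    [Parameter(Mandatory)][string]$CertPath,   # user cert exported from the card (.cer)
    [Parameter(Mandatory)][string]$CdpUrl      # HTTP CRL Distribution Point URL from that cert
)

Add-Type -AssemblyName System.Security
$X509 = 'System.Security.Cryptography.X509Certificates'

$cert  = New-Object "$X509.X509Certificate2" $CertPath
$chain = New-Object "$X509.X509Chain"
# Check revocation for the whole chain and let CryptoAPI fetch CRLs over the network.
# Note: a cached CRL that is still time-valid (before its NextUpdate) is reused even here.
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
# Require the Smart Card Logon EKU, as the logon path does.
[void]$chain.ChainPolicy.ApplicationPolicy.Add(
    (New-Object System.Security.Cryptography.Oid '1.3.6.1.4.1.311.20.2.2'))

$ok = $chain.Build($cert)
"Chain build succeeded: $ok   (serial {0})" -f $cert.SerialNumber
foreach ($s in $chain.ChainStatus) {
    # Expected for a revoked cert: Revoked. RevocationStatusUnknown/OfflineRevocation
    # means the CRL could not be fetched, which some configurations treat as success.
    "  {0,-26} {1}" -f $s.Status, $s.StatusInformation.Trim()
}

"`n== CRLs currently cached by CryptoAPI on $env:COMPUTERNAME =="
certutil -urlcache crl

"`n== CRL as currently published at the CDP =="
$tmp = Join-Path $env:TEMP 'cdp-check.crl'
Invoke-WebRequest -Uri $CdpUrl -OutFile $tmp -UseBasicParsing
# ThisUpdate/NextUpdate show the validity window clients will honour before refetching;
# the serial list shows whether this publication actually contains the revoked cert.
certutil -dump $tmp | Select-String -Pattern 'ThisUpdate|NextUpdate|Serial Number'
Remove-Item $tmp -ErrorAction SilentlyContinue

"`n== Revocation-error handling overrides =="
$paths = @(
    'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc',                          # KDC side (domain controller)
    'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'         # Kerberos client side
)
foreach ($p in $paths) {
    $v = (Get-ItemProperty -Path $p -Name 'UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors' `
            -ErrorAction SilentlyContinue).UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors
    "  {0}: {1}" -f $p, $(if ($null -eq $v) { 'not set (default)' } else { $v })
}
```

If the chain build on the DC reports Revoked while logon still succeeds, the KDC is not the component accepting the certificate; if it reports RevocationStatusUnknown or OfflineRevocation, the DC cannot reach the CDP and the registry value above, or a cached CRL with a far-off NextUpdate, explains why logon continues to work. Shortening the publication interval (as done in the comment) only takes effect once the previously cached CRL expires or is deleted on every machine that validates the chain, including the domain controllers.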

0 Answers