
I created a self-signed root CA cert for internal test use, using openssl. This has been successfully installed and used as a trusted CA on a number of machines and platforms (Windows, Linux, various Java/.NET/browser clients) without issue.

One user (running WinXP SP3 / IE8) receives the following error when trying to import the CA cert into their trusted root store: "This certificate was revoked by its certification authority"

The CA does reference a CRL which I created myself, but it is empty. The user can manually access and view the CRL and confirm it is empty. CRL checking is disabled in IE, but I guess this setting may not apply when populating the cert store.

What could explain this? Is there any way that a revoked cert from a different CA but with the same fingerprint could cause my CA cert to be flagged as revoked?

Kieran Tully
  • The fingerprint is unique to the cert, so that wouldn't be the case, unless you were extremely unlucky. – dunxd Dec 07 '11 at 17:05
  • When you say the CRL is empty, what do you mean? Do you mean there's a valid, unexpired CRL available that doesn't expire this (or any other) certificate? Or do you mean there's literally no data? – David Schwartz Sep 22 '16 at 03:23
  • The former, a valid CRL which multiple tools could parse, but it expired no certificates. – Kieran Tully Jul 10 '17 at 22:14

2 Answers


This is what happens when their client can't access your CRL.

See http://support.microsoft.com/kb/289749:

Q8: What error message appears in the Web browser if an effective CRL cannot be obtained? Is the same error message displayed if the CRL is obtained and if the certificate is revoked?

A8: Yes, you receive the same error message in both scenarios. You receive the following error message:

HTTP 403.13 Forbidden: Client certificate revoked

The page requires a valid client certificate
dunxd
  • As I said: "The user can manually access and view the CRL", i.e. IE can access the CRL URL. Other WinXP machines on the same LAN can install the cert without this issue occurring. The "client" in this case is the part of Windows that checks certs before installing them in the local cert store. – Kieran Tully Dec 07 '11 at 13:25
  • Microsoft have a lengthy white paper on troubleshooting certificates - see http://technet.microsoft.com/en-us/library/cc700843.aspx – dunxd Dec 07 '11 at 17:02
  • If you are only seeing this on a single machine, can you identify anything different about that machine? E.g. group policy applied. Have you tried creating a new cert and seeing whether the same problem exists on this computer or others? – dunxd Dec 07 '11 at 17:04

Although the thread is very old, I have the answer. A self-signed certificate can be reported as revoked on Windows when it is placed in the Untrusted Certificates store.

About the CRL: even if one is present, the Microsoft CryptoAPI client by default ignores the CDP in a self-signed certificate and checks only non-root certificates for revocation.

Crypt32
  • I no longer have access to the machine to check, but this is a good suggestion. If the machine's user imported the certificate into the Untrusted store the first time, then further attempts by me or them to import it into the Trusted store could well fail with the error we saw. – Kieran Tully Jul 10 '17 at 22:15
  • You can check it on any other machine. Place (or temporarily copy) any root cert to the Untrusted Certificates store and see what happens. – Crypt32 Jul 11 '17 at 04:22
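As an added example (not code from either answer), a PowerShell check for the condition Crypt32 describes: it looks up the CA cert's thumbprint in both the per-user and machine-wide Untrusted Certificates (Disallowed) stores, then builds a chain with CRL checking switched off so that any "revoked" verdict can only have come from the store, not from the CRL. The certificate path is an assumed placeholder.

```powershell
# Added example: is this root CA cert sitting in the Windows Disallowed
# ("Untrusted Certificates") store? If so, CryptoAPI reports it as revoked
# no matter what the CRL says. The path is a hypothetical placeholder.
param([string]$CertPath = "C:\temp\internal-root-ca.cer")

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
Write-Host "Subject   : $($cert.Subject)"
Write-Host "Thumbprint: $($cert.Thumbprint)"

# Either store location can produce the symptom, so check both.
foreach ($location in 'CurrentUser', 'LocalMachine') {
    $storePath = "Cert:\$location\Disallowed"
    $hit = Get-ChildItem $storePath -ErrorAction SilentlyContinue |
           Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
    if ($hit) {
        Write-Warning "Found in $storePath - remove it with: Remove-Item '$storePath\$($cert.Thumbprint)'"
    } else {
        Write-Host "Not present in $storePath"
    }
}

# Build the chain with revocation checking disabled. If the status still
# comes back as Revoked (or a distrust flag), the verdict is coming from the
# local store entry, not from the CRL referenced in the certificate.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode =
    [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$valid = $chain.Build($cert)
Write-Host "Chain valid with CRL checks off: $valid"
foreach ($s in $chain.ChainStatus) {
    Write-Host " - $($s.Status): $($s.StatusInformation.Trim())"
}
```

Run it on the affected machine under the user's own account as well as an elevated one, since the CurrentUser store differs per account.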