-1

I have create Root CA and Server Certificate following didierstevens blog. My browsers still trusts the certificate even after revoking the server certificate. I was getting certificate revoked error message for my old CA and certificate. I followed same blog for creating new CA and cert but it is not working now.

I have hosted my test application in IIS 10.0.10586.0, my client browsers are Chrome 63.0.3239.132 and IE 11.1295.10586.0. I confirmed CRL file is accessible, certification revocation check is turned on in both the browsers. But still the CRL verification is not happening.

user3771120
  • 1
  • 1
  • Where's the self-signed certificate in all of this? You say you have a Root CA and a server certificate in your question, but the title states you're using self-signed. Can you view the content of the 'accessible' CRL (however you present it) and confirm that the revoked certificate serial number is listed? Did you use the same CommonName for both old and new? – garethTheRed Feb 27 '18 at 12:49
  • Did you also create a new CRL? What is the lifetime of the CRL? – Jenny D Feb 27 '18 at 13:30
  • Also, is the crlDistributionPoint extension in the end-entity certificate? – garethTheRed Feb 28 '18 at 07:45

1 Answers1

0

Certificate Revocation is a process that is handled by the browser/application that is handling the certificate in the first place. When it connects to the application and is presented the certiticate, it first checks the Common Name (or SAN) to make sure the name of the server matches the certificate. After that, it does some other checks (not relevant for this question) and eventually gets to the CRL check.

The CRL check requires that the application reach out to the listed server hosting the CRL file (or OCSP server) to validate if the certificate presented is still valid. This means that not only do you have to properly sign the CRL with the issuing certificate, you also have to host the CRL file in a way for the clients to access it. If the CRL isn't properly updated and signed, this would fail the CRL check in a way where the certificate is still valid.

Did you host the CRL in a location that is accessible to clients that would be checking the CRL in the first-place?

Andrew
  • 2,142
  • 2
  • 19
  • 25