
Let's say I have Root CA -> Sub CA 1 -> Sub CA 2 -> leaf certificate. I need to check the revocation status of the leaf certificate by getting all CRLs provided by Sub CA 2. If the leaf cert is in a CRL, it is no longer valid. Everything is fine so far, but what if Sub CA 2 has itself expired or been revoked by Sub CA 1 (maybe Sub CA 1 has even expired itself or been revoked by the Root CA)? Are the CRLs from Sub CA 2 still valid? Do I need to check revocation status recursively from the leaf to the root certificate?

SoT

1 Answer

Yes, you have to validate every certificate against its issuer's CRL, except the root certificate. The root certificate is not checked for revocation.

But you don't need to do this (write code) yourself. You should delegate this task to cryptographic libraries that implement certificate validation logic.

Crypt32
  • Hi @Crypt32, let me summarize. I want to check the revocation status of the leaf cert, so I need to get CRLs from Sub CA 2 to check whether Sub CA 2 is still valid, then I need to get CRLs from Sub CA 1 to check whether Sub CA 1 is still valid. This means that if I want to check the revocation status of a certificate, I need to check the revocation status of its parent, then of the parent's parent, and so on until the Root CA; is this what you mean? – SoT Jan 08 '21 at 07:31
  • Yes, you understand it correctly. If any parent CA is revoked, then all certificates down the road (under the revoked CA) are implicitly revoked. – Crypt32 Jan 08 '21 at 07:32
  • What about the CRL? If the issuer expires or is revoked, is its CRL still valid? – SoT Jan 08 '21 at 13:47
  • If the issuer is expired, then the CRL is expired too (though in certain scenarios this is not the case). What is your question here? If you want revocation checking details, then I strongly recommend checking RFC 5280. If you want something else, then ask your direct question. – Crypt32 Jan 08 '21 at 13:51
  • Sorry, my question is not clear. I'm working with PDF digital signatures, and I need to check from the CRL whether the certificate that was used to sign the PDF was revoked (at signing time, for example 3 days ago) or not. If this cert was revoked before signing (for example it was revoked 5 days ago), the signature is surely invalid. But there is a case where the certificate was revoked and the issuer of the CRL was also revoked (maybe before it signed the CRL, or maybe after). In this case I cannot decide whether the certificate is revoked or not, since the CRL got revoked. Do you get my point? – SoT Jan 08 '21 at 14:32
  • Yes, I got it. You should use standard library (or framework) APIs to check this. Don't implement your own validation logic. – Crypt32 Jan 08 '21 at 14:44
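The chain walk the answer describes, as an added example that is not part of the question or the answer: it builds the four-level chain from the question in memory with the `cryptography` package (an assumption; the page names no library), signs one CRL per CA, and checks every certificate except the root against its issuer's CRL, so the leaf comes out revoked once Sub CA 1 revokes Sub CA 2 even though no CRL ever lists the leaf itself. All keys, serials and dates are constructed; `next_update_utc` is used where the installed version provides it (cryptography 42 and later), with a fallback to the older naive `next_update`.

```python
import datetime as dt
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec

NOW = dt.datetime(2021, 1, 8, tzinfo=dt.timezone.utc)  # constructed "current time" for the demo

def make_cert(cn, issuer_cert, issuer_key, is_ca):
    key = ec.generate_private_key(ec.SECP256R1())  # issuer_cert=None means a self-signed root
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    cert = (x509.CertificateBuilder().subject_name(subject)
            .issuer_name(issuer_cert.subject if issuer_cert else subject)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(NOW - dt.timedelta(days=1)).not_valid_after(NOW + dt.timedelta(days=365))
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
            .sign(issuer_key or key, hashes.SHA256()))
    return cert, key

def make_crl(issuer_cert, issuer_key, revoked_serials):
    # One CRL signed by the CA itself, listing the serials it has revoked
    b = (x509.CertificateRevocationListBuilder().issuer_name(issuer_cert.subject)
         .last_update(NOW).next_update(NOW + dt.timedelta(days=7)))
    for serial in revoked_serials:
        b = b.add_revoked_certificate(
            x509.RevokedCertificateBuilder().serial_number(serial).revocation_date(NOW).build())
    return b.sign(issuer_key, hashes.SHA256())

def chain_revocation_status(chain, crls, now=NOW):
    """chain runs leaf -> ... -> root; returns None if no non-root cert is revoked, else why."""
    for cert, issuer in zip(chain, chain[1:]):  # the root itself is never checked
        who = issuer.subject.rfc4514_string()
        crl = next((c for c in crls if c.issuer == issuer.subject), None)
        if crl is None or not crl.is_signature_valid(issuer.public_key()):
            return f"no CRL signed by {who}"
        next_update = getattr(crl, "next_update_utc", None) or crl.next_update.replace(tzinfo=dt.timezone.utc)
        if next_update < now:
            return f"CRL from {who} is stale"
        if crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None:
            return f"{cert.subject.rfc4514_string()} revoked by {who}; everything below it is implicitly revoked"
    return None

def demo():
    root, root_key = make_cert("Root CA", None, None, True)
    sub1, sub1_key = make_cert("Sub CA 1", root, root_key, True)
    sub2, sub2_key = make_cert("Sub CA 2", sub1, sub1_key, True)
    leaf, _ = make_cert("leaf", sub2, sub2_key, False)
    clean = [make_crl(root, root_key, []), make_crl(sub1, sub1_key, []), make_crl(sub2, sub2_key, [])]
    sub2_revoked = [clean[0], make_crl(sub1, sub1_key, [sub2.serial_number]), clean[2]]  # leaf never listed
    chain = [leaf, sub2, sub1, root]
    return chain_revocation_status(chain, clean), chain_revocation_status(chain, sub2_revoked)
```

A production validator additionally checks certificate validity periods, CRL distribution points and the signing time against the revocation time (RFC 5280, section 6), which is why the answer's advice to rely on the platform's validation API stands.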