KnowledgeBase Archive

An Archive of Early Microsoft KnowledgeBase Articles

View on GitHub

Q289749: Certificate Revocation Lists (CRL) and IIS 5.0: Common Questions

Article: Q289749
Product(s): Internet Information Server
Version(s): 5.0
Operating System(s): 
Keyword(s): kbfaq
Last Modified: 15-MAR-2001

-------------------------------------------------------------------------------
The information in this article applies to:

- Microsoft Internet Information Services version 5.0 
-------------------------------------------------------------------------------

SUMMARY
=======

This article has some of the frequently asked questions regarding Certificate
Revocation Lists (CRL) and Internet Information Services (IIS) 5.0.

MORE INFORMATION
================

Q.: What is a Certificate Revocation List (CRL) and a CRL Distribution Point
(CDP)?

A.: A CRL is a file that contains a list of revoked certificates, their serial
numbers, and their revocation date. A CRL file also usually contain the name of
the issuer of the CRL, effective date and the next update date. A CDP is the
location from which you can download the latest CRL and is usually listed as
"CRL Distribution Points" in the details of the certificate. It is common to
list multiple CDP's, using multiple access methods, to insure that applications
(that is, browsers, Web servers) are always able to obtain the latest CRL.

Example CDPs

[1]CRL Distribution Point (Note: This CDP is accessed via the LDAP protocol)
    Distribution Point Name:
         Full Name:
              URL=ldap:///CN=SecTestCA1,CN=SECTESTCA1,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=rte,DC=microsoft,DC=com?certificateRevocationList?base?objectclass=cRLDistributionPoint

[2]CRL Distribution Point (Note: This CDP is accessed via the http protocol)
    Distribution Point Name:
         Full Name:
              URL=http://sectestca1.rte.microsoft.com/CertEnroll/SecTestCA1.crl

[3]CRL Distribution Point (Note: This CDP is accessed via the file protocol)
    Distribution Point Name:
         Full Name:
              URL=file://\\sectestca1.rte.microsoft.com\CertEnroll\SecTestCA1.crl

Q.: When does IIS retrieve a CRL?

A.: Each CRL has an effective date (also called next update, or validity period).
IIS only retrieves a CRL when presented with a certificate for which it
currently does not have the associated CRL in its cache or if the cached CRL has
passed its effective date.

Q.: If the certificate contains several CRL Distribution Points does IIS retrieve
the CRL from each location?

A.: No. The first, or top, location is used. If unsuccessful then the next CRL
Distribution point is tried.

Q.: Are the contents of each CRL at each distribution point downloaded and
combined?

A.: No. Only one CRL is downloaded.

Q.: Are CRLs stored on the IIS computer?

A.: Yes. The current CRL is cached in the SYSTEM profile located at:

  \Documents and Settings\SYSTEM\Local Settings\Temporary Internet Files\

NOTE: The current CRL is always stored in the profile of the identity under which
IIS is running. By default, this is the "System" account.

Q.: How are CRLs identified (filename)?

A.: By a .crl file extension. For example, CRLfilename[1].crl.

NOTE: The actual filename is listed in the CRL's distribution point on the
certificate.

Q.: What happens if IIS 5.0 can not find one of the CRLs?

A.: By default, IIS 5.0 fails if the CRL of a certificate can not be accessed.
This is why there are multiple paths and protocols to the same CRL distribution
point. For example, http, LDAP, and File.

Q.: What error message is seen in the browser if an effective CRL can not be
obtained? Is the same error message displayed if the CRL is obtained and it
shows the certificate as revoked?

A.: Yes. This error message is presented in both scenarios:

  HTTP 403.13 Forbidden: Client certificate revoked The page requires a valid
  client certificate

Q.: We made sure that the CRL is unavailable and IIS does not appear to be
retrieving a new one or failing?

We revoked a certificate and republished the CRL and IIS still allows users to
browse the Web site using a revoked certificate. Why?

A.: Both of these questions revolve around the fact that IIS still uses a cached
CRL which has not passed it's effective date. For more information, refer to the
second question.

Q.: How do we force refreshing the cache on IIS so that it uses the very latest
CRL?

A.: Delete the CRL from the cache. Refer to the earlier answer for location of
where CRL is stored.

Q.: Can IIS perform "real time" CRL checking?

A.: No. IIS uses the CRL in the cache until it expires. The lowest validity
period for a CRL published by Microsoft Certificate Services is 1 hour. You can
delete the CRL from the cache to force the retrieval of a new CRL. However, the
new CRL still has the same validity period.

REFERENCES
==========

For more information, see the following Web address:

RFC: 2459

Internet RFC/STD/FYI/BCP Archives (http://www.faqs.org/rfcs/rfc2459.html)

Additional query words: CRL revocation

======================================================================
Keywords          :  kbfaq
Technology        : kbiisSearch kbiis500
Version           : :5.0
Issue type        : kbinfo

=============================================================================

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.

Copyright Microsoft Corporation 1986-2002.