Managing Certificate Revocation Lists (CRLs) in Windows


Publish a CRL to the Active Directory (LDAP) CDP container. The second argument is the CA server's short name, which is the name of the CDP container under CN=CDP,CN=Public Key Services in the Configuration partition; the account running the command needs write access there (for example, a member of Cert Publishers):

C:\> certutil -dspublish .\IssuingCA-DC1.crl serverName

Check that a certificate's Authority Information Access (AIA), CRL Distribution Point (CDP) and Online Certificate Status Protocol (OCSP) URLs are reachable and return valid objects:

C:\> certutil -URL certname.cer

This command launches the URL Retrieval Tool UI (the screenshots are not reproduced here), which can be used to check the following:

Note: the certificate used in the screenshots is revoked, so the OCSP and CRL checks report "Revoked" rather than an error; "Verified" there would mean the revocation data is reachable, not that the certificate is good.

Authority Information Access (AIA): this extension specifies where the issuing CA certificates are located and is used for building the certification path.

CRL accessibility based on the CRL Distribution Point (CDP) extension: each CDP URL is fetched and the returned CRL is checked.

Revocation status using OCSP: the OCSP responder URL is specified in the AIA extension (as an "OCSP" access method entry, next to the CA certificate locations).
Download a CRL without going through the UI. The -split switch writes the retrieved object to the working directory (the page's example produced the file "Blob0_1_0.crl"):

C:\> certutil -split -URL http://dc1.kp.local/pki/IssuingCA-DC1.crl

View the CRL publication locations configured on the CA (the CRLPublicationURLs registry value; run this on the CA server):

Verify the chain, validity period and revocation status of a specific certificate. -urlfetch retrieves the AIA, CDP and OCSP objects from the network, and -f forces fresh downloads instead of using the CryptoAPI cache, so this shows what a client would see right now rather than what is cached locally:

C:\> certutil -f -urlfetch -verify .\compcert.cer
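The same revocation check can be done from PowerShell through the .NET X509Chain class, which drives the CryptoAPI chain engine that certutil uses. The script below is an added example, not part of the original post: it builds the chain with online revocation checking for the entire chain and separates "revoked" from "could not determine", because the second case is where applications tend to fail open. The certificate path is an assumption (the post's compcert.cer is used as the default).

```powershell
# Added example, not from the original post. Checks a certificate's revocation
# status with CryptoAPI (via .NET X509Chain), which uses the same CRL/OCSP
# cache that "certutil -urlcache" shows for the current user.
param(
    [string]$CertPath = '.\compcert.cer'   # assumption: replace with your file
)

function Test-CertRevocation {
    param([Parameter(Mandatory)][string]$Path)

    $full  = (Resolve-Path $Path).Path
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $full
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain

    # Online: fetch CRL/OCSP from the CDP/AIA URLs when no fresh cached copy exists.
    # EntireChain: check the CAs as well, since a revoked intermediate also
    # invalidates the leaf.
    $chain.ChainPolicy.RevocationMode      = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag      = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(15)

    $valid = $chain.Build($cert)
    $flags = ($chain.ChainStatus | ForEach-Object { $_.Status.ToString() }) -join ','
    $info  = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join ' '

    # Revoked is a definite answer; RevocationStatusUnknown/OfflineRevocation
    # means the CDP or OCSP responder could not be reached or returned nothing
    # usable, which should be alarmed on separately.
    $verdict = if ($valid) { 'OK' }
               elseif ($flags -match 'Revoked') { 'REVOKED' }
               elseif ($flags -match 'RevocationStatusUnknown|OfflineRevocation') { 'UNKNOWN (CDP/OCSP unreachable?)' }
               else { 'INVALID' }

    $result = [pscustomobject]@{
        Subject = $cert.Subject
        Serial  = $cert.SerialNumber
        Verdict = $verdict
        Status  = $flags
        Detail  = $info
        Chain   = ($chain.ChainElements | ForEach-Object { $_.Certificate.Subject }) -join ' <- '
    }
    $chain.Reset()
    $result
}

Test-CertRevocation -Path $CertPath | Format-List
```

Unlike certutil -f, this uses whatever CryptoAPI has cached; to see a revocation that was published after the cached CRL was fetched, refresh the cache first or run certutil with -f.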


View the CRLs cached by CryptoAPI:

Windows CryptoAPI caches downloaded CRLs (per user, and separately for the machine context) for performance. A cached CRL is reused until its NextUpdate time, so a certificate revoked after the cached copy was fetched still validates on that machine until the cache is refreshed. Run the command as the user whose cache you want to inspect.

C:\> certutil -urlcache CRL

Update the local CRL cache / view a CRL:

The command below forces an update of the CRL cache.
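The following script is an added example, not the post's own command: it ties together the download, cache-refresh and inspection steps above. It marks every cached CRL and OCSP response as stale with certutil -setreg chain\ChainCacheResyncFiletime @now (an elevated prompt is required because the value lives under HKLM), downloads the CRL from the CDP and reads its ThisUpdate/NextUpdate fields and entry count from certutil -dump, then warns when the published CRL is close to expiry, since an expired CRL fails validation for every certificate the CA issued. The CDP URL is the post's example, and the two-day warning threshold, the label names parsed from certutil -dump and the locale-dependent date parsing are assumptions.

```powershell
# Added example, not from the original post. Refreshes the CryptoAPI CRL cache,
# re-downloads the CRL from the CDP and checks how close it is to NextUpdate.
param(
    [string]$CrlUrl  = 'http://dc1.kp.local/pki/IssuingCA-DC1.crl',  # assumption: the post's CDP
    [int]   $WarnDays = 2                                              # assumption: alert threshold
)

function Reset-CrlCache {
    # Sets ChainCacheResyncFiletime to "now": cached CRLs/OCSP responses older
    # than that are treated as stale and re-fetched on the next chain build.
    # Writes under HKLM, so the prompt must be elevated.
    & certutil.exe -setreg chain\ChainCacheResyncFiletime @now | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'certutil -setreg failed (not elevated?)' }
}

function Get-CrlInfo {
    param([Parameter(Mandatory)][string]$Url)

    $file = Join-Path $env:TEMP ([System.IO.Path]::GetFileName($Url))
    # Plain HTTP is normal for a CDP: the CRL is signed by the CA and verified on use.
    Invoke-WebRequest -Uri $Url -OutFile $file -UseBasicParsing

    # certutil -dump prints "ThisUpdate:" / "NextUpdate:" / "CRL Entries:" lines
    # (assumption: these English labels; the date format follows the system
    # locale, so the current culture is used to parse it).
    $dump = & certutil.exe -dump $file
    if ($LASTEXITCODE -ne 0) { throw "certutil -dump failed on $file" }

    function Get-Field([string]$Label) {
        $line = ($dump | Select-String "$Label\s*:" | Select-Object -First 1).Line
        if (-not $line) { return $null }
        ($line -replace ".*$Label\s*:\s*", '').Trim()
    }

    $entries = Get-Field 'CRL Entries'
    [pscustomobject]@{
        File       = $file
        ThisUpdate = [datetime]::Parse((Get-Field 'ThisUpdate'))
        NextUpdate = [datetime]::Parse((Get-Field 'NextUpdate'))
        Entries    = if ($entries) { [int]$entries } else { 0 }
    }
}

Reset-CrlCache
$crl  = Get-CrlInfo -Url $CrlUrl
$left = $crl.NextUpdate - (Get-Date)

$crl | Format-List
if ($left.TotalSeconds -le 0) {
    Write-Warning "CRL expired at $($crl.NextUpdate): all certificates from this CA will fail revocation checking"
} elseif ($left.TotalDays -lt $WarnDays) {
    Write-Warning "CRL expires in $([int]$left.TotalHours) hours; publish a new one before then"
} else {
    Write-Host "CRL valid for another $([int]$left.TotalDays) days, $($crl.Entries) revoked entries"
}

# Show what CryptoAPI now has cached for this user.
& certutil.exe -urlcache CRL
```

The resync value is a one-shot marker, not a schedule: it only invalidates objects cached before the moment it was set, so it has to be set again after each CRL re-publication if clients must pick up revocations before the old CRL's NextUpdate.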


