Publish CRL to LDAP store:
C:\> certutil -dspublish .\IssuingCA-DC1.crl serverName
Validate a certificate's Authority Information Access (AIA), Certificate Revocation List (CRL), and Online Certificate Status Protocol (OCSP) status:
C:\> certutil -URL certname.cer
This command launches a UI that can be used to check the following:
Note: the certificate in question is revoked.
Authority Information Access (AIA) - this extension specifies the location of the CA certificates (used for building the certification path):
CRL accessibility based on CRL Distribution Point (CDP) extension:
Revocation status using OCSP:
OCSP URL is specified in AIA extension:
Download CRL (creates file "Blob0_1_0.crl" in the working directory):
C:\> certutil -split -URL http://dc1.kp.local/pki/IssuingCA-DC1.crl
View CRL publication related registry entries:
C:\> certutil -getreg ca\CRLPublicationURLs
Verify revocation and validity of a specific certificate:
C:\> certutil -f -urlfetch -verify .\compcert.cer
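A scripted counterpart to the verification above, as an added example that is not part of the original page: it prints the certificate's CDP and AIA extensions and then builds the chain with online revocation checking through the .NET X509Chain class. The default path reuses the page's sample file name; the exit codes are this example's own convention.

```powershell
# Added example: check the revocation status of one certificate from a script.
# Assumption: default path is the page's sample file .\compcert.cer.
param([string]$Path = '.\compcert.cer')

$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
    (Resolve-Path -LiteralPath $Path).ProviderPath)

# 2.5.29.31 = CRL Distribution Points (CDP)
# 1.3.6.1.5.5.7.1.1 = Authority Information Access (AIA, also carries the OCSP URL)
$wanted = @{ '2.5.29.31' = 'CDP'; '1.3.6.1.5.5.7.1.1' = 'AIA' }
foreach ($ext in $cert.Extensions) {
    if ($wanted.ContainsKey($ext.Oid.Value)) {
        "--- $($wanted[$ext.Oid.Value]) ---"
        $ext.Format($true)
    }
}

# Build the chain and check every element for revocation.
# Unlike "certutil -f", this may be satisfied from the CryptoAPI cache
# when a cached CRL or OCSP response is still time-valid.
$chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
$chain.ChainPolicy.RevocationMode = 'Online'
$chain.ChainPolicy.RevocationFlag = 'EntireChain'
$chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(15)
$built = $chain.Build($cert)

# Per-certificate status, leaf first.
foreach ($el in $chain.ChainElements) {
    $s = @($el.ChainElementStatus | ForEach-Object { $_.Status.ToString() }) -join ', '
    if (-not $s) { $s = 'NoError' }
    '{0} -> {1}' -f $el.Certificate.Subject, $s
}

# Separate "revoked" from "could not check": the second usually means an
# unreachable CDP or OCSP URL, not a bad certificate.
$flags = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })
if ($flags -contains 'Revoked') {
    'RESULT: a certificate in the chain is revoked'; exit 2
} elseif ($flags -contains 'RevocationStatusUnknown' -or $flags -contains 'OfflineRevocation') {
    'RESULT: revocation status could not be determined'; exit 3
} elseif (-not $built) {
    "RESULT: chain is not valid ($($flags -join ', '))"; exit 1
} else {
    'RESULT: chain valid, no certificate revoked'
}
```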
View CRL cached by CryptoAPI:
Windows CryptoAPI caches CRLs for performance reasons.
C:\> certutil -urlcache CRL
Update local CRL cache / View CRL:
The command below forces an update of the CRL cache.
C:\> certutil -URL http://dc1.kp.local/pki/IssuingCA-DC1.crl