Article ID: 289749
Article Last Modified on 11/21/2006
APPLIES TO
- Microsoft Internet Information Services 5.0
This article was previously published under Q289749
INTRODUCTION
This article contains answers to some frequently asked questions (FAQ) about Certificate Revocation Lists (CRLs) and Microsoft Internet Information Services (IIS) 5.0.
MORE INFORMATION
Q1: What is a Certificate Revocation List (CRL), and what is a CRL Distribution Point (CDP)?
A1: A CRL is a file that contains a list of revoked certificates, their serial numbers, and their revocation dates. A CRL file also contains the name of the issuer of the CRL, the effective date, and the next update date. By default, the shortest validity period of a CRL is one hour.
A CDP is the location where you can download the latest CRL. A CDP is typically listed in the CRL Distribution Points field of the Details tab of the certificate. It is common to list multiple CDPs that use different access methods to make sure that programs, such as Web browsers and Web servers, can always obtain the latest CRL.
The following are examples of CDP entries:
[1] CRL Distribution Point
    Distribution Point Name:
        Full Name:
            URL=ldap:///CN=SecTestCA1,CN=SECTESTCA1,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=rte,DC=microsoft,DC=com?certificateRevocationList?base?objectclass=cRLDistributionPoint
[2] CRL Distribution Point
    Distribution Point Name:
        Full Name:
            URL=http://sectestca1.rte.microsoft.com/CertEnroll/SecTestCA1.crl
[3] CRL Distribution Point
    Distribution Point Name:
        Full Name:
            URL=file://\\sectestca1.rte.microsoft.com\CertEnroll\SecTestCA1.crl
Q2: When does IIS 5.0 retrieve a CRL?
A2: Each CRL has an effective date. The effective date is also referred to as the "next update" or the "validity period." IIS 5.0 retrieves a CRL only if one of the following conditions is true:
- The CRL of the certificate is not contained in the IIS 5.0 cache.
- The effective date of the CRL in the IIS 5.0 cache has passed.
Q3: If the certificate contains several CRL Distribution Points, does IIS 5.0 retrieve the CRL from each location?
A3: No. Only the first, or top, location is used. If unsuccessful, IIS 5.0 tries the next CRL distribution point.
Q4: Are the contents of each CRL at each CRL distribution point downloaded and combined?
A4: No. Only one CRL is downloaded.
Q5: Are CRLs stored on the computer that is running IIS 5.0?
A5: Yes. However, any consequences that result from the manipulation of the CRL are not supported by Microsoft Product Support Services.
Q6: How are CRLs identified? That is, what extension do CRL files use?
A6: CRLs use a .crl extension. For example, CRLFileName.crl.
Note The FileName is listed in the CRL distribution point on the certificate.
Q7: What occurs if IIS 5.0 cannot find one of the CRLs?
A7: By default, IIS 5.0 fails if the CRL of a certificate cannot be accessed. For this reason, several paths and protocols to the same CRL are listed as CRL distribution points. For example, the following protocols and paths are used in the URL of a CRL distribution point:
- HTTP
- Lightweight Directory Access Protocol (LDAP)
- File
Q8: What error message appears in the Web browser if an effective CRL cannot be obtained? Is the same error message displayed if the CRL is obtained and if the certificate is revoked?
A8: Yes, you receive the same error message in both scenarios. You receive the following error message:
Q9: You experience one of the following symptoms:
- You make the CRL unavailable. However, IIS does not retrieve a new CRL and does not appear to fail.
- You revoke a certificate and republish the CRL. However, IIS 5.0 still lets users locate a Web site by using the revoked certificate.
A9: Both these scenarios are related to the same issue. IIS 5.0 still uses a cached CRL that has not passed its effective date. For more information, see "Q2: When does IIS 5.0 retrieve a CRL?".
Q10: Is it possible to force the cached CRL to update?
A10: You cannot force the cached CRL to update. The CRL has an expiration date. When the CRL expires, the CRL is renewed.
All certificates are stored in the cache when the certificates are selected from a store or from a URL. The only difference is the location where the cached certificates are stored. Certificates can be stored in the following locations:
- Memory
All retrieved certificates are cached in memory.
- CA Store
All certificates that are retrieved from any WinInet-supported URLs, such as HTTP, FTP, LDAP, and FILE by using the Authority Information Access (AIA) extension are cached in the CA store.
- Local file system
If the retrieval URL is ldap://, ftp://, or http://, the certificate or CRL is also cached by WinInet in the local file system. The cache is stored in the Documents and Settings\UserName\Local Settings\Temporary Internet Files folder.
For additional information about certificates and about caching, visit the following Microsoft Web site:
Q12: Can IIS 5.0 perform "real time" CRL checking?
A12: No. IIS 5.0 uses the CRL in the cache until the CRL expires. The lowest validity period for a CRL that is published by Microsoft Certificate Services is one hour. You can delete the CRL from the cache to force the retrieval of a new CRL. However, the new CRL still has the same validity period.
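The following Python script is an added example, not part of this article and not Microsoft code. It models the behaviour described in Q2, Q3, Q7, Q9 and Q12 with constructed data: a parser for a CDP listing in the layout shown under Q1 (the CA name, host and serial number are made up), a cache that downloads a CRL only when none is cached or the cached CRL's next update time has passed, CDP fall-through in listed order, and a timeline in which a certificate revoked ten minutes after its CRL was cached stays accepted until that CRL expires one hour later, unless the cached CRL is deleted first.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed CDP listing in the layout a certificate's Details tab shows
# (sample names only; no real CA or host is referenced).
CDP_TEXT = """[1]CRL Distribution Point
Distribution Point Name:
Full Name:
URL=ldap:///CN=ExampleCA,CN=CDP,CN=Public%20Key%20Services,DC=example,DC=test?certificateRevocationList?base?objectclass=cRLDistributionPoint
[2]CRL Distribution Point
Distribution Point Name:
Full Name:
URL=http://ca.example.test/CertEnroll/ExampleCA.crl
[3]CRL Distribution Point
Distribution Point Name:
Full Name:
URL=file://\\\\ca.example.test\\CertEnroll\\ExampleCA.crl
"""


def parse_cdp_urls(text):
    """Return the CDP URLs in listed order; IIS 5.0 tries them top-down (Q3)."""
    return re.findall(r"^URL=(.+)$", text, flags=re.MULTILINE)


@dataclass(frozen=True)
class Crl:
    issuer: str
    this_update: datetime
    next_update: datetime        # the article's "effective date" (end of validity)
    revoked_serials: frozenset


class CrlCache:
    """Models the IIS 5.0 caching rule in Q2: download only when no CRL for the
    issuer is cached or the cached CRL's next update time has passed."""

    def __init__(self, fetch):
        self._fetch = fetch      # fetch(url) -> Crl, raises OSError if unreachable
        self._cache = {}         # issuer -> Crl
        self.downloads = 0

    def get_crl(self, issuer, cdp_urls, now):
        cached = self._cache.get(issuer)
        if cached is not None and now < cached.next_update:
            return cached        # still within validity: no retrieval at all
        for url in cdp_urls:     # Q3: first CDP, next one only on failure
            try:
                crl = self._fetch(url)
            except OSError:
                continue
            self.downloads += 1
            self._cache[issuer] = crl
            return crl
        raise LookupError("no CRL distribution point reachable")  # Q7: IIS fails

    def evict(self, issuer):
        """Q12: deleting the cached CRL is the only way to force a new download."""
        self._cache.pop(issuer, None)

    def is_revoked(self, issuer, serial, cdp_urls, now):
        return serial in self.get_crl(issuer, cdp_urls, now).revoked_serials


def scenario(evict_after_republish=False):
    """Q9 walk-through: a certificate revoked after its CRL was cached is still
    accepted until the cached CRL's next update passes (or the cache is cleared)."""
    t0 = datetime(2006, 11, 21, 12, 0, tzinfo=timezone.utc)
    hour = timedelta(hours=1)    # one hour: the shortest CRL validity period (Q1, Q12)
    urls = parse_cdp_urls(CDP_TEXT)
    published = {}               # url -> CRL currently served at that CDP

    def fetch(url):
        if url not in published:
            raise OSError("unreachable: " + url)
        return published[url]

    # Only the HTTP CDP answers; the LDAP entry listed first fails and is skipped.
    published[urls[1]] = Crl("ExampleCA", t0, t0 + hour, frozenset())
    cache = CrlCache(fetch)
    results = {}
    results["before"] = cache.is_revoked("ExampleCA", 0x1234, urls, t0)

    # Ten minutes later the CA revokes serial 0x1234 and republishes the CRL.
    t1 = t0 + timedelta(minutes=10)
    published[urls[1]] = Crl("ExampleCA", t1, t1 + hour, frozenset({0x1234}))
    if evict_after_republish:
        cache.evict("ExampleCA")
    results["after_republish"] = cache.is_revoked("ExampleCA", 0x1234, urls, t1)

    # Just past the first CRL's next update the new CRL is finally downloaded.
    results["after_expiry"] = cache.is_revoked(
        "ExampleCA", 0x1234, urls, t0 + timedelta(minutes=61))
    results["downloads"] = cache.downloads
    return results


if __name__ == "__main__":
    print("CDP order:", parse_cdp_urls(CDP_TEXT))
    print("cache honoured:", scenario())
    print("cache evicted: ", scenario(evict_after_republish=True))
```

Run as-is: with the cache honoured, the revoked serial is reported as valid at the ten-minute mark and only becomes revoked once the cached CRL's next update has passed, with two downloads in total; evicting the cached CRL right after republication makes the revocation visible immediately, but the freshly downloaded CRL then carries the same one-hour validity, which is the point A12 makes.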
REFERENCES
For more information about Internet X.509 Public Key Infrastructure Certificate and CRL profile, visit the following Internet Engineering Task Force (IETF) Web site:
Request for Comments (RFC) 2459
Additional query words: CRL revocation
Keywords: kbinfo kbtshoot kbfaq KB289749