enricozogno asked

When does a certificate check the CRL?

Hello all.

I have signed my applications with a Code Signing Certificate for a long time. Still, since the last renewal (SHA256), I noticed that every time I start my application a request to the corresponding CRL (certificate revocation list) is made.

Nothing strange, but this leads to several timeouts before the application is ready, because typically it is installed on servers without internet access (I know: I could disable the check, black-hole it in the hosts file, ...)

With another certificate (older, SHA1) the application starts immediately, and no request is made to the CRL.

I didn't find any documentation about differences in CRL checking with different types of certificates...


Would someone be so kind as to explain the behaviour differences between the two cases?

Thanks.

 Enrico
windows-server-security

Hello @enricozogno,
How are things going on your end? Please keep me posted on this issue.
If you have any further questions or concerns about this question, please let us know.
I appreciate your time and efforts.

Best Regards,
Daisy Zhou

DaisyZhou-MSFT answered

Hello @enricozogno,

Thank you for posting here.

To better understand your question, please confirm the information below:

1. Do you mean the same application on the same machine, or the same application on different machines?

2. Are the last renewal (SHA256) and the other certificate (older, SHA1) issued by the same CA server or by different CA servers?

3. Is the CA that issued the last renewal (SHA256) your internal CA server or a third-party CA server?

4. Is the CA that issued the other certificate (older, SHA1) your internal CA server or a third-party CA server?

5. We can check what kind of CRL location the two certificates carry (LDAP, HTTP or file).

For example:
[Attachment: crl1.png]

6. We can check whether the CRL locations found in step 5 are accessible.




Best Regards,
Daisy Zhou



Thameur-BOURBITA answered
Thameur-BOURBITA answered DaisyZhou-MSFT commented

Hi,

It seems that the application needs an internet connection to check one of the CRL URLs mentioned on the new certificate. When you install the new certificate, the application needs to check the CRL to validate the new certificate, and then it is kept in the cache.
The application starts immediately with the old SHA1 certificate because it is already in the cache.

[Attachment: image.png]



Please don't forget to mark this reply as the answer if it helps you to fix your issue.



Hello @enricozogno,
I am just writing to see if this question has any update. If anything is unclear, please feel free to let us know.
Thanks for your time and have a nice day!

Best Regards,
Daisy Zhou

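The two checks suggested in Daisy's answer (which CRL locations the signing certificate carries, and whether they are reachable from the server) and the caching point in Thameur's answer can be done from PowerShell on the affected server. The script below is an added example written for this thread; it is not from Microsoft or from any participant. It reads the Authenticode signer certificate of a signed binary, pulls the URLs out of the CRL Distribution Points extension (OID 2.5.29.31), and probes the HTTP ones with a short timeout so an unreachable location shows up immediately instead of as a silent startup delay. The function name and the file path in the usage line are placeholders.

```powershell
# Added example (not from the thread). Lists the CRL distribution points of the
# certificate that signed a binary and tests whether the HTTP ones answer.
function Get-SigningCertCrlStatus {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Path,          # signed .exe/.dll to inspect
        [int]$TimeoutSec = 5    # per-URL timeout; an offline server will hit this
    )

    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($null -eq $sig.SignerCertificate) {
        Write-Warning "No Authenticode signature on $Path (status: $($sig.Status))"
        return
    }
    $cert = $sig.SignerCertificate

    # Basic facts about the signer; SigAlg distinguishes sha256RSA from sha1RSA.
    [pscustomobject]@{
        File     = $Path
        Subject  = $cert.Subject
        Issuer   = $cert.Issuer
        SigAlg   = $cert.SignatureAlgorithm.FriendlyName
        NotAfter = $cert.NotAfter
    } | Format-List

    # OID 2.5.29.31 is the CRL Distribution Points extension. Format($true)
    # renders it as indented text with one "URL=..." entry per location.
    $cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    if ($null -eq $cdp) {
        Write-Output "Certificate has no CRL Distribution Points extension."
        return
    }
    $urls = [regex]::Matches($cdp.Format($true), 'URL=(\S+)') |
        ForEach-Object { $_.Groups[1].Value }

    foreach ($url in $urls) {
        $scheme = ([uri]$url).Scheme
        if ($scheme -in 'http', 'https') {
            try {
                $r = Invoke-WebRequest -Uri $url -Method Head -TimeoutSec $TimeoutSec -UseBasicParsing
                Write-Output "$url -> reachable (HTTP $($r.StatusCode))"
            } catch {
                Write-Output "$url -> NOT reachable: $($_.Exception.Message)"
            }
        } else {
            # LDAP and file locations are reported but not probed here.
            Write-Output "$url -> $scheme location, not probed by this script"
        }
    }
}

# Usage (path is a placeholder):
# Get-SigningCertCrlStatus -Path 'C:\Program Files\MyApp\MyApp.exe'
```

Run it once with the SHA256-signed binary and once with the SHA1-signed one on the server that has no internet access: the output shows whether the two certificates point at different CRL locations and which of those locations time out. To see what Thameur's answer calls the cache, `certutil -urlcache crl` lists the CRLs Windows has already fetched and cached for the current user; a certificate whose CRL is in that cache does not trigger a new download until the cached copy expires.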