
Local CRL location of a revoked SubCA-Certificate

Hi again ;-)

I was wondering why, in the Certificate Manager on a client, there is an "Intermediate CA\Certificate Revocation List" container, which contains the revoked certificates issued by my Sub CA, but no "Root CA\Certificate Revocation List" container, which would contain the revoked certificates issued by my Root CA? The endpoint certificates as well as the SubCA certificate have some CDP entries. Where is the CRL located locally if I revoke the certificate of my SubCA?

Best regards, fabian


Hello @Fabian-7704,
How are things going on your end? Please keep me posted on this issue.
If you have any further questions or concerns about this question, please let us know.
I appreciate your time and efforts.

Best Regards,
Daisy Zhou

============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.


Hello @Fabian-7704,
I just want to confirm the current situations.
Please feel free to let us know if you need further assistance.


Best Regards,
Daisy Zhou


Hi @DaisyZhou-MSFT
Sorry for my late reply, I was unexpectedly away. My curiosity is not completely satisfied, but the details probably cannot be clarified. For example, if the "Certificate Revocation List" container corresponds to the cache store, the "Trusted Root Certification Authorities" should also have such a container, because this CRL is also cached.

Best regards, fabian

DaisyZhou-MSFT answered Fabian-7704 commented

Hello @Fabian-7704,

Thank you for posting here.

I was wondering why, in the Certificate Manager on a client, there is an "Intermediate CA\Certificate Revocation List" container, which contains the revoked certificates issued by my Sub CA, but no "Root CA\Certificate Revocation List" container, which would contain the revoked certificates issued by my Root CA?

A1: In my test lab (two-tier PKI), I can see the "Root CA\Certificate Revocation List" container only on my sub CA server.

For example:
113122-re.png

There is an "Intermediate CA\Certificate Revocation List" container but no "Root CA\Certificate Revocation List" container on the other machines (domain clients, root CA, and member servers).

113087-re1.png


The endpoint certificates as well as the SubCA certificate have some CDP entries. Where is the CRL located locally if I revoke the certificate of my SubCA?

A2:
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData

Here is a similar thread for your reference.

CRL Cache in Win Server
https://social.technet.microsoft.com/Forums/ie/en-US/e5144995-5fda-4ffb-be4e-eb6c578c63b6/crl-cache-in-win-server?forum=winserversecurity


Hope the information above is helpful.

Should you have any question or concern, please feel free to let us know.


Best Regards,
Daisy Zhou

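To see which CRLs CryptoAPI has actually cached, root CA included, you can walk the CryptnetUrlCache content folders and decode each entry. This is an added example, not code from the thread or from Microsoft; it assumes certutil.exe is on the path and that the layout of its -dump output ("Issuer:" followed by an indented name line, then "ThisUpdate:"/"NextUpdate:" lines) matches current Windows builds.

```powershell
# Added example: list the CRLs cached by CryptoAPI for the machine (system profile)
# and for the current user, and flag entries whose NextUpdate has passed.
# Assumption: the cached blobs live in the Content folder next to the MetaData
# folder named in the answer above.
$cacheRoots = @(
    "$env:SystemRoot\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content",
    "$env:USERPROFILE\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content"
)

function Get-CachedCrl {
    param([string[]]$Paths)
    foreach ($dir in $Paths) {
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        foreach ($file in Get-ChildItem -LiteralPath $dir -File) {
            # certutil -dump decodes certificates, CRLs and other blobs alike;
            # keep only the entries it reports as a CRL.
            $dump = @(& certutil.exe -dump $file.FullName 2>$null)
            if (-not ($dump | Where-Object { $_ -match 'Certificate Revocation List' })) { continue }

            $issuer = $null; $thisUpdate = $null; $nextUpdate = $null
            for ($i = 0; $i -lt $dump.Count; $i++) {
                $line = $dump[$i]
                # Assumed dump layout: the issuer DN is on the line after "Issuer:".
                if ($line -match '^\s*Issuer:' -and ($i + 1) -lt $dump.Count) { $issuer = $dump[$i + 1].Trim() }
                elseif ($line -match '^\s*ThisUpdate:\s*(.+)$') { $thisUpdate = $Matches[1].Trim() }
                elseif ($line -match '^\s*NextUpdate:\s*(.+)$') { $nextUpdate = $Matches[1].Trim() }
            }
            # NextUpdate is printed in the local date format; leave Expired empty if it does not parse.
            $expired = $null
            try { if ($nextUpdate) { $expired = ([datetime]::Parse($nextUpdate) -lt (Get-Date)) } } catch { }

            [pscustomobject]@{
                Profile    = if ($dir -like '*systemprofile*') { 'Machine' } else { 'User' }
                Issuer     = $issuer
                ThisUpdate = $thisUpdate
                NextUpdate = $nextUpdate
                Expired    = $expired
                File       = $file.Name
            }
        }
    }
}

# An entry whose Issuer is the root CA shows that the root CRL is cached even though
# the Certificate Manager UI has no "Root CA\Certificate Revocation List" container.
Get-CachedCrl -Paths $cacheRoots | Sort-Object Profile, Issuer | Format-Table -AutoSize
```

The built-in `certutil -urlcache crl` lists the same cache by URL rather than by decoded content, which is quicker when you only need to confirm that a given CDP has been fetched.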

Hello @DaisyZhou-MSFT

Thank you for your answer. My question now is: why?

  1. What is the Revocation List container used for if there is a local cache?

  2. Why is the Revocation List Container structure of the SubCA different from other computers?

Best regards, fabian

DaisyZhou-MSFT answered

Hello @Fabian-7704,

I am sorry for the late reply. Thank you for your update.

Here are the answers for your reference.

What is the Revocation List container used for if there is a local cache?
A1: I think the function of the Revocation List container is the same as the local cache.
The local cache is the storage location of the CRL files, and the Revocation List container is UI display information.


Why is the Revocation List Container structure of the SubCA different from other computers?
A2: I think it is by design. I am sorry, I do not know why.


Hope the information above is helpful.

Should you have any question or concern, please feel free to let us know.


Best Regards,
Daisy Zhou
