Implementing Revocation

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Certificates and licenses can be revoked by any principal that is in the chain of trust for the certificate or license. Any certificate or license that is issued by a root cluster can be revoked by that root cluster. In addition, the certificates can be revoked by a third party who is chosen by the RMS administrator.

To revoke a certificate or license granted by your RMS server, you can create and distribute a revocation list and then require the list in a rights policy template, as described in the following steps:

  1. Create a revocation list that specifies the principals to be revoked. This is a plain text file in XML format that conforms to the XrML vocabulary. For more information, see “Creating Revocation Lists” later in this subject.

  2. Generate a key pair for the revocation list. Then, sign the file with the private key by using the Revocation List Signing tool that is provided for that purpose.. For instructions, see “Creating Revocation Lists” later in this section. You should automate this process so that it occurs regularly, preferably daily.

  3. Place the revocation list file in a location that is accessible to all users who require it. It is recommended that you place the file in a location that is accessible from both your network and the Internet, preferably on a Web site. This ensures that users can access the file from both inside and outside the corporate network.

  4. Create a rights policy template that includes a requirement for the revocation list. For more information, see “Creating and Modifying Rights Policy Templates” later in this subject.

You can also revoke the server licensor certificate of the root cluster. Because this certificate was issued by the Microsoft Enrollment Service, Microsoft can revoke the server licensor certificate of the root cluster. To do this, Microsoft adds the server licensor certificate to its revocation list and makes the list publicly available.

In addition, your root cluster server licensor certificate may be revoked by a third-party authority if your RMS administrator chose to enable that option during provisioning. If you use this option, a revocation list that includes this server licensor certificate that was signed by the private key of the third-party authority should then be made available to clients. For more information, see “Revoking Server Licensor Certificates” later in this subject.


Be careful when you implement revocation. Based on the refresh interval that you specify, you must renew a revocation list periodically or it will automatically expire, which prevents users from consuming content that requires that list. To ensure that you do not inadvertently prevent users from consuming content, carefully evaluate the interval that you require for refreshing the revocation list. Also, make sure that the revocation list can be accessed from both inside and outside of the network. For more information, see “Defining Revocation Policies” earlier in this subject.