PKI - Issuing CA: CRL Logs and .edb file

49885604 215 Reputation points
2023-05-18T14:38:21.1033333+00:00

Hi Everyone,

I need to find and check the CRL logs on my PKI servers. Should it be possible to find them in Event Viewer or using other sources?

Would it also be possible to open the .edb file of the Issuing CA using Microsoft tools? It's stored in ...\system32\certlog?

Kind regards,

Alessio.


1 answer

  1. Limitless Technology 44,776 Reputation points
    2023-05-19T11:27:12.4066667+00:00

    Hello there,

    Certutil.exe is the command-line tool to verify certificates and CRLs. To get reliable verification results, you must use certutil.exe because the Certificate MMC Snap-In does not verify the CRL of certificates. A certificate might be wrongly shown in the MMC snap-in as valid, but once you verify it with certutil.exe you will see that the certificate is actually invalid.

    Remember that certutil.exe operates in the security context of the current session context. This is important if you need to verify the validity of computer certificates. What if your current user session has the right proxy settings but the machine context does not? In Windows Server 2003 and Windows XP, the proxy configuration of the machine context can be configured with proxycfg.exe. In Windows Vista and Windows Server Codename Longhorn, use netsh winhttp show proxy to verify the proxy settings of the machine context.

    Basic CRL checking with certutil: https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/basic-crl-checking-with-certutil/ba-p/1128367

    Hope this resolves your query!

    --If the reply is helpful, please Upvote and Accept it as an answer–

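The check described in the answer above, as an added PowerShell example (not part of the original post and not Microsoft's code): it runs certutil.exe against an exported certificate with URL retrieval, records the machine-context WinHTTP proxy, and classifies the revocation result by error code. The function name Test-CertRevocation, the status labels and the sample path are assumptions made for illustration.

```powershell
# Added example. Test-CertRevocation and its status labels are hypothetical names.
function Test-CertRevocation {
    param(
        [Parameter(Mandatory)][string]$CertPath   # exported .cer file to verify
    )
    if (-not (Test-Path -LiteralPath $CertPath)) {
        throw "Certificate file not found: $CertPath"
    }

    # Machine-context WinHTTP proxy, which can differ from the user's proxy settings.
    $proxy = (& netsh.exe winhttp show proxy | Out-String).Trim()

    # -urlfetch retrieves the AIA/CDP URLs named in the certificate; -f forces the fetch.
    # certutil runs in the context of the current session, so start this from a
    # SYSTEM session when the question is about a computer certificate.
    $output   = (& certutil.exe -f -urlfetch -verify $CertPath 2>&1 | Out-String)
    $exitCode = $LASTEXITCODE

    # Classify on CryptoAPI error codes rather than on message text.
    $status = switch -Regex ($output) {
        '0x80092010|CRYPT_E_REVOKED'             { 'Revoked'; break }
        '0x80092013|CRYPT_E_REVOCATION_OFFLINE'  { 'RevocationOffline'; break }
        '0x80092012|CRYPT_E_NO_REVOCATION_CHECK' { 'NoRevocationCheck'; break }
        default                                  { 'NoRevocationErrorFound' }
    }

    [pscustomobject]@{
        CertPath     = $CertPath
        Status       = $status
        ExitCode     = $exitCode      # may be 0 even when a revocation error is reported
        MachineProxy = $proxy
        RawOutput    = $output        # keep the full text for manual review
    }
}

# Usage with a constructed sample path:
# Test-CertRevocation -CertPath 'C:\Temp\server.cer' |
#     Format-List CertPath, Status, ExitCode, MachineProxy
```

A status of RevocationOffline together with an unexpected MachineProxy value points at the proxy mismatch the answer describes; NoRevocationErrorFound only means none of the three codes appeared, so read RawOutput before treating the certificate as valid.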
