Checking the revocation list in the system (CRL / IIS / CA / Edge)

Step to IT 100 Reputation points
2024-04-14T11:33:48.6366667+00:00

Hi all!

I encountered a problem with the availability of IIS sites when accessing sites with an invalid (revoked) certificate.

More details in order: I deployed a test CA with the following servers:

  • Root CA (Standalone, without domain)
  • Sub Issue CA (Enterprise, in domain)

RootCA is offline; SubCA is enabled and issues certificates. CDP and AIA points are published through SubCA at "http://certs.domain.com/...*" (.crt & .crl). OCSP was not created.

I created a test IIS site and issued a certificate for it via SubCA. Everything works well in all browsers (for example, Internet Explorer & Microsoft Edge).

Next, for verification, the certificate was revoked + a new CRL was published. However, after that I go to the site through MS Edge and it works as if nothing had happened. MS Edge displays "Connection is secure".

At the same time, Internet Explorer reacts correctly:

    This site is not secure
    This website's security certificate has been revoked, so you can't go there at this time.
    Error Code: ERROR_INTERNET_SEC_CERT_REVOKED

On top of that, when you export the certificate to a ".crt" file and open it, visually everything seems to be fine with it. However, when running the command "certutil -verify pathToCRT" it reports:

    The certificate is revoked. 0x80092010 (-2146885616 CRYPT_E_REVOKED)
    ------------------------------------
    Certificate is REVOKED
    Leaf certificate is REVOKED (Reason=0)

Actually, the questions:

  1. Why does this system behavior occur? I expected it to work the same way as Internet Explorer.
  2. Is it possible to set up a forced check of the revocation list and, in case of problems with the certificate, block work with the site?

Accepted answer
  1. Jinxin Wang (Shanghai Wicresoft Co Ltd) 2,175 Reputation points Microsoft Vendor
    2024-04-15T06:21:39.5933333+00:00

    Hi @Step to IT,

    This behavior is "By design". “Online” certificate revocation status checks using Certificate Revocation List (CRL) or OCSP URLs included in certificates are disabled by default. This is because unless a client, like Chrome, refuses to connect to a website if it cannot get a valid response, online checks offer limited security value. You can refer to this link: https://chromium.googlesource.com/chromium/src/+/refs/heads/main/docs/security/faq.md#what_s-the-story-with-certificate-revocation.

    There are two relevant policies that can change the Edge Revocation Checking configuration away from the default:

    1. https://docs.microsoft.com/en-us/deployedge/microsoft-edge-policies#enableonlinerevocationchecks This enables soft-fail online revocation checks. If the certificate does not contain revocation information, the certificate is deemed valid. If the revocation check does not complete (e.g. inaccessible CA), the certificate is deemed valid. If the certificate revocation check successfully returns that the certificate was revoked, the certificate is deemed invalid.

    2. https://docs.microsoft.com/en-us/deployedge/microsoft-edge-policies#requireonlinerevocationchecksforlocalanchors This enables hard-fail online revocation checks for certificates whose trust anchor is a locally trusted root (e.g. an enterprise CA, not a public CA). If the certificate does not contain revocation information, the certificate is deemed invalid. If the revocation check does not complete (e.g. inaccessible CA), the certificate is deemed invalid. If the certificate revocation check successfully returns that the certificate was revoked, the certificate is deemed invalid.


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".


    Best regards,

    Jinxin Wang

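As an added example (not the thread's own code), the following PowerShell script checks a site's certificate chain with hard-fail online revocation, mirroring the certutil -verify result from the question, and then applies the hard-fail Edge policy from the accepted answer in its registry form. The host name is a placeholder, and the registry path is assumed to be the standard Edge policy location (run the policy part elevated).

```powershell
# Added example, not from the original thread: verify a site's certificate chain
# with hard-fail online revocation checking, then apply the Edge policy named in
# the accepted answer. 'site.domain.com' is a placeholder host name.

function Test-SiteCertRevocation {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 443
    )
    $client = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    try {
        # Accept whatever the server presents at the TLS layer; the chain is
        # evaluated separately below so the result is not hidden by the handshake.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($HostName)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
    }
    finally { $client.Dispose() }

    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = 'Online'       # fetch CRLs from the CDP in the cert
    $chain.ChainPolicy.RevocationFlag = 'EntireChain'  # leaf and SubCA, not only the leaf
    # Hard-fail: a revoked cert, and also an unreachable CDP (RevocationStatusUnknown /
    # OfflineRevocation), makes Build() return $false, which is what the question asks for.
    $valid = $chain.Build($cert)
    [pscustomobject]@{
        Subject    = $cert.Subject
        Thumbprint = $cert.Thumbprint
        Valid      = $valid
        Status     = ($chain.ChainStatus | ForEach-Object {
                         "$($_.Status): $($_.StatusInformation.Trim())" }) -join '; '
    }
}

Test-SiteCertRevocation -HostName 'site.domain.com'

# Edge policy from the accepted answer, in its registry form (DWORD 1 = enabled).
# With it set, Edge hard-fails revocation checks for chains ending in a locally trusted root.
$edgePolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
New-Item -Path $edgePolicy -Force | Out-Null
Set-ItemProperty -Path $edgePolicy -Name 'RequireOnlineRevocationChecksForLocalAnchors' -Value 1 -Type DWord
Get-ItemProperty -Path $edgePolicy -Name 'RequireOnlineRevocationChecksForLocalAnchors'
```

Windows caches a downloaded CRL until its NextUpdate time, so a freshly published CRL may not be consulted immediately by either the script or Edge; `certutil -urlcache crl delete` clears the cached copies so the new one is fetched.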
