CRL check on external clients

SDS 216 Reputation points
2021-03-05T18:39:21.303+00:00

Hello Team,

We have a two-tier PKI (offline Root and enterprise Sub). We publish the CRLs to LDAP and a web server that is only accessible from inside the network. We will change this to be accessible from external as well, but there is something I do not understand:

We use Always On and several certificates that are signed by our PKI. As far as I know, the client caches the CRL of Root and Sub and tries to reach out to the web server when the expiration date of the Sub CRL or Root CRL is reached. If the client is external at that moment, it cannot reach the web server or LDAP location and, as a consequence, the certificate chain cannot be built successfully. Anyway, we never had an issue with that. The clients seem to have another way to check it. How is this possible? Do they just ignore the CRL check of the Root or Sub CA? Is there any mechanism that I am missing?

Thank you!


Accepted answer
  1. Vadims Podāns 9,036 Reputation points MVP
    2021-03-06T09:30:31.12+00:00

    The OCSP Responder is the same webserver and it is not accessible from the internet.

    OCSP doesn't need to be externally accessible; only the IIS server needs to access the internal OCSP server. IIS queries OCSP and gets the OCSP response for its TLS certificate. Then, when a remote client initiates a TLS connection to IIS, it staples this OCSP response into the TLS handshake, and clients may use this stapled OCSP response to validate the certificate's revocation status. OCSP stapling on IIS is enabled by default.

    I guess just opening a certificate in MMC will not trigger a revocation check...?

    Yes, that's correct. Revocation checking isn't triggered when you open a certificate from a file or in MMC.
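The stapling mechanism described in this answer, shown as an added example that is not part of the thread and does not use IIS or Schannel: Go's `crypto/tls` plays both roles in memory. The server is configured with a staple (here a constructed placeholder, the minimal DER encoding of an `OCSPResponse` with status `tryLater`; a real staple is the full signed response IIS fetched from the internal responder), the client completes a handshake over `net.Pipe` without any network access, and `StapledResponse` returns what the client received. The host name `pki-demo.example` and the self-signed certificate are assumptions made so the example runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

const demoHost = "pki-demo.example" // hypothetical server name, not from the thread

// selfSignedCert builds a throwaway self-signed TLS certificate so the example
// runs offline. In the deployment discussed above the web server would hold a
// certificate issued by the enterprise Sub CA, with an OCSP URL in its AIA extension.
func selfSignedCert() (tls.Certificate, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: demoHost},
		DNSNames:              []string{demoHost},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	parsed, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, parsed, nil
}

// StapledResponse runs one in-memory TLS handshake in which the server presents
// `staple` as the OCSP response for its own certificate (the role IIS plays after
// querying the internal responder) and returns the OCSP response the client saw in
// the handshake. An empty result means no revocation evidence arrived with the
// connection, so the client would have to reach the CRL or OCSP URL itself.
func StapledResponse(staple []byte) ([]byte, error) {
	cert, parsed, err := selfSignedCert()
	if err != nil {
		return nil, err
	}
	cert.OCSPStaple = staple // Go sends this in the status_request extension when the client asks for it

	roots := x509.NewCertPool()
	roots.AddCert(parsed) // the client trusts exactly this certificate

	serverSide, clientSide := net.Pipe()
	defer serverSide.Close()
	defer clientSide.Close()

	// Session tickets are disabled so the server's flight ends with Finished and
	// the synchronous pipe cannot stall on an unread post-handshake message.
	srv := tls.Server(serverSide, &tls.Config{
		Certificates:           []tls.Certificate{cert},
		SessionTicketsDisabled: true,
	})
	srvErr := make(chan error, 1)
	go func() { srvErr <- srv.Handshake() }()

	// Go's client always requests OCSP stapling; it verifies the chain against
	// `roots` and the host name, then exposes any staple in the connection state.
	cli := tls.Client(clientSide, &tls.Config{RootCAs: roots, ServerName: demoHost})
	if err := cli.Handshake(); err != nil {
		return nil, fmt.Errorf("client handshake: %w", err)
	}
	if err := <-srvErr; err != nil {
		return nil, fmt.Errorf("server handshake: %w", err)
	}
	return cli.ConnectionState().OCSPResponse, nil
}

func main() {
	// Constructed placeholder staple: minimal DER OCSPResponse with status tryLater(3).
	staple := []byte{0x30, 0x03, 0x0a, 0x01, 0x03}
	for _, s := range [][]byte{staple, nil} {
		got, err := StapledResponse(s)
		if err != nil {
			panic(err)
		}
		if len(got) == 0 {
			fmt.Println("no stapled OCSP response: the client must fetch CRL/OCSP itself")
		} else {
			fmt.Printf("stapled OCSP response received (%d bytes)\n", len(got))
		}
	}
}
```

The first run models the situation in this thread: the responder is reachable only from the inside, yet the external client still gets the revocation status because the server carried it across in the handshake. The second run, with no staple configured, models the case raised in the other answer: the client receives nothing and, being unable to reach the responder, ends up with an offline-revocation result whose outcome depends on whether the client is set to soft-fail or hard-fail on it.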


2 additional answers

  1. Vadims Podāns 9,036 Reputation points MVP
    2021-03-05T20:34:32.567+00:00

    Do you have OCSP? If yes, revocation checking for the leaf certificate (at least) can be provided by means of OCSP stapling during the TLS handshake. If that is not the case, then the clients are either configured to soft-fail on revocation checking (ignore RevocationOffline errors) or to completely ignore certificate validation (including an untrusted chain).


  2. SDS 216 Reputation points
    2021-03-06T07:40:00.087+00:00

    Thank you for your answer and that hint. Yes, OCSP is enabled only on the Extension List of Sub CA. The OCSP Responder is the same webserver and it is not accessible from the internet.

    If I take a client without a connection to LDAP/HTTP/OCSP and I delete the memory and disk CRL cache, I'd expect to see an error when checking a PKI-signed certificate in MMC (e.g. a red cross on the certification path tab). But as I am writing this, I guess just opening a certificate in MMC will not trigger a revocation check...?
