CRL check on external clients

SDS 216 Reputation points
2021-03-05T18:39:21.303+00:00

Hello Team,

we have a two tier PKI (offline Root and enterprise Sub). We publish the CRLs to LDAP and a webserver that is only accessible from inside the network. We will change this to be accessible from external as well, but there is something I do not understand:

We use Always On and serveral certificates that are signed by our PKI. As far as I know, the client caches the CRL of Root and Sub and tries to reach out to the webserver when the expiration date of Sub-CRL or Root-CRL is reached. If the client is external in that moment, it can not reach the webserver or LDAP location and in consequence of that the certificate chain can not be created successfully. Anyway, we never had an issue with that. The clients seem to have another way to check it. How is this possible? Do they just ignore CRL check of Root or Sub CA? Is there any mechanism that I miss?

Thank you!

Windows Server Security
Windows Server Security
Windows Server: A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.Security: The precautions taken to guard against crime, attack, sabotage, espionage, or another threat.
1,777 questions
0 comments No comments
{count} votes

Accepted answer
  1. Vadims Podāns 9,116 Reputation points MVP
    2021-03-06T09:30:31.12+00:00

    The OCSP Responder is the same webserver and it is not accessible from the internet.

    OCSP don't need to be externally accessible, only IIS server needs to access internal OCSP server. IIS queries OCSP and gets OCSP response of its TLS certificate. Then, when remote client initiates TLS connection to IIS, it will staple this OCSP response in TLS handshake and clients may use this stapled OCSP response to validate certificate revocation status. OCSP stapling on IIS is enabled by default.

    I guess just opening a certificate in MMC will not trigger a revocation check...?

    yes, that's correct. Revocation checking isn't triggered when you open certificate from file or MMC.


2 additional answers

Sort by: Most helpful
  1. Vadims Podāns 9,116 Reputation points MVP
    2021-03-05T20:34:32.567+00:00

    Do you have OCSP? If yes, revocation checking for leaf certificate (at least) can be provided in terms of OCSP stapling during TLS handshake. If it is not the case then client are either configured to soft-fail on revocation checking (ignore RevocationOffline errors) or completely ignore certificate validation (including untrusted chain).

    0 comments No comments

  2. SDS 216 Reputation points
    2021-03-06T07:40:00.087+00:00

    Thank you for your answer and that hint. Yes, OCSP is enabled only on the Extension List of Sub CA. The OCSP Responder is the same webserver and it is not accessible from the internet.

    If I take a client without connection to LDAP/HTTP/OCSP and I delete memory and disk CRL cache, i‘d expect to see an error when checking a PKI signed certificate in MMC (f.e. red cross on the certificate chain tab). But as I am writing this, I guess just opening a certificate in MMC will not trigger a revocation check...?

    0 comments No comments