Local CRL location of a revoked SubCA-Certificate

Question

Local CRL location of a revoked SubCA-Certificate

Fabian 261

Hi again ;-)

I was wondering why on a client in the Certificate Manager is an "Intermediate CA\Certificate Revocation List" container, which contains the revoked certificates issued by my Sub CA, but no "Root CA\Certificate Revocation List" container, which would contain the revoked certificates issued by my Root CA? The Endpoint Certificates as well as the SubCA Certificate have some CDP entries. Where is the CRL localy located if I would revoke the certificate of my SubCA?

Best regards, fabian

Anonymous

2021-07-15T04:37:41.187+00:00

Hello @Fabian ,
How are things going on your end? Please keep me posted on this issue.
If you have any further questions or concerns about this question, please let us know.
I appreciate your time and efforts.

Best Regards,
Daisy Zhou

============================================

If the Answer is helpful, please click "Accept Answer" and upvote it.
Anonymous

2021-07-19T05:18:08.193+00:00

Hello @Fabian ,
I just want to confirm the current situations.
Please feel free to let us know if you need further assistance.

Best Regards,
Daisy Zhou

============================================

If the Answer is helpful, please click "Accept Answer" and upvote it.
Fabian 261 Reputation points

2021-07-23T20:20:02.89+00:00

Hi @Anonymous
Sorry for my late reply, I was unexpectedly away. My curiosity is not completely satisfied but in detail probably not to clarify. For example, if the "Certificate Revocation List" container corresponds to the cache store, the "Trusted Root Certification Authorities" should also have a container because this CRL is also cached.

Best regards, fabian

Accepted answer

1 additional answer

Your answer

Anonymous

2021-07-15T04:37:41.187+00:00

Hello @Fabian ,
How are things going on your end? Please keep me posted on this issue.
If you have any further questions or concerns about this question, please let us know.
I appreciate your time and efforts.

Best Regards,
Daisy Zhou

============================================

If the Answer is helpful, please click "Accept Answer" and upvote it.
Anonymous

2021-07-19T05:18:08.193+00:00

Hello @Fabian ,
I just want to confirm the current situations.
Please feel free to let us know if you need further assistance.

Best Regards,
Daisy Zhou

============================================

If the Answer is helpful, please click "Accept Answer" and upvote it.
Fabian 261 Reputation points

2021-07-23T20:20:02.89+00:00

Hi @Anonymous
Sorry for my late reply, I was unexpectedly away. My curiosity is not completely satisfied but in detail probably not to clarify. For example, if the "Certificate Revocation List" container corresponds to the cache store, the "Trusted Root Certification Authorities" should also have a container because this CRL is also cached.

Best regards, fabian

Answer 1

Hello @Fabian ,

Thank you for posting here.

I was wondering why on a client in the Certificate Manager is an "Intermediate CA\Certificate Revocation List" container, which contains the revoked certificates issued by my Sub CA, but no "Root CA\Certificate Revocation List" container, which would contain the revoked certificates issued by my Root CA?

A1: In my test lab (two-tier PKI), I can see there is "Root CA\Certificate Revocation List" container only on my sub CA server.

For example:

There is "Intermediate CA\Certificate Revocation List" container but no "Root CA\Certificate Revocation List" container on the other machines (domain clients, root CA, and member servers) .

The Endpoint Certificates as well as the SubCA Certificate have some CDP entries. Where is the CRL localy located if I would revoke the certificate of my SubCA?
A2:
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData

Here is a similar thread for your reference.

CRL Cache in Win Server
https://social.technet.microsoft.com/Forums/ie/en-US/e5144995-5fda-4ffb-be4e-eb6c578c63b6/crl-cache-in-win-server?forum=winserversecurity

Hope the information above is helpful.

Should you have any question or concern, please feel free to let us know.

Best Regards,
Daisy Zhou

============================================

If the Answer is helpful, please click "Accept Answer" and upvote it.

Fabian 261 Reputation points

2021-07-09T09:30:51.363+00:00

Hello @Anonymous

Thank you for your answer. My question now is, Why?

What is the Revocation List container used for if there is a local cache?

Why is the Revocation List Container structure of the SubCA different from other computers?

Best regards, fabian

Answer 2

Hello @Fabian ,

I am sorry for the late reply. Thank you for your update.

Here are the answers for your references.

What is the Revocation List container used for if there is a local cache?
A1: I think the function of Revocation List container is the same as local cache.
Local cache is the store location of CRL files. And Revocation List container is UI display information.

Why is the Revocation List Container structure of the SubCA different from other computers?
A2: I think it is by design. I am sorry, I do not know why.

Hope the information above is helpful.

Should you have any question or concern, please feel free to let us know.

Best Regards,
Daisy Zhou

============================================

If the Answer is helpful, please click "Accept Answer" and upvote it.

Share via

Local CRL location of a revoked SubCA-Certificate

1 additional answer

Your answer