Understanding Access to Microsoft Certificate Revocation List

High-Level Overview

We encourage you to enhance this guide by identifying missing areas (scenarios, features, lifecycle...), provide links to and write descriptions of existing content, and providing new content where there are gaps. Join the community!

Introduction

This is an overview article about a scenario where firewall administrator started to see a great variety of traffic going to the URL http://crl.microsoft.com/pki/* while reviewing the firewall logs. As the traffic was coming from different client’s profiles the core question was raised: why my clients are going to http://crl.microsoft.com/pki/* ? Although this was a question from the firewall administrator while reviewing the logs, this is also a subject of many discussions in the IT Pro community space, as shown this thread.

 

Certificate Revocation List

The concept of Certificate Revocation List (CRL) can be found here, but in the summary this is a list of certificates that are not valid, either because they expired or because they were forced to be revoked (for example when a certificate is compromised). When the client is validating a certificate it is common to access this list to perform this validation. The capability of performing the CRL check can be controlled by the application as explained in this article. Note that disabling CRL check is not recommended in a production environment, unless you are troubleshooting an issue and wants to isolate if the problem is related to CRL validation. Make sure to turn it on again after performing the validation.

 

Microsoft Products

When starting a .NET application, the .NET Framework will attempt to download the CRL for any signed assembly. If the system that you are running does not Internet access, or is restricted from accessing the Microsoft.com domain, you might face a delay starting up or running some applications. All managed code goes through a certificate check against crl.microsoft.com by .net runtime before startup as stated in this article. This can also affect performance while installing some applications, such as BizTalk Server as explained in this article.

There are many other Microsoft products that are affected by the system’s incapability of accessing Microsoft’s CRL site:

• Exchange Server 2007 managed code services do not start after you install an update rollup for Exchange Server 2007

• Activation fails when you try to activate Windows Vista or Windows Server 2008 over the Internet

• Description of Update Rollup 3 for Microsoft Exchange Server 2010 Release to Manufacturing

• "Message Number 32777" Error Message When You Try to Activate Windows Server 2003 Over the Internet

• You cannot install SQL Server 2005 Service Pack 1 on a SQL Server 2005 failover cluster if the failover cluster is behind a firewall

 

Conclusion

While it is important to keep secure access to Internet from the enterprise standpoint, it is also important to make sure that applications that require Internet access to validate CRL are capable of doing it. CRL checking is a secure mechanism that helps validate the validity of a certificate. Chances are that your company is already allowing access to the core Microsoft sites due Windows Update functionality (as per KB885819), in this case, make sure to add crl.microsoft.com to the list (on your firewall or proxy) and you should avoid issues of this nature.

This article was originally written by:

Yuri Diogenes, Senior Technical Writer Windows Server iX | IT Pro Security Microsoft Corporation

Yuri’s Blog:http://blogs.technet.com/yuridiogenes
Team’s Blog:http://blogs.technet.com/b/securitycontent
Twitter:http://twitter.com/yuridiogenes