Article ID: 289749
This article contains answers to some frequently asked questions (FAQ) about Certificate Revocation Lists (CRLs) and Microsoft Internet Information Services (IIS) 5.0.
Q1: What is a Certificate Revocation List (CRL), and what is a CRL Distribution Point (CDP)?
A1: A CRL is a file that contains a list of revoked certificates, their serial numbers, and their revocation dates. A CRL file also contains the name of the issuer of the CRL, the effective date, and the next update date. By default, the shortest validity period of a CRL is one hour.
A CDP is the location where you can download the latest CRL. A CDP is typically listed in the CRL Distribution Points field of the Details tab of the certificate. It is common to list multiple CDPs that use different access methods to make sure that programs, such as Web browsers and Web servers, can always obtain the latest CRL.
The following are examples of CDP entries:
Q2: When does IIS 5.0 retrieve a CRL?
CRL Distribution Point Distribution Point Name: Full Name: URL=ldap:///CN=SecTestCA1,CN=SECTESTCA1,CN=CDP,CN=Public%20Key%20Services, CN=Services,CN=Configuration,DC=rte,DC=microsoft, DC=com?certificateRevocationList?base?objectclass=cRLDistributionPoint CRL Distribution Point Distribution Point Name: Full Name: URL=http://sectestca1.rte.microsoft.com/CertEnroll/SecTestCA1.crl CRL Distribution Point Distribution Point Name: Full Name: URL=file://\\sectestca1.rte.microsoft.com\CertEnroll\SecTestCA1.crl
A2: Each CRL has an effective date. The effective date is also referred to as the "next update" or the "validity period." IIS 5.0 retrieves a CRL only if one of the following conditions is true:
A3: No. Only the first, or top, location is used. If unsuccessful, IIS 5.0 tries the next CRL distribution point.
Q4: Are the contents of each CRL at each CRL distribution point downloaded and combined?
A4: No. Only one CRL is downloaded.
Q5: Are CRLs stored on the computer that is running IIS 5.0?
A5: Yes. However, any consequences that result from the manipulation of the CRL are not supported by Microsoft Product Support Services.Q6: How are CRLs identified? That is, what extension do CRL files use?
A6: CRLs use a .crl extension. For example, CRLFileName.crl.
Note The FileName is listed in the CRL distribution point on the certificate.
Q7: What occurs if IIS 5.0 cannot find one of the CRLs?
A7: By default, IIS 5.0 fails if the CRL of a certificate cannot be accessed. Therefore, multiple paths and protocols are used to the same CRL distribution point. For example, the following protocols and paths are used in the URL of a CRL distribution point:
A8: Yes, you receive the same error message in both scenarios. You receive the following error message:
HTTP 403.13 Forbidden: Client certificate revoked
The page requires a valid client certificate
Q9: You experience one of the following symptoms:
Q10: Is it possible to force the cached CRL to update?
A10: You cannot force the cached CRL to update. The CRL has an expiration date. When the CR expires, the CRL is renewed.
All certificates are stored in the cache when the certificates are selected from a store or from a URL. The only difference is the location where the cached certificates are stored. Certificates can be stored in the following locations:
Q12: Can IIS 5.0 perform "real time" CRL checking?
A12: No. IIS 5.0 uses the CRL in the cache until the CRL expires. The lowest validity period for a CRL that is published by Microsoft Certificate Services is one hour. You can delete the CRL from the cache to force the retrieval of a new CRL. However, the new CRL still has the same validity period.
For more information about Internet X.509 Public Key Infrastructure Certificate and CRL profile, visit the following Internet Engineering Task Force (IETF) Web site:
Request for Comments (RFC) 2459
Article ID: 289749 - Last Review: June 19, 2014 - Revision: 9.0