This article contains answers to some frequently asked questions (FAQ) about Certificate Revocation Lists (CRLs) and Microsoft Internet Information Services (IIS) 5.0.
Q1: What is a Certificate Revocation List (CRL), and what is a CRL Distribution Point (CDP)?
A1: A CRL is a file that contains a list of revoked certificates, their serial numbers, and their revocation dates. A CRL file also contains the name of the issuer of the CRL, the effective date, and the next update date. By default, the shortest validity period of a CRL is one hour.
A CDP is the location where you can download the latest CRL. A CDP is typically listed in the CRL Distribution Points field of the Details tab of the certificate. It is common to list multiple CDPs that use different access methods to make sure that programs, such as Web browsers and Web servers, can always obtain the latest CRL.
The following are examples of CDP entries:
CRL Distribution Point
  Distribution Point Name:
    Full Name:
      URL=ldap:///CN=SecTestCA1,CN=SECTESTCA1,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=rte,DC=microsoft,DC=com?certificateRevocationList?base?objectclass=cRLDistributionPoint
CRL Distribution Point
  Distribution Point Name:
    Full Name:
      URL=http://sectestca1.rte.microsoft.com/CertEnroll/SecTestCA1.crl
CRL Distribution Point
  Distribution Point Name:
    Full Name:
      URL=file://\\sectestca1.rte.microsoft.com\CertEnroll\SecTestCA1.crl
Q2: When does IIS 5.0 retrieve a CRL?
A2: Each CRL has an effective date. The effective date is also referred to as the "next update" or the "validity period." IIS 5.0 retrieves a CRL only if one of the following conditions is true:
- The CRL of the certificate is not contained in the IIS 5.0 cache.
- The effective date of the CRL in the IIS 5.0 cache has passed.
Q3: If the certificate contains several CRL Distribution Points, does IIS 5.0 retrieve the CRL from each location?
A3: No. Only the first, or top, location is used. If unsuccessful, IIS 5.0 tries the next CRL distribution point.
Q4: Are the contents of each CRL at each CRL distribution point downloaded and combined?
A4: No. Only one CRL is downloaded.
Q5: Are CRLs stored on the computer that is running IIS 5.0?
A5: Yes. However, any consequences that result from the manipulation of the CRL are not supported by Microsoft Product Support Services.
Q6: How are CRLs identified? That is, what extension do CRL files use?
A6: CRLs use a .crl extension. For example, CRLFileName is listed in the CRL distribution point on the certificate.
A7: By default, IIS 5.0 fails if the CRL of a certificate cannot be accessed. Therefore, multiple paths and protocols are used to the same CRL distribution point. For example, the following protocols and paths are used in the URL of a CRL distribution point:
- Lightweight Directory Access Protocol (LDAP)
Q8: What error message appears in the Web browser if an effective CRL cannot be obtained? Is the same error message displayed if the CRL is obtained and if the certificate is revoked?
A8: Yes, you receive the same error message in both scenarios. You receive the following error message:
HTTP 403.13 Forbidden: Client certificate revoked
The page requires a valid client certificate
Q9: You experience one of the following symptoms:
- You make the CRL unavailable. However, IIS does not retrieve a new CRL and does not appear to fail.
- You revoke a certificate and republish the CRL. However, IIS 5.0 still lets users locate a Web site by using the revoked certificate.
A9: Both these scenarios are related to the same issue. IIS 5.0 still uses a cached CRL that has not passed its effective date. For more information, see "Q2: When does IIS 5.0 retrieve a CRL?".
Q10: Is it possible to force the cached CRL to update?
A10: You cannot force the cached CRL to update. The CRL has an expiration date. When the CRL expires, the CRL is renewed.
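The retrieval and caching rules stated in A2, A3, A4 and A7, and the Q9 symptom they produce, modelled as an added Python example (constructed for this article; not IIS or Microsoft code). It assumes a pluggable fetch(url) callback standing in for the real CDP download, and reuses the LDAP and HTTP CDP URLs from the A1 certificate example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

LDAP_CDP = (  # first CDP listed in the A1 certificate example
    "ldap:///CN=SecTestCA1,CN=SECTESTCA1,CN=CDP,CN=Public%20Key%20Services,CN=Services,"
    "CN=Configuration,DC=rte,DC=microsoft,DC=com?certificateRevocationList?base"
    "?objectclass=cRLDistributionPoint")
HTTP_CDP = "http://sectestca1.rte.microsoft.com/CertEnroll/SecTestCA1.crl"  # second CDP from A1
REVOKED = "HTTP 403.13 Forbidden: Client certificate revoked"   # A8: one message for both cases

@dataclass(frozen=True)
class Crl:
    next_update: datetime         # the FAQ's "effective date" / "next update"
    revoked_serials: frozenset

class CrlCache:
    """Constructed model of the caching rules stated in A2, A3, A4 and A7; not IIS code."""
    def __init__(self, fetch):
        self._fetch = fetch       # fetch(url) -> Crl, or None when that CDP is unreachable
        self._cache = {}          # issuer name -> cached Crl
        self.fetch_log = []       # every CDP URL that was actually tried

    def get_crl(self, issuer, cdp_urls, now):
        cached = self._cache.get(issuer)
        if cached is not None and now < cached.next_update:
            return cached         # A2: cached CRL is still within its validity period
        for url in cdp_urls:      # A3: top-down, first success wins; A4: nothing is merged
            self.fetch_log.append(url)
            crl = self._fetch(url)
            if crl is not None:
                self._cache[issuer] = crl
                return crl
        return None               # every CDP failed

    def check_client_cert(self, issuer, serial, cdp_urls, now):
        crl = self.get_crl(issuer, cdp_urls, now)
        # A7: no reachable CRL is a failure; A8: a revoked serial gives the same status
        return REVOKED if crl is None or serial in crl.revoked_serials else "OK"

def demo_stale_cache():
    """Reproduce the Q9 symptom with a constructed CA that publishes one-hour CRLs over HTTP only."""
    t0 = datetime(2001, 1, 1, 12, 0)
    published = {HTTP_CDP: Crl(t0 + timedelta(hours=1), frozenset())}
    cache = CrlCache(published.get)                 # LDAP lookups return None here
    cdps = [LDAP_CDP, HTTP_CDP]
    first = cache.check_client_cert("SecTestCA1", 0x1234, cdps, t0)
    # Ten minutes later the CA revokes serial 0x1234 and republishes the CRL.
    published[HTTP_CDP] = Crl(t0 + timedelta(hours=2), frozenset({0x1234}))
    stale = cache.check_client_cert("SecTestCA1", 0x1234, cdps, t0 + timedelta(minutes=10))
    fresh = cache.check_client_cert("SecTestCA1", 0x1234, cdps, t0 + timedelta(minutes=61))
    return first, stale, fresh, list(cache.fetch_log)
```

Running demo_stale_cache() shows the revoked certificate still accepted ten minutes after republication and rejected only once the cached CRL's next-update time has passed, with the LDAP CDP tried (and failing) before the HTTP one on each retrieval.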
All certificates are stored in the cache when the certificates are selected from a store or from a URL. The only difference is the location where the cached certificates are stored. Certificates can be stored in the following locations:
- Memory
All retrieved certificates are cached in memory.
- CA Store
All certificates that are retrieved from any WinInet-supported URLs, such as HTTP, FTP, LDAP, and FILE, by using the Authority Information Access (AIA) extension are cached in the CA store.
- Local file system
If the retrieval URL is ldap://, ftp://, or http://, the certificate or CRL is also cached by WinInet in the local file system. The cache is stored in the Documents and Settings\UserName\Local Settings\Temporary Internet Files folder.
For additional information about certificates and about caching, visit the following Microsoft Web site: