Channel: Security forum

Configuring grace period for CRL causes Microsoft to ignore Base CRL validity check


Hi all,

I recently noticed a very strange behavior during a certificate validation check on a workstation using the CRL extended validity period.

My goal was to check the certificate validation process using cached CRLs and the validation behavior using the CRL extended validity configuration at domain (computer) level.

I created a lab domain environment with the following specs:

  • DC - Win Server 2012 R2
  • Enterprise Root CA + CDP (IIS) - Win Server 2016
  • Workstation - Win 10

Below are the detailed tests performed on the workstation:

  1. Performed a sanity check trying to validate an endpoint certificate issued by the CA (using the command certutil -q -verify test.crt); everything looked fine and the command ended with no problems.
  2. Turned off the CDP website, cleared the CRL cache on the workstation (computer + user cache) and tried to validate the certificate again, which failed as expected (revocation server was offline error).
  3. Used certutil -f -addstore root labrca.crl / labrca+.crl to add both CRLs to the local certificate store.
  4. Used certutil again to validate the certificate, this time with success.
  5. Waited until the delta CRL expired and tried to validate again; as expected it failed (revocation offline).
  6. Configured a CRL extended validity period of 1 hour using a GPO linked to the workstation OU.
  7. Updated Group Policy on the workstation and tried to validate the cert again; as expected it succeeded (the CRL was only half an hour expired).

Now, the problem started when using a cached, expired Base CRL (1 day expired) and a new, valid Delta CRL to validate the certificate on the workstation (configured to extend CRL validity time by 1 hour, as defined in the GPO above).

The certutil -verify command simply ignores the Base CRL being 1 day expired and, satisfied with the Delta CRL being valid, returns a success code.

Disabling the CRL grace (extended validity period) causes certutil -verify to fail as expected.

Does anyone know why the validation check acts like this when using the CRL extended validity period? I really expected the validation check to fail when an expired CRL (base or delta) is used, even with extended validity configured, once "NextUpdate + GracePeriod" has passed.

Thanks, and I hope there is a logical answer so that this is not a bug.

Bruno
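As an added example (not part of the post above), here is the check the poster expected, written in Python: a minimal DER walker reads ThisUpdate/NextUpdate from each cached CRL, and every CRL, base and delta alike, must satisfy now <= NextUpdate + grace. The file names and the LAB-RCA issuer are placeholders, and the sample CRLs are constructed inline with an unsigned placeholder signature; on a real workstation, pass the bytes of the exported base and delta CRL files to check_crls.

```python
import datetime as dt

def _tlv(data, pos):
    """Read one DER TLV at pos -> (tag, value, position after it); handles long-form lengths."""
    tag, ln, pos = data[pos], data[pos + 1], pos + 2
    if ln & 0x80:  # long form: the low 7 bits give the number of length bytes that follow
        ln, pos = int.from_bytes(data[pos:pos + (ln & 0x7F)], "big"), pos + (ln & 0x7F)
    return tag, data[pos:pos + ln], pos + ln
def _time(tag, val):  # 0x17 = UTCTime (YYMMDDhhmmssZ), 0x18 = GeneralizedTime (YYYYMMDDhhmmssZ)
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return dt.datetime.strptime(val.decode(), fmt).replace(tzinfo=dt.timezone.utc)

def crl_validity(der):
    """Return (thisUpdate, nextUpdate) of a DER-encoded CertificateList (RFC 5280 section 5.1)."""
    _, outer, _ = _tlv(der, 0)      # CertificateList ::= SEQUENCE { tbsCertList, sigAlg, signature }
    _, tbs, _ = _tlv(outer, 0)      # TBSCertList
    tag, _, pos = _tlv(tbs, 0)      # optional version INTEGER; if absent this was the signature AlgId
    if tag == 0x02:
        _, _, pos = _tlv(tbs, pos)  # signature AlgorithmIdentifier
    _, _, pos = _tlv(tbs, pos)      # issuer Name
    tag, val, pos = _tlv(tbs, pos)  # thisUpdate
    this_update, next_update = _time(tag, val), None
    if pos < len(tbs) and tbs[pos] in (0x17, 0x18):  # nextUpdate is OPTIONAL in the ASN.1
        next_update = _time(*_tlv(tbs, pos)[:2])
    return this_update, next_update

def check_crls(crls, grace, now):
    """Rule the poster expected: EVERY cached CRL (base and delta) must satisfy now <= NextUpdate + grace."""
    verdicts = {}
    for name, der in crls.items():
        nxt = crl_validity(der)[1]
        verdicts[name] = nxt is not None and now <= nxt + grace
    return all(verdicts.values()), verdicts  # one expired CRL fails the whole check

# ---- constructed sample input: minimal v2 CRLs with a placeholder (unsigned) signature ----
def _der(tag, body):  # short-form length is enough for these small samples
    return bytes([tag, len(body)]) + body
def make_sample_crl(this_update, next_update):
    alg = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010b")) + _der(0x05, b""))  # sha256WithRSA
    issuer = _der(0x30, _der(0x31, _der(0x30, _der(0x06, bytes.fromhex("550403")) + _der(0x0C, b"LAB-RCA"))))
    utc = lambda d: _der(0x17, d.strftime("%y%m%d%H%M%SZ").encode())
    tbs = _der(0x30, _der(0x02, b"\x01") + alg + issuer + utc(this_update) + utc(next_update))
    return _der(0x30, tbs + alg + _der(0x03, b"\x00" * 9))

def demo(grace_hours=1):  # scenario from the post: base CRL 1 day expired, delta still valid, 1 hour grace
    now, h = dt.datetime(2024, 1, 10, 12, 0, tzinfo=dt.timezone.utc), dt.timedelta(hours=1)
    crls = {"labrca.crl": make_sample_crl(now - 192 * h, now - 24 * h),
            "labrca+.crl": make_sample_crl(now - 2 * h, now + 12 * h)}
    return check_crls(crls, grace=grace_hours * h, now=now)
```

Calling demo() returns (False, {'labrca.crl': False, 'labrca+.crl': True}): the expired base CRL fails the chain even though the delta CRL is inside its window, which is the result the poster expected from certutil -verify.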
