Certificate Revocation not working as it should


Hi everyone,

I have a few questions about certificate revocation. I have just implemented a 2-tier Server 2012 enterprise PKI infra: 1 offline root and 4 issuing CAs. There are also four other servers that have shared folders that serve as CDP points. I also have OCSP (a four-node cluster set).

I wanted to test and document the certificate revocation process. I issued a certificate for a web server in my environment. When connecting over HTTPS I can see that the cert is being used. I have revoked the certificate on the issuing server.

I did not want to wait until the delta CRL expired, so I ran the certutil -CRL command to publish new revocation information. I confirmed this ran successfully and updated ALL of my CDPs. When I go to that website, the certificate still shows as valid. I ran the following commands to delete the local CRL cache:

certutil -urlcache * delete

certutil -setreg chain\ChainCacheResyncFiletime @now

The cert still shows as valid. I also tried rebooting the machine. No luck.

A few questions:

1. After running certutil -CRL and rebooting a machine, should the revoked certificate not block access to the website?

2. On the day I revoked the certificate I ran certutil -urlfetch -verify and the cert showed as valid; the following morning I ran that command again and the cert showed as revoked. Should the urlfetch command not have pulled down the latest CRL from the CDP? If I browse manually to the CDP via HTTP, the base CRL has the revoked certificate in its list.

3. When I run certutil -url on the exported certificate, the cert still shows as valid when running the CRL test. When I run the OCSP test, it started to fail only about 15 hours after the certificate was revoked, not before. However, access to the website is still allowed.

PKIView shows the environment as all OK (no errors or warnings).

What am I doing wrong here? How long should it be before clients are stopped from accessing websites with a revoked certificate?

Thanks
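The timing the post describes (the cert showing as revoked only the next morning, after the CRL published with certutil -CRL) is what you get when a relying party keeps using the CRL it already has until that CRL's NextUpdate passes. The following is an added example, not code from the poster or from Microsoft: a stdlib-only walk over a DER CRL that pulls out ThisUpdate, NextUpdate and the revoked serials, plus a model of a client that only consults the freshly published CDP copy once its cached CRL has expired. The CRL is constructed in the block (unsigned, empty issuer, UTCTime dates as Windows CAs emit them) and the timeline is an assumption: CRL cached at 09:00 with a 24-hour NextUpdate, cert 0x1A2B revoked at 10:00, new CRL published at 11:00, checks made at 12:00 and at 10:00 the next day.

```python
import datetime as dt

def _tlv(tag, body):  # DER short-form encoder, enough for the small sample below
    assert len(body) < 0x80
    return bytes([tag, len(body)]) + body

def _children(der):  # split a DER body into its (tag, value) elements
    out, pos = [], 0
    while pos < len(der):
        tag, n, pos = der[pos], der[pos + 1], pos + 2
        if n & 0x80:  # long-form length: low 7 bits give the byte count
            n, pos = int.from_bytes(der[pos:pos + (n & 0x7F)], "big"), pos + (n & 0x7F)
        out.append((tag, der[pos:pos + n]))
        pos += n
    return out

def _utc(val):  # UTCTime "YYMMDDHHMMSSZ"; Windows CAs emit this form until 2050
    return dt.datetime.strptime(val.decode(), "%y%m%d%H%M%SZ")

def parse_crl(der):
    """Return (thisUpdate, nextUpdate, {serial: revocationDate}) from a DER CRL."""
    tbs = _children(_children(_children(der)[0][1])[0][1])  # tbsCertList fields
    i = 3 if tbs[0][0] == 0x02 else 2  # skip optional version, signature, issuer
    this_update, next_update, revoked = _utc(tbs[i][1]), _utc(tbs[i + 1][1]), {}
    if len(tbs) > i + 2 and tbs[i + 2][0] == 0x30:  # revokedCertificates present
        for _, entry in _children(tbs[i + 2][1]):
            (_, serial), (_, when) = _children(entry)[:2]
            revoked[int.from_bytes(serial, "big")] = _utc(when)
    return this_update, next_update, revoked

def client_sees_revoked(cached_crl, cdp_crl, serial, now):
    """A client keeps using its cached CRL until NextUpdate, then fetches the CDP copy."""
    _, cached_next, cached_revoked = parse_crl(cached_crl)
    if now < cached_next:
        return serial in cached_revoked
    return serial in parse_crl(cdp_crl)[2]

def build_sample_crl(this_update, next_update, revoked):
    """Constructed, unsigned sample CRL; issuer and signature are empty placeholders."""
    ut = lambda d: _tlv(0x17, d.strftime("%y%m%d%H%M%SZ").encode())
    ser = lambda s: _tlv(0x02, s.to_bytes((s.bit_length() + 8) // 8, "big"))
    entries = b"".join(_tlv(0x30, ser(s) + ut(t)) for s, t in revoked.items())
    tbs = (_tlv(0x02, b"\x01") + _tlv(0x30, b"") + _tlv(0x30, b"") + ut(this_update)
           + ut(next_update) + (_tlv(0x30, entries) if entries else b""))
    return _tlv(0x30, _tlv(0x30, tbs) + _tlv(0x30, b"") + _tlv(0x03, b"\x00"))

def demo():  # constructed timeline from the lead-in; returns (seen at 12:00, seen next day)
    h = lambda n: dt.datetime(2014, 3, 10, 9, 0) + dt.timedelta(hours=n)
    cached, fresh = build_sample_crl(h(0), h(24), {}), build_sample_crl(h(2), h(26), {0x1A2B: h(1)})
    return client_sees_revoked(cached, fresh, 0x1A2B, h(3)), client_sees_revoked(cached, fresh, 0x1A2B, h(25))
```

Point parse_crl at a CRL downloaded from one of the CDP URLs and compare its NextUpdate with the copy certutil -urlcache still holds; until that time passes, clearing the cache on each relying party is the only way to make them pick up the new list early.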
