I want to start this blog with a very basic topic: CRL checking.
In the past we have documented a lot about CRL checking, but I still see that people have difficulties verifying whether a certificate is valid or not. We have two whitepapers about CRL troubleshooting:
Certutil.exe is the command-line tool for verifying certificates and CRLs. To get reliable verification results you must use certutil.exe, because the Certificates MMC snap-in does not verify the CRLs of a certificate chain. A certificate may therefore be shown as valid in the MMC snap-in, but once you verify it with certutil.exe you see that the certificate is actually invalid (or that its revocation status cannot be determined at all).
Remember that certutil.exe runs in the security context of the current logon session. This matters when you need to verify the validity of computer certificates: the machine account fetches CRLs through the WinHTTP proxy settings of the machine context, not through the Internet Explorer settings of your user. What if your user session has the right proxy settings but the machine context does not? In Windows Server 2003 and Windows XP, the proxy configuration of the machine context is shown and set with proxycfg.exe (proxycfg -u copies the current user's Internet Explorer proxy settings into the machine context). In Windows Vista and Windows Server Codename "Longhorn" (released as Windows Server 2008), use netsh winhttp show proxy to verify the proxy settings of the machine context, and netsh winhttp import proxy source=ie to copy the user's settings.
If you have a certificate and want to verify its validity, run the following command:
The URL can be an HTTP or LDAP URL. The nice thing about the -URL verb is that it opens a user interface in which the retrieval timeout can also be set. It can therefore happen that a CRL is retrievable with an extended retrieval timeout while certutil -verify fails, because -verify uses the default timeout. To extend the retrieval timeout for the -verify verb as well, use the -t option like this:
The -split option writes each downloaded object to a file named “BlobX_X_X.*” in your current working directory; if multiple CRLs are downloaded, several Blob*.* files are created. -split is a global option, so it can also be combined with other certutil verbs, for example:
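The following PowerShell wrapper is an added example (not code from the original post) that ties the pieces above together: it runs certutil -verify -urlfetch with an explicit -t timeout and -split from a scratch directory, turns the result into an object that can be tested in a script, and prints the machine (WinHTTP) proxy next to the user's (WinINet) proxy so a mismatch between the two contexts is visible. The certificate path, the 30-second timeout and the scratch directory are placeholders; the CryptoAPI status codes in the table are the standard CRYPT_E_* values that certutil prints in its output.

```powershell
# Added example: wrap certutil.exe so that CRL checking becomes scriptable.
# Assumptions: certutil.exe is on PATH; $CertPath points at a DER or Base64 certificate file;
# 'C:\temp\server.cer' and the 30-second timeout below are placeholders.

function Test-CrlWithCertutil {
    param(
        [Parameter(Mandatory = $true)][string]$CertPath,
        [int]$TimeoutSeconds = 30,                              # -t: retrieval timeout per URL
        [string]$WorkDir = (Join-Path $env:TEMP 'certutil-split')
    )

    # -split drops every retrieved CRL/certificate as Blob*.* into the current
    # directory, so run certutil from a dedicated scratch directory.
    if (-not (Test-Path $WorkDir)) { New-Item -ItemType Directory -Path $WorkDir | Out-Null }
    Push-Location $WorkDir
    try {
        $output = & certutil.exe -t $TimeoutSeconds -split -verify -urlfetch $CertPath 2>&1
        $exit = $LASTEXITCODE
    } finally {
        Pop-Location
    }

    # CryptoAPI status codes that certutil prints when chain building or revocation
    # checking fails. Scanning for them is independent of certutil's exit code.
    $known = @{
        '0x80092010' = 'CRYPT_E_REVOKED: the certificate is listed on a CRL'
        '0x80092012' = 'CRYPT_E_NO_REVOCATION_CHECK: no revocation information could be checked'
        '0x80092013' = 'CRYPT_E_REVOCATION_OFFLINE: CRL retrieval failed (timeout, proxy, DNS, ACL)'
    }
    $findings = @()
    foreach ($code in $known.Keys) {
        if ($output -match $code) { $findings += "$code $($known[$code])" }
    }

    New-Object PSObject -Property @{
        Certificate = $CertPath
        ExitCode    = $exit
        Passed      = ($exit -eq 0 -and $findings.Count -eq 0)
        Findings    = $findings
        Blobs       = @(Get-ChildItem -Path $WorkDir -Filter 'Blob*.*' | ForEach-Object { $_.Name })
        Output      = $output
    }
}

# Show both proxy configurations side by side: the machine context (WinHTTP) is
# what the computer certificate chain engine uses; the user context (WinINet)
# is what the MMC snap-in and Internet Explorer use.
function Show-ProxyContexts {
    Write-Host '--- WinHTTP proxy (machine context) ---'
    netsh winhttp show proxy
    Write-Host '--- WinINet proxy (current user) ---'
    Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' |
        Select-Object ProxyEnable, ProxyServer, AutoConfigURL
}

Show-ProxyContexts
$result = Test-CrlWithCertutil -CertPath 'C:\temp\server.cer' -TimeoutSeconds 30
$result | Select-Object Certificate, ExitCode, Passed, Findings, Blobs | Format-List
if (-not $result.Passed) { $result.Output }
```

Run the script in an elevated PowerShell window when you verify a computer certificate, and keep the Blob*.* files if the result is negative: opening the downloaded CRL with certutil -dump shows whether it is expired or simply does not list the serial number you expected. Because the script still runs in your logon session, a clean result only proves that the user context can reach the CDP; to exercise the machine context itself, schedule the same command as a task running as SYSTEM (schtasks /ru SYSTEM) and inspect its output file.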