Q: How can I make sure a certificate hasn't been revoked? I would also like to know whether the certificate's CRL Distribution Points (CDPs) and the Certificate Revocation Lists (CRLs) at those CDPs are valid.
A: The easiest way to verify certificate revocation information, CDPs, and CRLs is to use the URL Retrieval Tool, which is invoked using the Certutil.exe command-line tool. Certutil.exe is included in Windows OSs and can be used for different certificate management tasks. Here's how to use it:
- Put a copy of the certificate you want to check in the file system—specifically, in the root of your user profile folder. (This is the folder that shows up when you open a command prompt.)
- Run the following command to open the URL Retrieval Tool:
In this command, you must replace
- In the URL Retrieval Tool, which Figure 1 shows, select the CRLs (from CDP) option and click the Retrieve button.
If the certificate is revoked, you'll get a Revoked status message. If the certificate is valid, you'll get a Verified status message. If the test fails, the Status column will specify Failed.
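
The same check can be scripted. The following PowerShell is an added example, not part of the original answer. It does not drive the URL Retrieval Tool; it uses the .NET `X509Chain` class to fetch revocation data online. The function name `Test-CertificateRevocation` and the file name `cert.cer` are assumptions, and the result labels are chosen to mirror the tool's Revoked, Verified and Failed messages.

```powershell
using namespace System.Security.Cryptography.X509Certificates

function Test-CertificateRevocation {
    param(
        # Path to the certificate file to check (hypothetical name in the call below).
        [Parameter(Mandatory)] [string] $Path
    )

    $cert = [X509Certificate2]::new((Resolve-Path -LiteralPath $Path).ProviderPath)

    # CRL Distribution Points extension (OID 2.5.29.31): the URLs the CRLs come from.
    $cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    $cdpText = if ($cdp) { $cdp.Format($true) } else { '(no CDP extension)' }

    # Build the chain with online revocation checking of the end certificate only.
    $chain = [X509Chain]::new()
    $chain.ChainPolicy.RevocationMode      = [X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag      = [X509RevocationFlag]::EndCertificateOnly
    $chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(15)
    $null = $chain.Build($cert)

    # Each ChainStatus entry carries one status flag; an empty list means no error.
    $status = @($chain.ChainStatus | ForEach-Object { $_.Status })

    # Map the revocation-related flags onto three outcomes.
    $revocation = if ($status -contains [X509ChainStatusFlags]::Revoked) { 'Revoked' }
    elseif ($status -contains [X509ChainStatusFlags]::RevocationStatusUnknown -or
            $status -contains [X509ChainStatusFlags]::OfflineRevocation) { 'Failed' }
    else { 'Verified' }

    [pscustomobject]@{
        Subject     = $cert.Subject
        Revocation  = $revocation
        ChainStatus = if ($status.Count) { $status -join ', ' } else { 'NoError' }
        CDP         = $cdpText.Trim()
    }
}

# Example call; the certificate sits in the root of the user profile folder.
Test-CertificateRevocation -Path "$env:USERPROFILE\cert.cer"
```

`Verified` here only means that no revocation-related flag was set; other chain problems, such as an untrusted root, appear in the `ChainStatus` field and should be read alongside it.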