white letters QA on red background

Making Sure a Certificate Hasn't Been Revoked

Q: How can I make sure a certificate hasn't been revoked? I would also like to know whether the certificate's CRL Distribution Points (CDPs) and the Certificate Revocation Lists (CRLs) at those CDPs are valid.

A: The easiest way to verify certificate revocation information, CDPs, and CRLs is to use the URL Retrieval Tool, which is invoked using the Certutil.exe command-line tool. Certutil.exe is included in Windows OSs and can be used for different certificate management tasks. Here's how to use it:

  1. Put a copy of the certificate you want to check in the file system—specifically, in the root of your user profile folder. (This is the folder that shows up when you open a command prompt.)
  2. Run the following command to open the URL Retrieval Tool:
certutil -URL 

In this command, you must replace with the name of the certificate you want to check (in this example, jan.cer). Note that you don't necessarily need an elevated command prompt to run this command.

  1. In the URL Retrieval Tool, which Figure 1 shows, select the CRLs (from CDP) option and click the Retrieve button.
Figure 1: Launching the URL Retrieval Tool
Figure 1: Launching the URL Retrieval Tool

If the certificate is revoked, you'll get a Revoked status message. If the certificate is valid, you'll get a Verified status message. If the test failed, the Status column will specify Failed.

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.