white letters QA on red background

Ways to Check the Revocation Status of Certificates

Q: What's the difference between using certificate revocation lists (CRLs) and the Online Certificate Status Protocol (OCSP) for certificate validation?

A: A CRL is a list that's generated by a Certification Authority (CA). It contains the serial numbers of invalid certificates. Certificates can end up on this blacklist if the corresponding private key was compromised (e.g., a user loses his or her Windows authentication smart card). Such an event must trigger the CA administrator to add the associated certificate to its CRL. Each time an application uses a certificate for authenticating a user or service, it must check the CRL. If a certificate is listed on the CRL, the user or service authentication using that certificate will fail.

CRLs have a limited lifetime, and each Windows CA automatically publishes a new CRL at predefined intervals as specified by the CA administrator using the CRL publication interval parameter. A CRL Distribution Point (CDP) is an X.509 certificate field that tells an application where the latest CRL can be downloaded. CDPs are typically HTTP addresses, but LDAP URLs are often used, too.

An important issue concerning CRLs is the frequency in which their revocation information is updated. A CRL's revocation information is only as recent as the latest CRL publication date. To provide more up-to-date revocation information to public key infrastructure (PKI)-enabled applications, most CAs (including the Windows CA) support delta CRLs. Delta CRLs are small CRLs that can be issued more frequently and that never repeat the same revocation information. They only hold the serial numbers of the certificates that were revoked since the last delta CRL or the last base CRL. (A base CRL is the classic CRL that's published periodically, as defined in the previous paragraph.)

Another solution for providing more up-to-date revocation information to PKI-enabled applications is the Online Certificate Status Protocol. OCSP allows a PKI-enabled application to contact an OCSP server (also called an OCSP responder) to check for a certificate's revocation status in real time. OCSP responses are smaller than CRL or delta CRL responses, which makes them more network friendly, even if they're used at real-time rates.

Microsoft supports CRLs from the early days of the Microsoft PKI software in Windows 2000. It introduced delta CRL support in Windows Server 2003. Starting in Windows Server 2008, Microsoft includes an OCSP responder.

To limit the network impact of downloading CRLs and OCSP information to Windows machines, a Windows PKI client also caches CRL and OCSP information locally on the Windows machine. For more information about this caching process, see "Understanding the Caching Mechanisms Used During Certificate Validation."

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.