Self-signed certificate is still trusted after revocation

I have created a Root CA and Server Certificate following didierstevens' blog. My browsers still trust the certificate even after revoking the server certificate. I was getting a "certificate revoked" error message for my old CA and certificate. I followed the same blog for creating a new CA and cert, but it is not working now.

I have hosted my test application in IIS 10.0.10586.0; my client browsers are Chrome 63.0.3239.132 and IE 11.1295.10586.0. I confirmed the CRL file is accessible and certificate revocation checking is turned on in both browsers. But still the CRL verification is not happening.

Answer

Certificate Revocation is a process that is handled by the browser/application that is handling the certificate in the first place. When it connects to the application and is presented the certificate, it first checks the Common Name (or SAN) to make sure the name of the server matches the certificate. After that, it does some other checks (not relevant for this question) and eventually gets to the CRL check.

The CRL check requires that the application reach out to the listed server hosting the CRL file (or OCSP server) to validate whether the certificate presented is still valid. This means that not only do you have to properly sign the CRL with the issuing certificate, you also have to host the CRL file in a way that the clients can access it. If the CRL isn't properly updated and signed, this would fail the CRL check in a way where the certificate is still valid.

Did you host the CRL in a location that is accessible to clients that would be checking the CRL in the first place?
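The two conditions in the answer (the CRL must be signed by the issuing CA, and it must be the *current* CRL that clients fetch) can be reproduced with openssl alone before blaming a browser. The script below is an added example, not the asker's setup or the blog's procedure: it builds a throwaway root CA, issues a server certificate with a CRL distribution point, revokes it, and shows that a relying party still trusts the certificate as long as it verifies against the CRL published *before* the revocation. Every name in it (Demo Root CA, test.example, http://crl.example/demo.crl) is a constructed placeholder; it assumes an `openssl` binary on the PATH and writes only into a temporary directory.

```shell
#!/bin/sh
# Added example (not from the original post): a throwaway CA, a server cert,
# a revocation, and what 'openssl verify -crl_check' sees before and after the
# CRL is re-issued. All names below are constructed placeholders.

# Fresh working directory plus a minimal 'openssl ca' configuration.
setup_pki() {
  PKI_DIR=$(mktemp -d) && cd "$PKI_DIR" || return 1
  cat > ca.cnf <<'EOF'
[ ca ]
default_ca        = demo_ca
[ demo_ca ]
dir               = .
database          = index.txt
serial            = serial
crlnumber         = crlnumber
new_certs_dir     = newcerts
certificate       = ca.crt
private_key       = ca.key
default_md        = sha256
default_days      = 365
default_crl_days  = 30
policy            = demo_policy
[ demo_policy ]
commonName        = supplied
[ req ]
distinguished_name = dn
[ dn ]
[ v3_ca ]
basicConstraints  = critical,CA:TRUE
keyUsage          = critical,keyCertSign,cRLSign
[ v3_server ]
basicConstraints  = CA:FALSE
keyUsage          = digitalSignature,keyEncipherment
extendedKeyUsage  = serverAuth
subjectAltName    = DNS:test.example
crlDistributionPoints = URI:http://crl.example/demo.crl
EOF
  mkdir newcerts && touch index.txt && echo 01 > serial && echo 01 > crlnumber &&
  # Self-signed root, then a server certificate issued and recorded by it.
  openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
    -subj "/CN=Demo Root CA" -days 365 -config ca.cnf -extensions v3_ca >/dev/null 2>&1 &&
  openssl req -newkey rsa:2048 -nodes -keyout server.key -out server.csr \
    -subj "/CN=test.example" -config ca.cnf >/dev/null 2>&1 &&
  openssl ca -batch -config ca.cnf -in server.csr -out server.crt \
    -extensions v3_server -notext >/dev/null 2>&1
}

# Publish a CRL signed with the CA key: this is the file the CDP URL must serve.
publish_crl() {
  openssl ca -config ca.cnf -gencrl -out demo.crl >/dev/null 2>&1 &&
  cat ca.crt demo.crl > trust_bundle.pem   # CA cert + CRL in one file for 'verify'
}

# Mark the server certificate revoked in the CA database.
# This does NOT change the CRL that was already published.
revoke_server_cert() {
  openssl ca -config ca.cnf -revoke server.crt >/dev/null 2>&1
}

# Relying-party view: chains to the CA and passes CRL checking?
# Exit 0 means trusted; non-zero means rejected (e.g. "certificate revoked").
server_cert_is_trusted() {
  openssl verify -crl_check -CAfile trust_bundle.pem server.crt >/dev/null 2>&1
}

# Two checks to run against the CRL actually served at the CDP:
# (a) its signature verifies against the issuing CA ...
crl_signed_by_ca() {
  openssl crl -in demo.crl -CAfile ca.crt -noout 2>&1 | grep -q "verify OK"
}
# (b) ... and the revoked certificate's serial number really is listed in it.
crl_lists_server_serial() {
  serial=$(openssl x509 -in server.crt -noout -serial | cut -d= -f2)
  openssl crl -in demo.crl -noout -text | grep -q "Serial Number: $serial"
}

main() {
  setup_pki || { echo "PKI setup failed"; return 1; }
  publish_crl
  server_cert_is_trusted && echo "1. fresh CRL, nothing revoked: trusted (expected)"
  revoke_server_cert
  server_cert_is_trusted && echo "2. revoked, but CRL not re-issued: STILL trusted (the trap)"
  crl_lists_server_serial || echo "   -> the stale CRL does not list the server serial"
  publish_crl
  crl_signed_by_ca && crl_lists_server_serial && echo "3. CRL re-issued: signed by the CA and lists the serial"
  server_cert_is_trusted || echo "   -> now rejected as revoked"
}
main
```

Step 2 is the situation the question describes: the revocation exists in the CA's database, but the file clients download is still the old CRL, so verification passes. Run `crl_signed_by_ca` and `crl_lists_server_serial` against the CRL fetched from the URL in the certificate's CRL distribution point (`openssl x509 -in server.crt -noout -text` shows it); if either fails, the browser cannot reach a "revoked" verdict no matter how its revocation settings are configured.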

Attribution
Source: Link, Question Author: user3771120, Answer Author: Andrew