I've recently set up a new domain-joined Standalone CA on a Windows 2012 R2 server which is publicly accessible and authenticating fine; however, revoked certificates still appear to be authenticating. The actual server-side revoke process works fine, in that the revoked certificate gets added to the CRL after publishing, but the certificate still authenticates at the client end.
I've added externally accessible CDP and AIA locations and have cleared the local CRL cache the client end using the following commands:
certutil -urlcache CRL delete
&
certutil -setreg chain\ChainCacheResyncFiletime @now
I'm aware of the minimum OS requirements for the last command. Clients are Windows 7 upwards.
I'm using a simple test app on the client that is configured to use the one certificate, so if revoked it would simply stop working, but that isn't the case in this instance. If I remove the certificate from the local certificate stores then it does stop working, so I'm confident that it's dependent on this one certificate.
All web searches so far have led to the above commands and making sure the CDP is externally resolvable but I've covered those issues already.
I appreciate any advice.
Thought it was worth reporting my findings.
Turns out that Windows was revoking the certificates but there was some local caching of the CRL taking place as is intended by design. It seems that even when the certificate is showing as revoked, a cached copy is still used regardless until a specific period has passed, however, from my understanding the two commands I ran in my initial post should have expired this and requested an up-to-date one from the server but doesn't appear to be the case.
I've introduced delta CRLs, which have made troubleshooting much quicker, and all seems fine now, so a false alarm ultimately.
Thanks for your advice Greg
I'm using a simple test app on the client that is configured to use the one certificate so if revoked would simply stop working
You need to verify the client is checking the CRL with a packet capture to your CRL on tcp/80. That would take five minutes.
If you want to validate that Windows CRL checking is working, you can use the following command on the client:
You also need to enable the CAPI2 event log, any CRL check failures will be logged there.
But the way an application uses and validates a certificate is not necessarily the same as how Windows would use and validate a certificate.
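One way to run the check described in this answer, forcing the Windows chain engine to fetch the CRL online and then reading what CAPI2 logged, as an added example that is not part of the original thread. It assumes an elevated PowerShell session and that the operator supplies the thumbprint of the test certificate.

```powershell
# Added example (not from the original post): check a certificate's revocation
# status through the Windows chain engine with online CRL retrieval, then show
# the CAPI2 events that record the CRL fetch. Run in an elevated PowerShell.
param(
    [Parameter(Mandatory)] [string]$Thumbprint   # thumbprint of the cert under test (assumed input)
)

# 1. Enable the CAPI2 Operational log so chain building and CRL fetches are recorded.
wevtutil sl Microsoft-Windows-CAPI2/Operational /e:true

# 2. Flush the URL cache so the next check cannot be served from a stale CRL copy.
certutil -urlcache CRL delete | Out-Null

# 3. Locate the certificate in the user or machine personal store.
$cert = Get-ChildItem Cert:\CurrentUser\My, Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $Thumbprint } | Select-Object -First 1
if (-not $cert) { throw "Certificate $Thumbprint not found in the My stores" }

# 4. Build the chain with revocation checking forced online for the whole chain.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
$chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(15)

$valid = $chain.Build($cert)
"Chain valid: $valid"
foreach ($s in $chain.ChainStatus) { "{0}: {1}" -f $s.Status, $s.StatusInformation.Trim() }
# A revoked certificate reports Status 'Revoked'. 'RevocationStatusUnknown' or
# 'OfflineRevocation' means the CRL could not be fetched at all (CDP unreachable),
# which is a different problem from a stale cached CRL being accepted.

# 5. Show recent CAPI2 events that mention CRL or revocation processing.
Get-WinEvent -LogName Microsoft-Windows-CAPI2/Operational -MaxEvents 200 |
    Where-Object { $_.TimeCreated -gt (Get-Date).AddMinutes(-5) -and $_.Message -match 'CRL|Revocation' } |
    Select-Object TimeCreated, Id, LevelDisplayName, @{n='Summary'; e={ ($_.Message -split "`n")[0] }} |
    Format-Table -AutoSize
```

If this chain build reports Revoked while the test application still accepts the certificate, the application is doing its own (or no) revocation checking, which is the distinction made at the end of the answer.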