Reputation: 10055
I'm trying to get my head around how Certificate Relocation Lists operate and how they update.
So say my server xyz.com has a certificate with a CRL Distribution Point configured as myissuer.com/thelist.crl.
Now I've monitored the communication on my network using Wireshark when connecting to xyz.com and I don't see any calls to myissuer.com to get the CRL.
So I've two questions:
When does the call to the CRL Distribution Point actually occur and how often?
If I download and install this CRL file manually, does my client still try and connect to the configured CRL Distribution Point?
Upvotes: 1
Views: 432
Reputation: 39241
When does the call to the CRL Distribution Point actually occur and how often?
The browser/client decides when to request the CRL. It could be "never".
If I download and install this CRL file manually does my client still try and connect to the configured CRL Distribution Point?
Usually yes, except if the client has its own cache with the CRL and the lifetime of the CRL has not expired.
What is not usual is that the client consults the system repository (e.g. the Windows keystore) to know if a CRL is installed. Note that the CRL expires, so it's important to have an updated copy.
See OCSP stapling if you want to optimize revocation checking for web sites: https://en.wikipedia.org/wiki/OCSP_stapling
Upvotes: 2
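To make the caching behaviour described in the answer concrete, here is an added example that is not part of the question or the answer above. It is written in Go against the standard library's crypto/x509 (Go 1.19 or later is assumed for x509.ParseRevocationList and RevocationList.CheckSignatureFrom). It builds, entirely in memory, a throwaway issuer CA, a leaf certificate for xyz.com whose CRL Distribution Point is http://myissuer.com/thelist.crl, and a CRL signed by that CA (all constructed test material; nothing is fetched over the network). It then shows the two decisions a client actually makes: whether a cached CRL is still usable (it goes back to the CDP only once nextUpdate has passed) and whether a given serial is on a CRL whose signature has first been verified against the issuer. The hostnames, serial numbers and the 24-hour CRL lifetime are placeholders.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// demoPKI is constructed test material: a throwaway issuer CA, a leaf for
// xyz.com carrying a CRL Distribution Point, and a CRL signed by that CA.
type demoPKI struct {
	ca   *x509.Certificate
	leaf *x509.Certificate
	crl  *x509.RevocationList
}

const revokedSerial = 4242 // placeholder serial of the leaf revoked in the demo CRL

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// buildDemoPKI creates the CA, the leaf and the CRL in memory (no network, no files).
func buildDemoPKI(now time.Time) *demoPKI {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Demo Issuer CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		// CRLSign is required: a CA key without it may not sign CRLs at all.
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	check(err)
	ca, err := x509.ParseCertificate(caDER)
	check(err)

	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(revokedSerial), Subject: pkix.Name{CommonName: "xyz.com"},
		DNSNames: []string{"xyz.com"}, NotBefore: now.Add(-time.Hour), NotAfter: now.Add(90 * 24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		// The extension the question refers to: where a client that decides to
		// check revocation would go to download the CRL (placeholder URL).
		CRLDistributionPoints: []string{"http://myissuer.com/thelist.crl"},
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, ca, &leafKey.PublicKey, caKey)
	check(err)
	leaf, err := x509.ParseCertificate(leafDER)
	check(err)

	// The CRL is current from thisUpdate until nextUpdate; a client may answer
	// from a cached copy until nextUpdate passes.
	crlTmpl := &x509.RevocationList{
		Number: big.NewInt(7), ThisUpdate: now, NextUpdate: now.Add(24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{
			{SerialNumber: big.NewInt(revokedSerial), RevocationTime: now.Add(-10 * time.Minute)},
		},
	}
	crlDER, err := x509.CreateRevocationList(rand.Reader, crlTmpl, ca, caKey)
	check(err)
	crl, err := x509.ParseRevocationList(crlDER)
	check(err)
	return &demoPKI{ca: ca, leaf: leaf, crl: crl}
}

// needsRefetch is the client-side decision the answer describes: contact the
// CDP only when nothing is cached or the cached CRL's nextUpdate has passed.
// Until then every handshake is answered from cache, which is one reason a
// packet capture shows no request to the issuer.
func needsRefetch(cached *x509.RevocationList, now time.Time) bool {
	return cached == nil || !now.Before(cached.NextUpdate)
}

// isRevoked looks a serial up on the CRL, but only after verifying that the
// CRL really was signed by the issuer: a CRL installed by hand or pulled from
// a cache is only as trustworthy as that signature check.
func isRevoked(crl *x509.RevocationList, issuer *x509.Certificate, serial *big.Int) (bool, error) {
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return false, fmt.Errorf("CRL rejected: %w", err)
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(serial) == 0 {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	now := time.Now()
	pki := buildDemoPKI(now)
	fmt.Println("CDP in leaf:", pki.leaf.CRLDistributionPoints)
	fmt.Println("refetch 1h later:", needsRefetch(pki.crl, now.Add(time.Hour)),
		"| 25h later:", needsRefetch(pki.crl, now.Add(25*time.Hour)))
	revoked, err := isRevoked(pki.crl, pki.ca, pki.leaf.SerialNumber)
	fmt.Println("xyz.com revoked:", revoked, "err:", err)
}
```

Run it with `go run .`; the first needsRefetch call reports false because the cached CRL is still before its nextUpdate, the second reports true once that time has passed. The signature check in isRevoked is the part most often skipped in ad-hoc scripts: a CRL fetched over plain HTTP from the CDP, as in the question, is protected only by the issuer's signature, never by the transport.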