Retrieving Certificate Revocation Lists (CRLs)

Generating a certificate revocation list (CRL) is the method a Certificate Authority (CA) uses to communicate which of the certificates it has issued are no longer valid. A CRL contains a list of certificates (more specifically, a list of serial numbers of certificates) that have been revoked or are otherwise no longer valid, and therefore should not be relied upon. The agent retrieves CRLs from CAs after specific events (such as joining a domain) and at specific intervals to determine which certificates, if any, have been revoked, and thus whether to request new certificates.

The current version of the Server Suite Agent only supports complete certificate lists, not delta CRLs, which only describe the updates since the complete list was published.

Generating a Certificate Revocation List (CRL)

A CRL is generated by a CA and lists, by serial number, the certificates among those the CA has issued that have been revoked.

Typically, a CA automatically generates a CRL at a specified interval, anywhere from two hours to one year, at which point the new CRL with the list of revoked certificates is available for clients to request.

The CRL itself contains the interval period, which allows clients, such as Server Suite Authentication Service, to determine when to request a new CRL. See Retrieving a certificate revocation list and verifying certificates for information about retrieving CRLs.

In addition to automatic generation of a CRL, an administrator can use specific Active Directory utilities that allow them to manually revoke certificates and publish a CRL on the CA. In this case, the CRL-publishing interval is reset so the next automatic publishing operation will occur in the appropriate amount of time.

Retrieving a Certificate Revocation List and Verifying Certificates

At specific times (when the UNIX system joins a domain, the administrator issues the adgpupdate command, or the group policy refresh interval occurs), the Server Suite Agent performs certain tasks, including determining whether to retrieve a CRL (Certificate Revocation List). Specifically, the agent does the following:

  • Identifies the CA that issued certificates for the system.

  • Looks at the refresh interval in the current CRL to determine whether to retrieve a new CRL.

  • If the interval has expired, retrieves a new CRL from the IIS web server that publishes the CA's CRL.

  • Verifies the currently issued certificates against the CRL and requests new certificates for certificates that have been revoked.

    When you manually revoke a certificate, it is possible that the certificate will appear as valid even after running the adgpupdate command to trigger an IPsec update. When you revoke a certificate, the Server Suite Agent first looks at the current CRL to determine the validity of the certificates that have been issued. In this case, the newly revoked certificate still appears as valid. Immediately afterwards, because of the IPsec update, the agent requests a new CRL. The new CRL shows that the certificate in question is invalid, but the agent will not look at the new CRL until the next scheduled update, or until you run the adgpupdate command again. Therefore, to be certain to have current information, if you manually revoke certificates, you can issue the adgpupdate command twice in sequence.
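The decision the agent makes in the steps above (read the interval published in the current CRL, decide whether a fresh CRL is due, then check each issued certificate's serial number against the list) can be shown end to end with Go's standard-library X.509 support. The following is an added example, not code from the Server Suite Agent or its documentation: it builds a throwaway in-memory CA and signs a CRL for it (constructed lab data, no network access), then parses that CRL the way a client would. The CA name, the 24-hour interval, the CRL number and the serial numbers 1001 and 1002 are all made up for the example. It also refuses a CRL carrying the delta CRL indicator extension, matching the note above that only complete CRLs are supported.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// NewLabCA returns a throwaway in-memory issuing CA (constructed for the example, not a real CA).
func NewLabCA(now time.Time) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Lab Issuing CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign, // crlSign is mandatory for a CRL issuer
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	ca, err := x509.ParseCertificate(der)
	return ca, key, err
}

// PublishCRL signs a complete CRL listing the given serials; nextUpdate carries the publishing interval.
func PublishCRL(ca *x509.Certificate, key *ecdsa.PrivateKey, now time.Time, interval time.Duration, serials ...*big.Int) ([]byte, error) {
	tmpl := &x509.RevocationList{Number: big.NewInt(7), ThisUpdate: now, NextUpdate: now.Add(interval)}
	for _, s := range serials {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates, pkix.RevokedCertificate{SerialNumber: s, RevocationTime: now})
	}
	return x509.CreateRevocationList(rand.Reader, tmpl, ca, key)
}

var oidDeltaCRLIndicator = asn1.ObjectIdentifier{2, 5, 29, 27} // id-ce-deltaCRLIndicator

// LoadCRL parses a DER CRL, verifies the issuer's signature and rejects delta CRLs.
func LoadCRL(der []byte, issuer *x509.Certificate) (*x509.RevocationList, error) {
	crl, err := x509.ParseRevocationList(der)
	if err != nil {
		return nil, err
	}
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return nil, fmt.Errorf("CRL not signed by the expected issuer: %w", err)
	}
	for _, ext := range crl.Extensions {
		if ext.Id.Equal(oidDeltaCRLIndicator) {
			return nil, fmt.Errorf("delta CRL received; only complete CRLs are supported")
		}
	}
	return crl, nil
}

// NeedsRefresh reports whether the clock has reached the interval published in the CRL (nextUpdate).
func NeedsRefresh(crl *x509.RevocationList, now time.Time) bool {
	return !now.Before(crl.NextUpdate)
}

// IsRevoked checks an issued certificate's serial number against the CRL's entries.
func IsRevoked(crl *x509.RevocationList, serial *big.Int) bool {
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(serial) == 0 {
			return true
		}
	}
	return false
}

func main() {
	now := time.Date(2024, 1, 1, 12, 0, 0, 0, time.UTC)
	ca, key, err := NewLabCA(now)
	if err != nil {
		panic(err)
	}
	der, err := PublishCRL(ca, key, now, 24*time.Hour, big.NewInt(1001))
	if err != nil {
		panic(err)
	}
	crl, err := LoadCRL(der, ca)
	if err != nil {
		panic(err)
	}
	fmt.Println("nextUpdate:", crl.NextUpdate.UTC(), "refresh due at +25h:", NeedsRefresh(crl, now.Add(25*time.Hour)))
	fmt.Println("serial 1001 revoked:", IsRevoked(crl, big.NewInt(1001)), "serial 1002 revoked:", IsRevoked(crl, big.NewInt(1002)))
}
```

The signature check in LoadCRL is the step that matters for a defender: a CRL fetched over plain HTTP from the CA's web server is only trustworthy because the CA signed it, so a list that does not verify against the expected issuer certificate must be discarded rather than used to decide which certificates are still valid. Note also the sequencing caveat from the text above: a client that evaluates certificates against its cached CRL before fetching the new one will, like the agent, miss a revocation until the next refresh.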