Using the Certificate Revocation List (CRL)

11 April 2023
A Certificate Revocation List (CRL) distributes the revocation status of certificates

What is a Certificate Revocation List (CRL)?

The Certificate Revocation List is a file listing revoked certificates that were issued by a specific root or intermediate certificate. The revocation of an intermediate or issuer certificate is announced in a CRL for the root certificate (the so-called Certificate Authority Certificate Revocation List, CARL); the revocation of an end-user certificate is documented in a CRL for the issuer certificate.

Revoked certificates that have already expired can be removed from the CRL, since standard-compliant software no longer accepts them for a valid signature or verification anyway. If expired certificates are nevertheless retained in the CRL, this is indicated by the CRL extension expiredCertsOnCrl (OID: 2.5.29.60).

Where the CRL can be obtained is recorded in each individual certificate, in the X509v3 extension CRL Distribution Point, typically as an HTTP URL pointing to a .crl file.

The CRL files are re-published by GLOBALTRUST whenever a change has been made (i.e. another certificate has been revoked) or when the validity period of the CRL has expired. This guarantees that the CRL is always up to date.

How are CRLs to be interpreted?

A certificate entered in the CRL loses its validity at the time of entry. The signer may no longer use the certificate. However, invoices or documents signed up to this point remain valid. Some programs display misleading messages here, such as “The signature is invalid because the certificate has been revoked.” Such messages are not RFC 5280 compliant, so correctly working products should be used for sensitive applications.

Which point in time is used?

The time of the certification body is binding. To synchronize the time, GLOBALTRUST also offers the time stamp service GLOBALTRUST QUALIFIED TIMESTAMP, which guarantees that an electronic signature was made at a specific point in time.


CRL Extension for Revocation Reasons

RFC 5280 provides the reasonCode extension, in which the reason for a revocation can be recorded for informational purposes. This is intended to allow software vendors to react differently to revoked certificates depending on severity: for example, the revocation reason cessationOfOperation may let an end user override a mere warning, whereas a keyCompromise inevitably results in a “hard fail”. The mechanism was taken up relatively late and is still being developed, for example by web browser vendors.

Can a revocation be undone?

It is possible to enter a certificate in a CRL from the outset with the reason code “certificateHold”. This has the effect that the entry can later be removed from the CRL again. One usually speaks of suspension rather than revocation in this case. If no decision is made within 10 days of the suspension being entered, the suspension automatically turns into a final revocation.

The suspension is particularly suitable as a precautionary measure if, for example, a key compromise is suspected: a signature creation device thought to be lost may turn up again, and so on.
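As an added example (not GLOBALTRUST's own code or tooling), the following Python script uses the `cryptography` library to build a small test PKI and exercise the points made in the sections above: an end-entity certificate carrying the CRL Distribution Point extension, a CRL with a reasonCode on each entry, a signature made before the revocation date still counting as good, a hard fail for keyCompromise versus a mere warning for cessationOfOperation, a certificateHold entry treated as a suspension, and a locally cached CRL whose nextUpdate has passed being reported as stale instead of being used. All names, serial numbers, times and the distribution-point URL are constructed for the demo.

```python
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

# Constructed, fixed demo times so the checks below are deterministic.
NOW = datetime(2023, 4, 11, 12, 0, tzinfo=timezone.utc)
REVOKED_AT = NOW - timedelta(days=2)
SIGNED_BEFORE = REVOKED_AT - timedelta(days=1)   # signature made before the revocation
SIGNED_AFTER = REVOKED_AT + timedelta(days=1)    # signature made after the revocation
AFTER_NEXT_UPDATE = NOW + timedelta(days=8)      # later than the CRL's nextUpdate
CRL_URL = "http://crl.example.invalid/issuing-ca.crl"  # hypothetical distribution point
# reasonCode values for which a verifier may show a warning instead of a hard fail
SOFT_FAIL_REASONS = {x509.ReasonFlags.cessation_of_operation,
                     x509.ReasonFlags.affiliation_changed, x509.ReasonFlags.superseded}


def _utc(obj, attr):
    # cryptography >= 42 exposes *_utc properties; older versions only have naive UTC.
    value = getattr(obj, attr + "_utc", None)
    return value if value is not None else getattr(obj, attr).replace(tzinfo=timezone.utc)


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def build_demo_pki():
    """Issuing CA, three end-entity certs with a CRL Distribution Point, and a CRL
    with one hard revocation and one suspension. Returns (ca_cert, certs, crl)."""
    ca_key = ec.generate_private_key(ec.SECP256R1())
    ca_cert = (x509.CertificateBuilder()
               .subject_name(_name("Demo Issuing CA")).issuer_name(_name("Demo Issuing CA"))
               .public_key(ca_key.public_key()).serial_number(1)
               .not_valid_before(NOW - timedelta(days=30))
               .not_valid_after(NOW + timedelta(days=365))
               .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
               .sign(ca_key, hashes.SHA256()))
    cdp = x509.CRLDistributionPoints([x509.DistributionPoint(
        full_name=[x509.UniformResourceIdentifier(CRL_URL)],
        relative_name=None, reasons=None, crl_issuer=None)])
    certs = {}
    for serial, cn in ((1001, "alice"), (1002, "bob"), (1003, "carol")):
        certs[cn] = (x509.CertificateBuilder()
                     .subject_name(_name(cn)).issuer_name(ca_cert.subject).serial_number(serial)
                     .public_key(ec.generate_private_key(ec.SECP256R1()).public_key())
                     .not_valid_before(NOW - timedelta(days=10))
                     .not_valid_after(NOW + timedelta(days=90))
                     .add_extension(cdp, critical=False)
                     .sign(ca_key, hashes.SHA256()))
    # alice: keyCompromise (hard fail); bob: certificateHold (suspension); carol: not listed
    builder = (x509.CertificateRevocationListBuilder().issuer_name(ca_cert.subject)
               .last_update(NOW).next_update(NOW + timedelta(days=7)))
    for serial, reason in ((1001, x509.ReasonFlags.key_compromise),
                           (1002, x509.ReasonFlags.certificate_hold)):
        builder = builder.add_revoked_certificate(
            x509.RevokedCertificateBuilder().serial_number(serial).revocation_date(REVOKED_AT)
            .add_extension(x509.CRLReason(reason), critical=False).build())
    return ca_cert, certs, builder.sign(ca_key, hashes.SHA256())


def crl_distribution_urls(cert):
    """Read the CRL Distribution Point URIs out of a certificate."""
    ext = cert.extensions.get_extension_for_class(x509.CRLDistributionPoints).value
    return [n.value for dp in ext for n in (dp.full_name or [])
            if isinstance(n, x509.UniformResourceIdentifier)]


def evaluate_signature(crl, ca_cert, cert, signed_at, now=NOW):
    """Verdict for a signature made with `cert` at `signed_at`, judged against a
    locally cached `crl` when the wall clock reads `now`."""
    if crl.issuer != ca_cert.subject or not crl.is_signature_valid(ca_cert.public_key()):
        return "crl-untrusted"
    if _utc(crl, "next_update") < now:
        return "crl-stale"                      # fetch a fresh CRL before deciding anything
    entry = crl.get_revoked_certificate_by_serial_number(cert.serial_number)
    if entry is None:
        return "good"
    if signed_at < _utc(entry, "revocation_date"):
        return "good-signed-before-revocation"  # RFC 5280: earlier signatures stay valid
    try:
        reason = entry.extensions.get_extension_for_class(x509.CRLReason).value.reason
    except x509.ExtensionNotFound:
        reason = x509.ReasonFlags.unspecified
    if reason is x509.ReasonFlags.certificate_hold:
        return "suspended"                      # entry may be removed from the CRL again
    return "warn" if reason in SOFT_FAIL_REASONS else "hard-fail"


if __name__ == "__main__":
    ca, certs, crl = build_demo_pki()
    print("CDP:", crl_distribution_urls(certs["alice"]))
    for cn in certs:
        print(cn, evaluate_signature(crl, ca, certs[cn], SIGNED_AFTER))
```

Running the script prints the distribution-point URL from alice's certificate and then the verdicts `hard-fail` for alice, `suspended` for bob and `good` for carol. The deliberate design choice is that a stale CRL short-circuits the decision before any entry is consulted, which is exactly the situation the cache discussion in the following section warns about: a verifier that consults an out-of-date local CRL will report a freshly revoked certificate as good.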

What must the user of the CRL pay attention to?

Basically, the CRL is requested automatically by the certificate store management and kept locally by the user. Usually, updated CRL files are only requested and installed once the validity date specified in the CRL has expired. This can mean that a user mistakenly interprets a signed document as correctly signed even though it was signed with a certificate that has already been revoked but whose revocation is not yet contained in the user's local CRL.

To prevent this situation, some certificate store implementations update the CRL on every signature verification, while others require the CRL to be updated manually. Others expect you to delete the locally stored CRL, after which they automatically retrieve the new one. Which variant your certificate store or application (your program) uses must be taken from its documentation and cannot be supported by GLOBALTRUST (if in doubt, contact the manufacturer directly). In all cases, however, an Internet connection is required.

Because of its wide distribution, GLOBALTRUST has compiled the CRL information from Microsoft Support for Microsoft Windows (see below). No guarantee can be given for the correctness and validity of your computer installation.

Certificate Revocation List (CRL) on Microsoft Windows

In principle, Microsoft operating systems only download a new CRL if the validity period entered in the existing CRL has expired or if no CRL is present at all.

Under Microsoft, CRLs are stored in 3 different locations:

  • in the main memory of the computer,
  • in the Microsoft certificate store and
  • in “Temporary Internet Files”

In order to remove CRLs from the “temporary Internet files”, they must be completely deleted using Microsoft Internet Explorer.

In order to remove existing CRLs and force an update of the CRL, Microsoft offers extensive information on CRL management in an article (http://www.microsoft.com/technet/prodtechnol/winxppro/support/tshtcrl.mspx#EDAA). This article also contains a VisualBasic Script to remove outdated CRLs. Further questions on the administration of CRLs should be directed to Microsoft support.

In order to remove CRLs from main memory, a restart of the application that uses the CRL or a restart of the operating system is required.

CRLs can be removed from the Microsoft certificate store with the Microsoft Management Console mmc.exe using the Certificates snap-in:

Start → Run → mmc → Console → Add/Remove Snap-In → Add → Certificates → Add → My User Account → Finish → Close → OK

CRLs that are entered in the certificate list can then be deleted. We recommend saving the console settings.
