Applications Cert on the CRL List

Posted on 2012-08-24
Last Modified: 2012-09-04
We are planning to assign an application signing cert to our home grown apps.  Our home grown apps are not web or java based.  The apps run standalone.

Will an app continue to run if its cert goes on the CRL?

Would the app provide the standard cert warning, but then allow the user to accept the cert's warning and continue to use the app?
Question by:epmmis
    LVL 77

    Assisted Solution

    by:David Johnson, CD, MVP
    Depends on the app and its environment.

    Would the app provide the standard cert warning, but then allow the user to accept the cert's warning and continue to use the app?

    It probably would not even know if the certificate has been revoked. It would probably object when you try and install it.. Experiment, is all that I can think of.
    LVL 29

    Assisted Solution

    by:Rich Weissler
    As ve3ofa says, it's up to the application, and some applications allow you to turn CRL checks off as well.
    LVL 60

    Accepted Solution

    To add, anti-malware or a host firewall may (depending on config) use trusted-publisher-signed application behaviour to prevent it from running. I still see a signed package with a revoked publisher cert treated the same as one with no time-stamp/expired or an unsigned app, meaning it can run but with many warnings, as mentioned. It really depends, as the experts shared.

    I did see the extract below from MS (if of interest):

    Typically, Windows does not itself check the digital signature when running a locally-installed version of your program; it only checks the signature when the program bears a Mark-of-the-Web indicating that it was downloaded from the Internet or extracted from an archive downloaded from the Internet. However, executables written in .NET can be an exception to this. The .NET Framework has the ability to assign security permissions to code based on its signature, called “publisher evidence.” Doing so necessitates that the signature be verified, and verifying the signature may require an expensive network request to check the certificate for revocation. If you are not using the “publisher evidence” feature of .NET, you can modify your application’s manifest to indicate that .NET should not check the signature.
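    As an added example (not code from this thread or from Microsoft), here is a PowerShell script a defender can run against a standalone binary to answer the question directly: it reads the Authenticode signer certificate and builds its chain with online CRL/OCSP revocation checking, so a publisher certificate that has landed on the CRL is reported as Revoked even if the application itself never checks. The script name and the -Path parameter are assumptions.

```powershell
# Check-SignerRevocation.ps1 (hypothetical name, added example)
# Usage: .\Check-SignerRevocation.ps1 -Path C:\Apps\MyApp.exe
param(
    [Parameter(Mandatory = $true)]
    [string]$Path   # assumed parameter: any signed .exe or .dll
)

$sig = Get-AuthenticodeSignature -FilePath $Path
if ($sig.Status -eq 'NotSigned' -or $null -eq $sig.SignerCertificate) {
    Write-Output "$Path is not signed (Status: $($sig.Status))"
    return
}

# Get-AuthenticodeSignature alone does not say whether the publisher
# certificate has been revoked, so build the chain with revocation
# checking turned on for every certificate in it.
$ns = 'System.Security.Cryptography.X509Certificates'
$chain = New-Object "$ns.X509Chain"
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain

$chainOk = $chain.Build($sig.SignerCertificate)

# ChainStatus is a list of flag values; pick out the two we care about.
$flags = [System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]
$revoked = @($chain.ChainStatus | Where-Object {
    ($_.Status -band $flags::Revoked) -ne 0 }).Count -gt 0
$unknown = @($chain.ChainStatus | Where-Object {
    ($_.Status -band $flags::RevocationStatusUnknown) -ne 0 }).Count -gt 0

[pscustomobject]@{
    File              = $Path
    SignatureStatus   = $sig.Status                      # Valid, HashMismatch, NotTrusted, ...
    Signer            = $sig.SignerCertificate.Subject
    Timestamped       = $null -ne $sig.TimeStamperCertificate
    ChainValid        = $chainOk
    Revoked           = $revoked
    RevocationUnknown = $unknown                         # CRL/OCSP unreachable: treat as a warning, not a pass
    ChainStatus       = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
}
```

Run it from a host that can reach the CA's CRL distribution point; RevocationUnknown means the check could not be completed, which is the same blind spot the application itself would have offline.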

    Author Closing Comment

    The reference to the blog was spot on.  
    The other two answers added some clarity.
    Thanks all.
