
Applications Cert on the CRL List

We are planning to assign an application signing cert to our home grown apps.  Our home grown apps are not web or java based.  The apps run standalone.

Will an app continue to run if its cert goes on the CRL?

Would the app provide the standard cert warning, but then allow the user to accept the cert's warning and continue to use the app?
3 Solutions
David Johnson, CD, MVP, Owner, Commented:
Depends on the app and its environment.

Would the app provide the standard cert warning, but then allow the user to accept the cert's warning and continue to use the app?

It probably would not even know if the certificate has been revoked. It would probably object when you try to install it. Experiment, is all that I can think of.
Rich Weissler, Professional Troublemaker^h^h^h^h^hshooter, Commented:
As ve3ofa says, it's up to the application, and some applications allow you to turn CRL checks off as well.
btan, Exec Consultant, Commented:
To add, anti-malware or a host firewall may (depending on config) use trusted-publisher signed application behaviour to prevent it from running. I still see a signed package with its publisher cert revoked as the same as one with no time-stamp, expired, or an unsigned application, meaning it can run but with many warnings, as mentioned. It really depends, like the experts shared.

I did see the below from MS (if of interest), extract:


Typically, Windows does not itself check the digital signature when running a locally-installed version of your program; it only checks the signature when the program bears a Mark-of-the-Web indicating that it was downloaded from the Internet or extracted from an archive downloaded from the Internet. However, executables written in .NET can be an exception to this. The .NET Framework has the ability to assign security permissions to code based on its signature, called “publisher evidence.” Doing so necessitates that the signature be verified, and verifying the signature may require an expensive network request to check the certificate for revocation. If you are not using the “publisher evidence” feature of .NET, you can modify your application’s manifest to indicate that .NET should not check the signature.
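
To see how a particular signed build is treated, the three things the quoted extract turns on can be inspected directly. The following is an added example, not code from this thread or from Microsoft: a PowerShell function (the name `Test-SignedAppRevocation` is hypothetical) that reports whether the file carries a Mark-of-the-Web, what Authenticode status PowerShell returns, and what happens when the signer's chain is built with online revocation checking.

```powershell
function Test-SignedAppRevocation {
    param([Parameter(Mandatory)][string]$Path)

    # Mark-of-the-Web lives in the Zone.Identifier alternate data stream (NTFS only).
    $motw = Get-Item -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue

    # Authenticode verdict as PowerShell reports it (Valid, NotSigned, HashMismatch, ...).
    $sig = Get-AuthenticodeSignature -FilePath $Path

    $chainOk = $null
    $chainStatus = @()
    if ($sig.SignerCertificate) {
        # Build the signer's chain and ask for a live CRL/OCSP lookup.
        # This is the network request the extract describes as expensive.
        # The chain is evaluated at the current time, so for a timestamped
        # signature it can differ from the Authenticode verdict above.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode =
            [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
        $chain.ChainPolicy.RevocationFlag =
            [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::ExcludeRoot
        $chainOk = $chain.Build($sig.SignerCertificate)
        $chainStatus = @($chain.ChainStatus | ForEach-Object { $_.Status })
    }

    [pscustomobject]@{
        Path            = $Path
        HasMarkOfTheWeb = [bool]$motw
        SignatureStatus = $sig.Status
        Signer          = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        Timestamped     = [bool]$sig.TimeStamperCertificate
        ChainBuilds     = $chainOk
        ChainStatus     = $chainStatus -join ', '
    }
}

# Sample input chosen for this example: the running PowerShell host binary,
# which exists on any Windows machine. Substitute the path of your own signed app.
Test-SignedAppRevocation -Path (Get-Process -Id $PID).Path
```

A `Revoked` entry in `ChainStatus` means the signer appears on the CRL or is reported revoked by OCSP; `RevocationStatusUnknown` or `OfflineRevocation` means the lookup could not be completed, which is what a machine without network access will show.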
epmmis, Author, Commented:
The reference to the blog was spot on.  
The other two answers added some clarity.
Thanks all.
Question has a verified solution.