Williams225 asked:

Windows Server: Revoked user certificate still works. How can I disable it completely?

Hello Expert,

I am having an issue. I am using Windows Server 2012 R2, and some of our user certs got compromised.

So in my certification manager (certificate authority server), I right-clicked the compromised cert and selected "Revoke". Now the certs are revoked, but they still work.

Do you know if I missed a step? Please help.

David Favor:

Remove it + restart server.

Where is your certificate revocation list set to be? Where is your AIA set to be? Can all computers access this location? Use a public location, i.e. http:\\\pki\crl and \pki\aia on a publicly facing web server.
Williams225:

@davidjohnson I found the physical path of the certificate revocation list. Not sure where the AIA is?
What do I do once I find both locations?

http:\\\pki\crl and \pki\aia didn't work for me.

What will I need to do to completely deactivate the revoked cert?

These locations (CRL/AIA) are stored in the certificate. Setting up a CA rarely works well if you just keep clicking Next, Next, Next, Done.

Please read this whitepaper.

I did not say that what I have configured for CRL/OCSP/AIA would work for you. When you set up a Certificate Authority, YOU have many decisions to make.
Here are the settings from the certificate: [image]

You may have mistyped, as you should not have backslashes in HTTP references. The other issue: not everything checks for revocation.

Where and how is this certificate being used? You could lock out the user, or is the certificate the only thing that is needed to affirm the user?
When you say a user's certificate has been compromised, does it mean the user shared their certificate with someone else?
I just saw the following error when I checked all my revoked certs. How can I fix it? That might be the issue:

Revocation Status : The revocation function was unable to check revocation because the revocation server was offline.
[image]

Look at the various outlined options to access the CRL, and confirm whether you can access it in that mode.

If the referenced server name for the HTTP/HTTPS was retired, you would need to update DNS to point to another web server where you set up the path, and export and load the CRL from the ......
Easy way... Remove it + restart server.

Also, revoking certs has no effect... until you bounce (stop + restart) all services using the cert.

I recently worked a project problem, where certs were correctly revoked + services were never restarted... so old cert persisted...

For me, I always remove all traces of certs + bounce services as the entire... revocation process seems... like useless effort...

If a cert shouldn't be used, best to nuke + be done with it... at least this has always worked for me, so I've never revoked any cert.
@david Favor, I also deactivated the certs from my "Personal Store"; they are already revoked. I also published the new CRL and rebooted the server.
Nothing changed; users are still able to use their revoked cert.

@arnold The certificate is an internal certificate used to access an application. The cert is the only thing needed to access the application.

Check whether you added the certificate on the IIS-side security, where the certificate is set to represent the connection as coming from a user.

Much depends on how the certificate requirement is configured.

So where does the CRL point to? In a default installation it points to the CA server's Windows directory (that is not shared).
The certificate has the CRL path.
@david Johnson, the CRL points to the default installation location (the CA server's Windows directory, which is not shared).
@david Johnson, thank you so much for these links.

I have a question. The app server where users use certificates to authenticate is a Linux server. If I find a way to import the CRL to this app server, can it solve this problem?

If yes, do you know in which location I should upload this CRL?
I do not think Apache HTTPd, by default, checks to validate the client certificate if presented.
You may have to enable the various checks on the web server.

Not sure whether you can add the CRL.pem file to invalidate the user's ...

Do you have a certificate as the sole validation, no user/password?

My only suggestion is to tear down and rebuild from scratch, fix your ADCS, and do it right the next time. If you have root and issuing CAs, you could use another issuing CA set up properly.
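The thread makes two points that are easy to conflate: the CRL has to be published at a URL every relying party can reach (the CDP baked into the certificate, not a path under the CA's Windows directory), and the relying party has to be configured to check it at all, because "not everything checks for revocation". The script below is an added example, not code from the thread or from any of the posters, that shows both with OpenSSL. It builds a throw-away CA, issues a client-authentication certificate carrying a CRL Distribution Point, revokes it and publishes a CRL (what "Revoke" and "Publish CRL" do in the ADCS console), then verifies the certificate twice: once as a verifier that ignores revocation would, and once with CRL checking on. The CA name, the user name, the file names and the CDP URL http://pki.example.test/crl/lab-ca.crl are made-up placeholders; nothing is fetched over the network, and the CRL is handed to the verifier as a local file, which is also how Apache consumes it. It assumes openssl 1.1.1 or later on PATH.

```shell
#!/bin/sh
# Added example (not from the thread): a revoked certificate is only rejected by a
# verifier that actually consults the CRL. Builds a throw-away OpenSSL CA, issues a
# client cert with a CRL Distribution Point, revokes it, publishes a CRL and verifies
# the cert both ways. Requires openssl 1.1.1+. All names are placeholders and the
# CDP URL is never contacted.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CDP_URL="http://pki.example.test/crl/lab-ca.crl"   # placeholder CDP; real clients would fetch from here

# Minimal CA configuration. The crlDistributionPoints line in user_ext is copied into
# every issued certificate, so it must be a URL every relying party can reach.
cat > "$WORK/ca.cnf" <<EOF
[ ca ]
default_ca       = lab_ca
[ lab_ca ]
dir              = $WORK
database         = \$dir/index.txt
new_certs_dir    = \$dir
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
certificate      = \$dir/ca.pem
private_key      = \$dir/ca.key
default_md       = sha256
default_days     = 365
default_crl_days = 7
policy           = lab_policy
[ lab_policy ]
commonName       = supplied
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage         = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ user_ext ]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth
authorityKeyIdentifier = keyid
crlDistributionPoints = URI:$CDP_URL
[ req ]
prompt           = no
distinguished_name = dn
[ dn ]
CN               = placeholder
EOF
touch "$WORK/index.txt"
echo 1000 > "$WORK/serial"
echo 1000 > "$WORK/crlnumber"

# 1. The issuing CA (placeholder name)
openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config "$WORK/ca.cnf" \
  -extensions ca_ext -subj "/CN=Lab Issuing CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1

# 2. A user certificate for client authentication
openssl req -new -newkey rsa:2048 -nodes -config "$WORK/ca.cnf" \
  -subj "/CN=compromised.user" -keyout "$WORK/user.key" -out "$WORK/user.csr" >/dev/null 2>&1
openssl ca -batch -notext -config "$WORK/ca.cnf" -extensions user_ext \
  -in "$WORK/user.csr" -out "$WORK/user.pem" >/dev/null 2>&1

# 3. Revoke it and publish a CRL: the two steps "Revoke" and "Publish CRL" in ADCS
openssl ca -batch -config "$WORK/ca.cnf" -revoke "$WORK/user.pem" >/dev/null 2>&1
openssl ca -batch -config "$WORK/ca.cnf" -gencrl -out "$WORK/lab-ca.crl" >/dev/null 2>&1

# The CRL Distribution Point the certificate tells relying parties to fetch from
cdp_of() {
  openssl x509 -in "$1" -noout -text | grep -o 'URI:[^ ]*' | head -n 1
}

# A verifier that ignores revocation: the chain builds, so the revoked cert passes
verify_without_crl() {
  if openssl verify -CAfile "$WORK/ca.pem" "$1" >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}

# A verifier given the published CRL and told to check it: the cert is rejected.
# openssl never downloads the CDP on its own; the CRL must be supplied locally.
verify_with_crl() {
  if openssl verify -crl_check -CAfile "$WORK/ca.pem" -CRLfile "$WORK/lab-ca.crl" "$1" >/dev/null 2>&1
  then echo OK; else echo FAIL; fi
}

echo "CDP in user cert : $(cdp_of "$WORK/user.pem")"
echo "no CRL check     : $(verify_without_crl "$WORK/user.pem")"   # OK   (the symptom in the question)
echo "with CRL check   : $(verify_with_crl "$WORK/user.pem")"      # FAIL (certificate revoked)
```

Run it with sh: it prints the CDP embedded in the certificate, OK for the check that ignores revocation, and FAIL once the CRL is consulted. On the Linux application server the equivalent of the -crl_check switch is mod_ssl's SSLCARevocationFile, pointing at a PEM copy of the published CRL, together with SSLCARevocationCheck chain (or leaf); with the default SSLCARevocationCheck none, Apache validates the client certificate against the CA and never looks at a CRL, so a revoked certificate keeps working exactly as described in the question. The copy on the server also has to be refreshed before the CRL's Next Update time, because an expired CRL makes the verifier reject every client certificate rather than only the revoked one.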
arnold posted the accepted solution; it is available only to Experts Exchange members.