Williams225
 asked on

Windows Server: Revoked user certificate still works. How can I disable it completely?

Hello Expert,


I am having an issue. I use Windows Server 2012 R2, and some of our user certs got compromised.


So on my certification manager (certificate authority server), I right-clicked the compromised cert and selected "Revoke". Now the certs are revoked, but they still work.


Do you know if I missed a step? Please help.

Tags: Windows OS, Windows Server 2012, Certificate Services, Active Directory, Active Directory Certificate Services

Last Comment
arnold

8/22/2022 - Mon
David Favor

Remove it + restart server.
David Johnson, CD

Where is your certificate revocation list set to be? Where is your AIA set to be? Can all computers access this location? Use a public location, i.e. http:\\domain.name\pki\crl and http://domain.name\pki\aia on a publicly facing web server.
Williams225

ASKER
@davidjohnson I found the physical path of the certificate revocation list. Not sure where the AIA is?
What do I do once I find both locations?

http:\\domain.name\pki\crl and http://domain.name\pki\aia didn't work for me.

What will I need to do to completely deactivate the revoked cert?
David Johnson, CD

These locations (CRL/AIA) are stored in the certificate. Setting up a CA rarely works well if you just keep clicking Next, Next, Next, Done.

Please read this whitepaper https://docs.microsoft.com/en-us/previous-versions/tn-archive/cc700843(v=technet.10)?redirectedfrom=MSDN

I did not say that what I have configured for CRL/OCSP/AIA would work for you. When you set up a Certificate Authority YOU have many decisions to make.
Here are the settings from the certificate for docs.microsoft.com (screenshot: 2021-10-19_18-07-10.png).
arnold

You may have mistyped, as you should not have backslashes in http references. The other issue: not everything checks for revocation.


Where and how is this certificate being used? You could lock out the user, or is the certificate the only thing that is needed to affirm the user?
When you say a user's certificate has been compromised, does it mean the user shared their certificate with someone else?
Williams225

ASKER
I just saw the following error when I checked all my revoked certs. How can I fix it? That might be the issue:

Revocation Status: The revocation function was unable to check revocation because the revocation server was offline.



arnold

Look at the various outlined options to access the CRL, and confirm whether you can access it in that mode.

If the referenced server name for the http/HTTPS was retired, you would need to update DNS to point to another web server where you setup the path and export and load the CRL from the ......
David Favor

Easy way... Remove it + restart server.

Also, revoking certs has no effect... until you bounce (stop + restart) all services using the cert.

I recently worked a project problem where certs were correctly revoked + services were never restarted... so the old cert persisted...

For me, I always remove all traces of certs + bounce services as the entire... revocation process seems... like useless effort...

If a cert shouldn't be used, best to nuke + be done with it... at least this has always worked for me, so I've never revoked any cert.
Williams225

ASKER
@david Favor, I also deactivated the certs from my "Personal Store"; they are already revoked. I also published the new CRL and rebooted the server.
Nothing changed; users are still able to use their revoked cert.

@arnold, the certificate is an internal certificate used to access an application. The cert is the only thing needed to access the application.

arnold

Check whether you added the certificate on the IIS side security where the certificate is set to represent the connection as coming from a user.

much depends on how the certificate requirement is configured.
...
David Johnson, CD

So where does the CRL point to? In a default installation it points to the CA server's Windows directory (which is not shared).
The certificate has the CRL path.
Williams225

ASKER
@david Johnson the CRL points to a default installation (the CA server's Windows directory, which is not shared).
 
David Johnson, CD

Williams225

ASKER
@david Johnson thank you so much for these links.

I have a question. The app server where users use certificates to authenticate is a Linux server. If I find a way to import the CRL to this app server, can it solve this problem?

If yes, do you know in which location I should upload this CRL?
arnold

I do not think Apache httpd by default checks to validate the client certificate if presented.
You may have to enable the various checks on the web server.

Not sure whether you can add the CRL .pem file to invalidate the user's ...

Do you have a certificate as the sole validation, no user/password?

https://httpd.apache.org/docs/current/mod/mod_ssl.html
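The thread keeps circling the same point: the CA revoked the certificate and republished the CRL, but the relying party (here an Apache server on Linux) either never checks revocation or cannot reach the CRL, so the "revocation server was offline" error and the still-working certificate are two faces of one misconfiguration. The script below is an added example, not code from the thread or from any of the posters. It builds a throwaway CA with openssl, issues a client certificate to a made-up user "jdoe" with a hypothetical CRL distribution point (http://pki.example.internal/pki/demo.crl), revokes it, generates the CRL, and then runs the same verification three ways: with no revocation checking, with checking enabled but no CRL reachable, and with the CRL loaded. Every name, path and URL in it is an assumption for the demo.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): throwaway CA, issued + revoked client
# cert, and the verdict a relying party reaches under three revocation
# policies. All names, paths and URLs are demo assumptions.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

setup_ca() {
  # Minimal "openssl ca" database: index, serial, CRL number, output dir.
  mkdir -p ca/newcerts
  : > ca/index.txt
  echo 1000 > ca/serial
  echo 1000 > ca/crlnumber
  cat > ca/openssl.cnf <<'EOF'
[ ca ]
default_ca         = demo_ca
[ demo_ca ]
dir                = ./ca
database           = $dir/index.txt
new_certs_dir      = $dir/newcerts
serial             = $dir/serial
crlnumber          = $dir/crlnumber
certificate        = $dir/ca.crt
private_key        = $dir/ca.key
default_md         = sha256
default_days       = 365
default_crl_days   = 7
policy             = demo_policy
[ demo_policy ]
commonName         = supplied
[ req ]
distinguished_name = dn
[ dn ]
commonName         = Common Name
[ v3_ca ]
basicConstraints   = critical, CA:TRUE
keyUsage           = critical, keyCertSign, cRLSign
[ client_cert ]
basicConstraints   = CA:FALSE
keyUsage           = digitalSignature
extendedKeyUsage   = clientAuth
crlDistributionPoints = URI:http://pki.example.internal/pki/demo.crl
EOF
  # Self-signed issuing CA (demo only; a real one would chain to a root).
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config ca/openssl.cnf \
    -extensions v3_ca -subj "/CN=Demo Issuing CA" \
    -keyout ca/ca.key -out ca/ca.crt >/dev/null 2>&1
}

issue_client_cert() {
  openssl req -new -newkey rsa:2048 -nodes -config ca/openssl.cnf \
    -subj "/CN=jdoe" -keyout user.key -out user.csr >/dev/null 2>&1
  openssl ca -batch -notext -config ca/openssl.cnf -extensions client_cert \
    -in user.csr -out user.crt >/dev/null 2>&1
}

revoke_and_publish_crl() {
  # Revoking only updates the CA database; the CRL must be regenerated and
  # then copied to the CDP location the certificates point at.
  openssl ca -config ca/openssl.cnf -revoke user.crt >/dev/null 2>&1
  openssl ca -config ca/openssl.cnf -gencrl -out ca/ca.crl >/dev/null 2>&1
}

# Print the CRL distribution point carried inside a certificate.
cdp_of() { openssl x509 -in "$1" -noout -ext crlDistributionPoints; }

# Verdict for user.crt under one of three relying-party policies:
#   ignore      - chain validation only (default for "openssl verify" and
#                 for many client-cert deployments)
#   crl-missing - revocation checking on, but the CRL cannot be fetched
#   crl-loaded  - revocation checking on and the CRL is available
verdict() {
  local out
  case "$1" in
    ignore)      out=$(openssl verify -CAfile ca/ca.crt user.crt 2>&1) || true ;;
    crl-missing) out=$(openssl verify -crl_check -CAfile ca/ca.crt user.crt 2>&1) || true ;;
    crl-loaded)  out=$(openssl verify -crl_check -CAfile ca/ca.crt \
                       -CRLfile ca/ca.crl user.crt 2>&1) || true ;;
    *) echo "unknown policy: $1" >&2; return 2 ;;
  esac
  case "$out" in
    *"certificate revoked"*)           echo "rejected: certificate revoked" ;;
    *"unable to get certificate CRL"*) echo "rejected: CRL not available" ;;
    *": OK"*)                          echo "accepted" ;;
    *)                                 echo "rejected: $out" ;;
  esac
}

setup_ca
issue_client_cert
revoke_and_publish_crl
echo "CDP in issued cert:"; cdp_of user.crt
for policy in ignore crl-missing crl-loaded; do
  printf '%-12s -> %s\n' "$policy" "$(verdict "$policy")"
done
```

The "ignore" row is what a server behaves like when it was only given the CA certificate to trust, and the "crl-missing" row is the Linux-side equivalent of the "revocation server was offline" message from the CA console: the CDP URL in the certificate (print it with `cdp_of`) has to be reachable from the machine doing the check, not just from the CA. For Apache httpd 2.4 the difference between the first and last rows is leaving SSLCARevocationFile unset versus pointing it at the CRL file and setting SSLCARevocationCheck chain (with SSLVerifyClient require and SSLCACertificateFile already in place), then reloading httpd whenever a new CRL is published; once the loaded CRL passes its nextUpdate, mod_ssl rejects every client, so the copy has to be refreshed before it expires. On the Windows side, certutil -verify -urlfetch user.cer performs the same check against the CDP/AIA URLs in the certificate and shows the offline error when they cannot be fetched, and certutil -CRL publishes a fresh CRL from the CA.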
David Johnson, CD

My only suggestion is to tear down and rebuild from scratch, fix your ADCS, and do it right the next time. If you have root and issuing CAs, you could use another issuing CA set up properly.
ASKER CERTIFIED SOLUTION
arnold
