Revocation
Field Report – Stop REACTING to Expired CRLs
In this article, I continue to dig into how we are changing the world of PKI administration with PKI Spotlight. One of the most common issues organizations face around the world is due to expired Certificate Revocation Lists (CRLs). If you’re not already familiar, Certificate Authorities (CA) are not involved in the moment-to-moment verification of…
Read MoreCrafting a dummy certificate with specific serial number in Microsoft ADCS
Today I went through a thread on Twitter with claims that there is no supported way to revoke a rogue certificate with known serial number in Microsoft CA. TL;DR skip to next section The long story short: the thread originally was focused on an OCSP deterministic response support. The idea behind this is that by…
Read MoreOCSP Magic Number
The magic number is a value that states when CRLs will be processed over OCSP, specifically it is when the total number of cached OCSP responses from a single OCSP responder URL on behalf of a single certificate authority will stop performing OCSP and start processing CRLs. This will occur if the number of cached…
Read MoreIgnore Revocation Checking – The bane of my existence!
As students in my PKI training classes know, one of the areas I am a vocal about is the blind use of the CRLF_REVCHECK_IGNORE_OFFLINE setting in a PKI environment. I am so adamantly against the use of this setting, I personally refuse to ever explicitly share or type the syntax to enable this nasty beast.…
Read MoreWhat Your Browser Doesn’t Tell You Can Hurt You – Revocation and Internet Explorer
One of the topics I have been using as an example of revocation checking behavior in my PKI In-Depth class is the interesting case of Internet Explorer (IE) and its revocation behavior. Let’s take a moment and have you think about your assumption of how IE is behaving when you go to a HTTPS (SSL/TLS)…
Read More