February 17, 2004 12:00 AM

Understanding Windows PKI Certificate Revocation

Automated revocation checking
Windows IT Pro
InstantDoc ID #41572

One of the most important aspects of a public key infrastructure (PKI) design is certificate revocation or, more specifically, automated revocation checking. Certificate revocation ensures that when a PKI user's private key is compromised, the PKI system adds the certificate's serial number to a blacklist, called the certificate revocation list (CRL). Certificate revocation also guarantees that the PKI system efficiently distributes the revocation information to all PKI clients and PKI-enabled applications. If your PKI systems need to handle confidential or valuable information or transactions, you'll need to understand the process of revoking a certificate, the revocation-checking support in Windows PKI-enabled applications, and automated revocation-checking solutions. Let's begin by taking a closer look at CRLs.

Certificate Revocation Lists
The International Telecommunication Union Telecommunication Standardization Sector (ITU-T) X.509 standard and Internet Engineering Task Force (IETF) Request for Comments (RFC) 2459 define a CRL as a timestamped list of revoked certificates that the Certification Authority (CA) signs and makes available to PKI users in a public repository. A CRL identifies each revoked certificate by its certificate serial number. The X.509 standard defines two primary types of CRLs: complete CRLs and delta CRLs.

Complete CRLs. In their most basic form, CRLs are known as complete CRLs (aka base CRLs or full CRLs). Complete CRLs tend to be huge because the revocation information accumulates over time. Although Windows CRLs support versioning, each new CRL version automatically inherits all revocation information from the preceding version. So, a CRL will grow in size until certificates start expiring. Also, with each new CRL version, the client must download the complete CRL, which isn't an efficient use of network bandwidth. As a result, many administrators configure longer CRL lifetimes to reduce the number of CRL versions. But long CRL lifetimes reduce the revocation information's timeliness because new revocation information isn't immediately available.

In Windows Server 2003, you can use delta CRLs, which I explain below, to get around the complete CRL deficiencies. To limit the size of complete CRLs in a Windows 2000 PKI environment, you can do one of three things:

  • Define multiple CAs—If you define multiple CAs and each CA maintains its own CRL, the size of individual CRLs will be much smaller than the size of one CRL that one CA generates.
  • Generate certificates with a short lifetime—Win2K CRLs are self-cleaning, which means that the CA automatically removes expired certificates from the CRL.
  • Generate a new CA key pair—Every time the CA renews the key pair, it generates a new CRL. The CA will use the newly generated private key to sign the new CRL.

Both Windows 2003 and Win2K publish CRLs at regular intervals. With both OSs, a CA administrator can also force the publication of a new CRL. To configure complete CRL publication intervals, open the Microsoft Management Console (MMC) Certification Authority snap-in, right-click the Revoked Certificates container, and select Properties from the menu to display the Revoked Certificates container's Properties dialog box, which Figure 1 shows. You can force the publication of the CRL by right-clicking the Revoked Certificates container in the Certification Authority snap-in and selecting the All Tasks\Publish menu option. This action opens the Publish CRL dialog box, which will ask you to specify which type of CRL you want to manually publish: a new CRL (i.e., a complete CRL) or a delta CRL.

To view a CRL's contents and format, select the View CRLs tab in the Revoked Certificates container's Properties dialog box. When you click View CRL or View Delta CRL from the View CRLs tab, you'll see the built-in CRL viewer, which Figure 2 shows. The General tab shows the layout of a complete CRL that a Windows 2003 or Win2K CA issued. Notice the presence of some typical CRL extensions, including Effective date, Next update, CA Version, CRL Number, Next CRL Publish, Freshest CRL, and Published CRL Locations. Click the Revocation List tab in the same dialog box to view a list of the revoked certificates on a CRL.
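The following is an added example, not code from the article or from Microsoft, that models the CRL structure described above: a CA issues a complete CRL carrying Effective date (thisUpdate), Next update and the CRL Number extension, and a relying party checks a certificate against it by verifying the CA signature and the CRL's currency before looking up the serial number. It uses the third-party Python `cryptography` package; the CA name, reference time and serial numbers are constructed for the example.

```python
import datetime as dt
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec

# Constructed reference time; naive datetimes are treated as UTC.
NOW = dt.datetime(2024, 1, 1)

def make_ca():
    """Constructed test CA (the name is hypothetical); returns (key, cert)."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Issuing CA")])
    cert = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
            .public_key(key.public_key()).serial_number(1)
            .not_valid_before(NOW).not_valid_after(NOW + dt.timedelta(days=3650))
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert

def publish_crl(ca_key, ca_cert, revoked_serials, crl_number, lifetime_days=7):
    """Complete CRL: all revoked serials plus Effective date (thisUpdate),
    Next update and the CRL Number extension, signed with the CA key."""
    builder = (x509.CertificateRevocationListBuilder()
               .issuer_name(ca_cert.subject)
               .last_update(NOW)
               .next_update(NOW + dt.timedelta(days=lifetime_days))
               .add_extension(x509.CRLNumber(crl_number), critical=False))
    for serial in revoked_serials:
        entry = (x509.RevokedCertificateBuilder()
                 .serial_number(serial).revocation_date(NOW).build())
        builder = builder.add_revoked_certificate(entry)
    return builder.sign(ca_key, hashes.SHA256())

def check_status(crl, ca_cert, serial, when=NOW):
    """Relying-party check. Returns 'revoked', 'good' or 'undetermined';
    a client that cannot get a trusted, current CRL must not assume 'good'."""
    if crl.issuer != ca_cert.subject or not crl.is_signature_valid(ca_cert.public_key()):
        return "undetermined"   # wrong issuer or not signed by the expected CA
    if not (crl.last_update <= when <= crl.next_update):
        return "undetermined"   # stale CRL: past Next update, fetch a fresh one
    if crl.get_revoked_certificate_by_serial_number(serial) is not None:
        return "revoked"
    return "good"
```

The stale-CRL branch is where the long CRL lifetimes discussed above bite: a client honouring Next update keeps trusting the old list until it expires, so a longer lifetime directly lengthens the window in which a revoked certificate still passes.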

Comments
  • David
    Mar 12, 2007

    Where's the rest of the article?
