
IE CRL check FAIL…

March 2nd, 2011

Just follow the steps below:

1. Make sure the IE setting for CRL checking of the server certificate is enabled.
2. Set the hostnames of the servers hosting the CRL and/or OCSP responder to 127.0.0.1 in your hosts file.
3. Execute [certutil.exe -urlcache * delete] to remove all cached CRLs.
4. Start your browser and tell it to HTTPS:// to the site.
5. It will take some time trying to check the CRL/OCSP against the now non-existing server.
6. After that you are on the site without any warnings! Not really what I expected?!
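The same test reproduced in code, as an added example that is not part of the original post: it fetches the site's certificate, builds the chain with online revocation checking through CryptoAPI, and reports both what a soft-fail client (the browser behaviour above) and a hard-fail client would decide. It assumes Windows PowerShell with .NET; the hostname and the hypothetical function name are mine.

```powershell
# Added example (not from the post): soft-fail vs hard-fail revocation decision
# for a TLS server chain, using the Windows certificate chain engine.
# Assumes Windows PowerShell; $HostName is whatever site you are testing.
function Test-RevocationHardFail {
    param(
        [Parameter(Mandatory)] [string] $HostName,
        [int] $Port = 443,
        [switch] $ClearUrlCache      # step 3 of the post: drop cached CRLs first
    )
    if ($ClearUrlCache) { & certutil.exe -urlcache * delete | Out-Null }
    # Fetch the server certificate. The callback returns $true only so the
    # handshake completes; the real decision is made by the chain build below.
    $tcp = New-Object Net.Sockets.TcpClient($HostName, $Port)
    $ssl = New-Object Net.Security.SslStream($tcp.GetStream(), $false,
        [Net.Security.RemoteCertificateValidationCallback]{ $true })
    try {
        $ssl.AuthenticateAsClient($HostName)
        $leaf = New-Object Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally { $ssl.Dispose(); $tcp.Dispose() }

    # Build the chain with online CRL/OCSP checking for every cert but the root.
    $chain = New-Object Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [Security.Cryptography.X509Certificates.X509RevocationFlag]::ExcludeRoot
    $chain.ChainPolicy.UrlRetrievalTimeout = New-TimeSpan -Seconds 20
    $built = $chain.Build($leaf)   # $false as soon as ANY status flag is raised

    # CryptoAPI reports an unreachable CRL/OCSP responder with these two flags.
    # A soft-fail client ignores them; a hard-fail client treats them as fatal.
    $flags = [Security.Cryptography.X509Certificates.X509ChainStatusFlags]
    $softFailMask = [int]$flags::RevocationStatusUnknown -bor [int]$flags::OfflineRevocation
    $revocationUnverified = $false; $otherErrors = $false
    foreach ($s in $chain.ChainStatus) {
        if (([int]$s.Status -band $softFailMask) -ne 0) { $revocationUnverified = $true }
        if (([int]$s.Status -band -bnot $softFailMask) -ne 0) { $otherErrors = $true }
    }
    [pscustomobject]@{
        Host                 = $HostName
        Subject              = $leaf.Subject
        ChainStatus          = ($chain.ChainStatus | ForEach-Object { $_.Status.ToString() }) -join ', '
        RevocationUnverified = $revocationUnverified
        SoftFailWouldAccept  = -not $otherErrors   # the browser behaviour seen in the post
        HardFailAccept       = $built              # strong revocation check: reject
    }
}

# With the CRL/OCSP hosts pointed at 127.0.0.1 (step 2), expect
# RevocationUnverified = True, SoftFailWouldAccept = True, HardFailAccept = False.
Test-RevocationHardFail -HostName 'example.com' -ClearUrlCache
```

Run it once with the hosts file untouched and once with step 2 applied; the ChainStatus column shows exactly which flags the browser chose to ignore.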


Firefox gives the same results and only Google Chrome gives us a warning…

What if the same happens with Code Signing? Interesting case we have!

/Hasain


  1. Johan
    June 1st, 2011 at 11:43 | #1

    I was actually just testing this scenario but with smartcard logon in Win7, and the same thing happens 😉 You get logged in without CRL verification. Certutil -verify clearly states that the CRL server is offline…

    Now with RDP it works as expected, almost. RDP requires a CRL even though the CRL is not critical or even present in the certificate.

  2. Hasain
    June 1st, 2011 at 21:17 | #2

    For the Smart Card Logon, the KDC requires a strong revocation check and the logon fails if the CRL is not available.

    The RDP client requires a strong revocation check for the RDS server certificate by design, offering strong authentication of the RDS server identity; it should be the same for all clients whenever possible!
