Revocation of a certificate invalidates a certificate as a trusted security credential prior to the scheduled expiration of its validity period. A public key infrastructure (PKI) depends on distributed verification of credentials in which there is no need for direct communication with the central trusted entity that vouches for the credentials.
To effectively support certificate revocation, the client computer must determine whether the certificate is valid or has been revoked. To support a variety of scenarios, Active Directory Certificate Services supports industry-standard methods of certificate revocation. These include publication of certificate revocation lists (CRLs) and delta CRLs in several locations for clients to access, including Active Directory Domain Services, Web servers, and network file shares. In Windows, revocation data can also be made available in a variety of settings through Online Certificate Status Protocol (OCSP) responses.
Note | |
CRLs are published to specified network locations on a periodic basis where they can be downloaded by client computers. OCSP responses are digitally signed responses indicating whether an individual certificate has been revoked or suspended, or if its status is unknown. OCSP responders get their data from published CRLs, or they can be updated directly from the certificate status database of a certification authority (CA). |
In addition, public key Group Policy allows administrators to enhance the use of CRLs and OCSP responders, particularly in situations where extremely large CRLs or network conditions detract from performance.
This topic includes procedures for the following tasks:
Configuring revocation settings on a local computer
Administrators is the minimum group membership required to complete this procedure.
To configure revocation settings on a local computer |
-
Click Start, type gpedit.msc in the Search programs and files box, and then press ENTER.
-
In the console tree under Local Computer Policy\Computer Configuration\Windows Settings\Security Settings, click Public Key Policies.
-
Double-click Certificate Path Validation Settings, and then click the Revocation tab.
-
Select the Define these policy settings check box, select the policy settings that you want to apply, and then click OK to apply the new settings.
Configuring revocation settings for a domain
Domain Admins is the minimum group membership required to complete this procedure.
To configure revocation settings for a domain |
-
Click Start, point to Administrative Tools, and click Server Manager.
-
Under Features Summary, click Add Features. Select the Group Policy Management check box, click Next, and then click Install.
-
After the Installation Results page shows that the installation of the Group Policy Management Console (GPMC) was successful, click Close.
-
Click Start, point to Administrative Tools, and then click Group Policy Management.
-
In the console tree, double-click Group Policy Objects in the forest and domain containing the Default Domain Policy Group Policy object (GPO) that you want to edit.
-
Right-click the Default Domain Policy GPO, and then click Edit.
-
In the console tree under Computer Configuration\Windows Settings\Security Settings, click Public Key Policies.
-
Double-click Certificate Path Validation Settings, and then click the Revocation tab.
-
Select the Define these policy settings check box, select the policy settings that you want to apply, and then click OK to apply the new settings.
Extending the validity period for CRL and OCSP responses for a local computer
Administrators is the minimum group membership required to complete this procedure.
To extend the validity period for CRL and OCSP responses for a local computer |
-
Click Start, type gpedit.msc in the Search programs and files box, and then press ENTER.
-
In the console tree under Local Computer Policy\Computer Configuration\Windows Settings\Security Settings, click Public Key Policies.
-
Double-click Certificate Path Validation Settings, and then click the Revocation tab.
-
Select the Define these policy settings check box, and then select the Allow CRL and OCSP responses to be valid longer than their lifetime check box.
-
In the Default time the validity period can be extended box, enter a value of time (in hours), and then click OK to apply the new settings.
Extending the validity period for CRL and OCSP responses for a domain
Domain Admins is the minimum group membership required to complete this procedure.
To extend the validity period for CRL and OCSP responses for a domain |
-
Click Start, point to Administrative Tools, and click Server Manager.
-
Under Features Summary, click Add Features. Select the Group Policy Management check box, click Next, and then click Install.
-
After the Installation Results page shows that the installation of the GPMC was successful, click Close.
-
Click Start, point to Administrative Tools, and then click Group Policy Management.
-
In the console tree, double-click Group Policy Objects in the forest and domain containing the Default Domain Policy GPO that you want to edit.
-
Right-click the Default Domain Policy GPO, and then click Edit.
-
In the console tree under Computer Configuration\Windows Settings\Security Settings, click Public Key Policies.
-
Double-click Certificate Path Validation Settings, and then click the Revocation tab.
-
Select the Define these policy settings check box, and then select the Allow CRL and OCSP responses to be valid longer than their lifetime check box.
-
In the Default time the validity period can be extended box, enter a value of time (in hours), and then click OK to apply the new settings.
Additional references