Acknowledgements
Trevor Freeman, Program Manager, Microsoft Corporation
Sergio Dutra, Software Design Engineer, Microsoft Corporation
Carsten Kinder, Senior Consultant, Microsoft Consulting Services

Contents
Introduction
Certificate Status Checking
Certificate Revocation Lists
Delta CRLs
Crypto API Functions
Application Revocation Checking
Walkthroughs
Troubleshooting
For More Information
Appendix A – Certificate and Certificate Chain Status Codes
Appendix B - Cross Certificate Distribution Points

Introduction
Windows 2000 and Microsoft Windows Server 2003 allow you to implement a Public Key Infrastructure (PKI) using Certificate Services. The PKI provides validation of certificate-based credentials and ensures that the credentials are not revoked, corrupted, or modified. Certificate Services incorporate industry-standard X.509 v3 CRLs to distribute information about certificate revocation status. The CRLs can be published to Web servers, SMB file servers, FTP servers, or to Active Directory using LDAP.

For certificate status to be determined in a PKI, certificate revocation information must be made available to the individuals, computers, and applications attempting to verify the validity of certificates. Traditionally a PKI uses a distributed method of verification so that clients do not have to contact the Certification Authority (CA) directly to validate the credentials presented.

Terminology
Certificate chaining: The trust validation of an X.509 certificate as it is compared to a trust anchor such as a root certificate.

Subject Key Identifier (SKI): A certificate extension included in CA certificates that contains a hash of the CA certificate's public key. This hash is placed in the Authority Key Identifier (AKI) extension of all certificates the CA issues, to facilitate chain building.

Authority Key Identifier (AKI): By matching the information in a certificate's AKI extension to a CA certificate's SKI extension, a certificate chain can be built.

Certificate revocation list (CRL): A digitally signed list issued by a Certification Authority (CA) that contains the certificates issued by that CA that have been revoked. Each entry includes the serial number of the certificate, the date that the certificate was revoked, and the revocation reason. Applications can perform CRL checking to determine a presented certificate's revocation status.

CRL Distribution Point (CDP): A certificate extension that indicates where the CRL for a CA can be retrieved. This extension can contain multiple HTTP, FTP, File or LDAP URLs for the retrieval of the CRL.

Authority Information Access (AIA): A certificate extension that potentially includes URL locations where the issuing CA's certificate can be retrieved, as well as the location of an OCSP responder configured to provide status for the certificate in question.

Online Certificate Status Protocol (OCSP): A protocol that allows real-time validation of a certificate's status: the Crypto API makes a call to an OCSP responder, and the responder provides an immediate validation of the revocation status for the presented certificate.

Qualified subordination: A method of restricting certificates chaining to a designated CA for limited time periods or usages. In a Windows Server 2003 network, qualified subordination is the preferred method for restricting certificate usage between organizations.

Certificate Revocation Lists
A certificate may have to be withdrawn before its validity period ends, for example when the corresponding private key is compromised or the subject's association with the issuer changes. Under such circumstances, the CA needs to revoke the certificate. X.509 defines one method of certificate revocation. This method involves each CA periodically issuing a signed data structure called a certificate revocation list (CRL). A CRL is a time-stamped list identifying revoked certificates, which is signed by a CA and made freely available in a public repository.

An entry is added to the CRL as part of the next update following notification of revocation. An entry may be removed from the CRL after it has appeared on one regularly scheduled CRL issued beyond the revoked certificate's validity period.

Note: Certificate Services allows an entry to be removed from the CRL before the certificate expires (that is, the certificate to be reinstated) only if the certificate was revoked with the reason "Certificate Hold."
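The CRL lifecycle above, as an added example that is not part of the whitepaper: it uses the python-cryptography library (not the Windows Crypto API) to build a small CA whose certificate carries an SKI, issue a certificate whose AKI and CDP extensions point back at that CA, publish a series of CRLs, and decide a certificate's status the way a relying party should. It goes slightly beyond the text by also rejecting a CRL that is past its next-update time and by checking the certificate's own expiry before consulting the CRL, since an entry may legitimately be dropped once the certificate has expired. The CA name, the user names and the CDP URL are constructed placeholders.

```python
# Added example, not code from the whitepaper. Names and the CDP URL are constructed.
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

DAY = datetime.timedelta(days=1)
CRL_URL = "http://pki.example.test/CertEnroll/ExampleCA.crl"  # constructed placeholder

def _utc(obj, field):
    # Prefer the tz-aware *_utc accessors (cryptography >= 42); normalise to naive UTC.
    v = getattr(obj, field + "_utc") if hasattr(obj, field + "_utc") else getattr(obj, field)
    return v.astimezone(datetime.timezone.utc).replace(tzinfo=None) if v and v.tzinfo else v

def make_ca(cn, now):
    """Self-signed CA certificate carrying a Subject Key Identifier (SKI)."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    cert = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now - DAY).not_valid_after(now + 3650 * DAY)
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .add_extension(x509.SubjectKeyIdentifier.from_public_key(key.public_key()), critical=False)
            .sign(key, hashes.SHA256()))
    return key, cert

def issue_cert(ca_key, ca_cert, cn, now, days=365):
    """End-entity certificate: AKI mirrors the CA's SKI, CDP says where the CRL is published."""
    key = ec.generate_private_key(ec.SECP256R1())
    cdp = x509.DistributionPoint([x509.UniformResourceIdentifier(CRL_URL)], None, None, None)
    return (x509.CertificateBuilder()
            .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)]))
            .issuer_name(ca_cert.subject).public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now - DAY).not_valid_after(now + days * DAY)
            .add_extension(x509.AuthorityKeyIdentifier.from_issuer_public_key(ca_cert.public_key()), critical=False)
            .add_extension(x509.CRLDistributionPoints([cdp]), critical=False)
            .sign(ca_key, hashes.SHA256()))

def publish_crl(ca_key, ca_cert, entries, crl_number, now, next_in=7 * DAY):
    """Sign a CRL listing (serial, revocation date, ReasonFlags) entries; next update in 7 days."""
    b = (x509.CertificateRevocationListBuilder().issuer_name(ca_cert.subject)
         .last_update(now).next_update(now + next_in)
         .add_extension(x509.CRLNumber(crl_number), critical=False))
    for serial, when, reason in entries:
        b = b.add_revoked_certificate(
            x509.RevokedCertificateBuilder().serial_number(serial).revocation_date(when)
            .add_extension(x509.CRLReason(reason), critical=False).build())
    return b.sign(ca_key, hashes.SHA256())

def crl_urls(cert):
    # The URLs a client reads from the CDP extension to fetch the issuer's CRL.
    cdp = cert.extensions.get_extension_for_class(x509.CRLDistributionPoints).value
    return [g.value for dp in cdp for g in (dp.full_name or [])]

def check_revocation(cert, ca_cert, crl, now):
    """Return ('good'|'revoked'|'expired', reason), or raise ValueError if the CRL cannot be trusted."""
    aki = cert.extensions.get_extension_for_class(x509.AuthorityKeyIdentifier).value
    ski = ca_cert.extensions.get_extension_for_class(x509.SubjectKeyIdentifier).value
    if crl.issuer != cert.issuer or aki.key_identifier != ski.digest:
        raise ValueError("CRL issuer is not the CA that issued this certificate")
    if not crl.is_signature_valid(ca_cert.public_key()):
        raise ValueError("CRL signature does not verify with the CA public key")
    nxt = _utc(crl, "next_update")
    if now < _utc(crl, "last_update") or (nxt is not None and now > nxt):
        raise ValueError("CRL is not current; fetch a fresh copy from the CDP")
    # Expiry first: a CA may drop an entry once the certificate's validity period has passed.
    if now > _utc(cert, "not_valid_after"):
        return ("expired", None)
    entry = crl.get_revoked_certificate_by_serial_number(cert.serial_number)
    if entry is None:
        return ("good", None)
    try:
        reason = entry.extensions.get_extension_for_class(x509.CRLReason).value.reason
    except x509.ExtensionNotFound:
        reason = x509.ReasonFlags.unspecified
    return ("revoked", reason.name)

def demo():
    """Revoke with Certificate Hold, lift the hold on the next CRL, then let the certificate expire."""
    now = datetime.datetime.now(datetime.timezone.utc).replace(tzinfo=None)
    ca_key, ca_cert = make_ca("Example Issuing CA", now)
    held, clean = (issue_cert(ca_key, ca_cert, cn, now) for cn in ("user1", "user2"))
    hold = [(held.serial_number, now, x509.ReasonFlags.certificate_hold)]
    crl1 = publish_crl(ca_key, ca_cert, hold, 1, now)
    crl2 = publish_crl(ca_key, ca_cert, [], 2, now + 7 * DAY)    # hold lifted: entry omitted
    crl3 = publish_crl(ca_key, ca_cert, [], 3, now + 400 * DAY)  # issued after user1 expired
    try:                                                         # replayed, out-of-date CRL
        check_revocation(held, ca_cert, crl1, now + 30 * DAY)
        stale = "accepted"
    except ValueError:
        stale = "rejected"
    return {"urls": crl_urls(held),
            "held": check_revocation(held, ca_cert, crl1, now),
            "clean": check_revocation(clean, ca_cert, crl1, now),
            "reinstated": check_revocation(held, ca_cert, crl2, now + 7 * DAY),
            "expired": check_revocation(held, ca_cert, crl3, now + 400 * DAY),
            "stale_crl": stale}
```

Run `demo()` to see each status. The order of checks is the point: the CRL is only meaningful after its issuer has been tied to the certificate's issuer (name and AKI/SKI), its signature has been verified with that CA's key, and its last/next update window covers the current time; an attacker who can serve an old CRL from the CDP must not be able to hide a later revocation. On Windows the same work is done inside the Crypto API chain-building functions (CertGetCertificateChain with the revocation-check flags), which the later sections of this paper describe.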