Certificate revocation - ANSWER-Certificate revocation is the process of breaking the bond between a public key pair and a specific individual. Revocation occurs when the end entity falls out of the scope of trust of the PKI system. Situations in which a digital certificate would be revoked are:
-The subject's identity (either a person or the computer) changes, such as a change from a maiden name to a married name.
-An organization sells a division or changes its name.
-The subject of the certificate leaves the company or is no longer trusted for some reason.
-A compromise, such as a private key being discovered by a hacker, or a laptop with a PKI-enabled application being lost or stolen.
Be aware of the following about certificate revocation - ANSWER--In the Certificate Authority console, when you revoke a certificate, it is moved to the Revoked Certificates folder.
-You must indicate a reason when you revoke the certificate.
-Certificates that have been revoked with Certificate Hold as the reason can be unrevoked (reinstated). You cannot unrevoke certificates that have been revoked for any other reason.
-The CA uses the certificates in this folder to build the certificate revocation list (CRL).
-Revoked certificates are published in a list called the Certificate Revocation List (CRL). The CRL contains a list of all certificates issued by the CA that have been revoked.
CRL Facts - ANSWER--When the CA issues a certificate, the CRL distribution points (CDPs) are included in the certificate.
-When a client computer is presented with a new certificate, it checks the CRL to see if the certificate is still valid.
-The client uses the CDP information in the certificate to locate the CRL.
-The client downloads the entire CRL and any delta CRLs.
-Each CRL and delta CRL includes a property that identifies how long it is valid. This period is based on the publishing interval configured on the CA.
-When a client needs to check the validity of a certificate, it first checks its cached copy of the CRL or delta CRLs.
-If the cached CRL is still valid, that information is used to validate the certificate.
-If the cached CRL is no longer valid, a new CRL or new delta CRL is downloaded.
-When a client needs to download a CRL, it tries the first location in the CDP list. If it cannot get a CRL from that location, it tries the next location, until a CRL is found or all locations have been checked.
Four areas where the CRL is usually published are - ANSWER--On the issuing CA (by default in the C:\Windows\system32\Certsrv\CertEnroll directory)
-To a file