Can someone point me toward a whitepaper or article that describes how Windows deals with Certificate Revocation Lists (CRLs)? Or, can someone briefly describe it?
Briefly, here's my scenario: I am running an Enterprise Patch Management system, "PatchLink", by a company called Lumension. The managed clients 'check in' with the server periodically. They do this over HTTPS, which utilizes an SSL certificate. Now, the corresponding CRL for the SSL certificate must be current, or the check-in fails.
My big question is: when the CRL expires, how is a new copy downloaded? Does the OS itself initiate this, or does the application have a way of doing this? If the application does it, then there's the issue of the proxy. The Managed Clients are on a protected network with no direct Internet access, but there is a SOCKS proxy. Anything that routes thru IE, or can be made to use "Windows Proxy Settings" will work, but if [whatever] requests the proxy can't be made to use the browser's proxy settings, then the Managed Client can't get out to the Internet to find an updated CRL.
In this case, an admin has to go to the machine once a week, and manually install a CRL. My last issue is that when a Managed Client is a Win2K3 system, it checks the CRL, and if it's expired, the client doesn't check in anymore. XP machines pretty much check in all the time, but just recently I have a few that stop checking in once the CRL expires. I bet it's a setting with the PatchLink client, and not inside Windows, that causes this checking to occur.
Anyway, if I understand more about how Windows deals with CRLs, I'll be better equipped to solve this problem...
Thanks!