How to fetch CRLs from distribution points

Source: Internet | Editor: 程序博客网 | Time: 2024/06/05 00:15
http://support.microsoft.com/kb/289749
Q1: What is a Certificate Revocation List (CRL), and what is a CRL Distribution Point (CDP)?

A1: A CRL is a file that contains a list of revoked certificates, their serial numbers, and their revocation dates. A CRL file also contains the name of the issuer of the CRL, the effective date, and the next update date. By default, the shortest validity period of a CRL is one hour.

A CDP is the location where you can download the latest CRL. A CDP is typically listed in the CRL Distribution Points field of the Details tab of the certificate. It is common to list multiple CDPs that use different access methods to make sure that programs, such as Web browsers and Web servers, can always obtain the latest CRL. The following are examples of CDP entries:
[1] CRL Distribution Point
    Distribution Point Name:
        Full Name:
            URL=ldap:///CN=SecTestCA1,CN=SECTESTCA1,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=rte,DC=microsoft,DC=com?certificateRevocationList?base?objectclass=cRLDistributionPoint
[2] CRL Distribution Point
    Distribution Point Name:
        Full Name:
            URL=http://sectestca1.rte.microsoft.com/CertEnroll/SecTestCA1.crl
[3] CRL Distribution Point
    Distribution Point Name:
        Full Name:
            URL=file://\\sectestca1.rte.microsoft.com\CertEnroll\SecTestCA1.crl
Q2: When does IIS 5.0 retrieve a CRL?

A2: Each CRL has an effective date. The effective date is also referred to as the "next update" or the "validity period." IIS 5.0 retrieves a CRL only if one of the following conditions is true:
  • The CRL of the certificate is not contained in the IIS 5.0 cache.
  • The effective date of the CRL in the IIS 5.0 cache has passed.
Q3: If the certificate contains several CRL Distribution Points, does IIS 5.0 retrieve the CRL from each location?

A3: No. Only the first, or top, location is used. If unsuccessful, IIS 5.0 tries the next CRL distribution point.

Q4: Are the contents of each CRL at each CRL distribution point downloaded and combined?

A4: No. Only one CRL is downloaded.

Q5: Are CRLs stored on the computer that is running IIS 5.0?

A5: Yes. However, any consequences that result from the manipulation of the CRL are not supported by Microsoft Product Support Services.
Q6: How are CRLs identified? That is, what extension do CRL files use?

A6: CRLs use a .crl extension. For example, CRLFileName[1].crl.

Note: The FileName is listed in the CRL distribution point on the certificate.

Q7: What occurs if IIS 5.0 cannot find one of the CRLs?

A7: By default, IIS 5.0 fails the request if the CRL of a certificate cannot be accessed. For this reason, multiple paths and protocols are listed for the same CRL distribution point. For example, the following protocols and paths are used in the URL of a CRL distribution point:
  • HTTP
  • Lightweight Directory Access Protocol (LDAP)
  • File
Q8: What error message appears in the Web browser if an effective CRL cannot be obtained? Is the same error message displayed if the CRL is obtained and if the certificate is revoked?

A8: Yes, you receive the same error message in both scenarios. You receive the following error message:
HTTP 403.13 Forbidden: Client certificate revoked

The page requires a valid client certificate

Q9: You experience one of the following symptoms:
  • You make the CRL unavailable. However, IIS does not retrieve a new CRL and does not appear to fail.
  • You revoke a certificate and republish the CRL. However, IIS 5.0 still lets users locate a Web site by using the revoked certificate.
A9: Both of these scenarios are related to the same issue: IIS 5.0 still uses a cached CRL that has not passed its effective date. For more information, see "Q2: When does IIS 5.0 retrieve a CRL?".

Q10: Is it possible to force the cached CRL to update?

A10: You cannot force the cached CRL to update. The CRL has an expiration date. When the CRL expires, the CRL is renewed.

All certificates are stored in the cache when the certificates are selected from a store or from a URL. The only difference is the location where the cached certificates are stored. Certificates can be stored in the following locations:
  • Memory

    All retrieved certificates are cached in memory.
  • CA Store

    All certificates that are retrieved from any WinInet-supported URLs, such as HTTP, FTP, LDAP, and FILE by using the Authority Information Access (AIA) extension are cached in the CA store.
  • Local file system

    If the retrieval URL is ldap://, ftp://, or http://, the certificate or CRL is also cached by WinInet in the local file system. The cache is stored in the Documents and Settings\UserName\Local Settings\Temporary Internet Files folder.
For additional information about certificates and about caching, visit the following Microsoft Web site:
http://www.microsoft.com/technet/prodtechnol/winxppro/support/tshtcrl.mspx

MORE INFORMATION

Q12: Can IIS 5.0 perform "real time" CRL checking?

A12: No. IIS 5.0 uses the CRL in the cache until the CRL expires. The lowest validity period for a CRL that is published by Microsoft Certificate Services is one hour. You can delete the CRL from the cache to force the retrieval of a new CRL. However, the new CRL still has the same validity period.

REFERENCES

For more information about Internet X.509 Public Key Infrastructure Certificate and CRL profile, visit the following Internet Engineering Task Force (IETF) Web site:

Request for Comments (RFC) 2459
http://www.ietf.org/rfc/rfc2459.txt?number=2459

Properties

Article ID: 289749 - Last Review: November 21, 2006 - Revision: 8.1
APPLIES TO
  • Microsoft Internet Information Services 5.0
Keywords: kbtshoot kbfaq kbinfo KB289749
Retired KB Content Disclaimer
This article was written about products for which Microsoft no longer offers support. Therefore, this article is offered "as is" and will no longer be updated.
 
 
LDAP for the Java Net URL Framework

Part II: How to fetch CRLs from distribution points

By Dieter.Bratko@iaik.tugraz.at, August 2006

Introduction

Despite the growing popularity of the Online Certificate Status Protocol (OCSP), certificate revocation lists (CRLs) are still the most commonly used way of providing revocation information about X.509 certificates. CRLs are publicly available from distribution points such as HTTP or LDAP servers. A certificate usually contains a CRLDistributionPoints extension with a link to the location from which the corresponding CRL can be obtained. You might think that it is simple and straightforward to follow the link and download a CRL from its distribution point. However, a CRLDistributionPoints extension may be structured in several different ways, which alone makes it difficult to extract the information about where to get the revocation list.

This article shows how you can let IAIK JCE do all the basic work for you to easily download a certificate revocation list from its distribution point. We first give a brief description of the CRLDistributionPoints certificate extension. Then we provide an example showing how to use IAIK-JCE for downloading a crl based on the information contained in the CRLDistributionPoints extension.

The CRLDistributionPoints extension

This chapter provides a short description of the CRLDistributionPoints extension. It should give you a feeling for the several ways in which revocation information may be linked. You may skip this section; an understanding of how the CRLDistributionPoints extension is structured is not absolutely required for using IAIK-JCE to download a CRL from its distribution point.

The X.509 PKI and CRL profile defines the CRLDistributionPoints extension as an ASN.1 SEQUENCE of DistributionPoint objects (see RFC 3280), each of which points to a location from which a CRL can be obtained:

CRLDistributionPoints ::= SEQUENCE SIZE (1..MAX) OF DistributionPoint

DistributionPoint ::= SEQUENCE {
     distributionPoint       [0]     DistributionPointName OPTIONAL,
     reasons                 [1]     ReasonFlags OPTIONAL,
     cRLIssuer               [2]     GeneralNames OPTIONAL }

DistributionPointName ::= CHOICE {
     fullName                [0]     GeneralNames,
     nameRelativeToCRLIssuer [1]     RelativeDistinguishedName }

ReasonFlags ::= BIT STRING {
     unused                  (0),
     keyCompromise           (1),
     cACompromise            (2),
     affiliationChanged      (3),
     superseded              (4),
     cessationOfOperation    (5),
     certificateHold         (6),
     privilegeWithdrawn      (7),
     aACompromise            (8) }

The DistributionPointName field of each DistributionPoint may be a fullName of type GeneralNames or an RDN relative to the CRL issuer distinguished name (DN). In the first case the fullName field may represent a URI that points to the location from which to get the CRL. In the second case – if nameRelativeToCRLIssuer is set – the specified RDN has to be appended to the DN of the CRL issuer. The DN of the CRL issuer may be given in the cRLIssuer field of the distribution point, or – if cRLIssuer is not present – it is the DN of the certificate issuer. The cRLIssuer field must be present only if the corresponding CRL is an indirect CRL, where the issuer of the CRL is not the same as the issuer of the certificate for which revocation information shall be obtained. The scope of each CRL can be limited to some of the reasons given in the optional ReasonFlags component.
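The structure just described is easiest to see by walking actual bytes. The following Java program is an added example, not code from this article or from IAIK-JCE: a small DER walker that extracts the URI distribution points from a CRLDistributionPoints extension value, in extension order, and skips entries that use the nameRelativeToCRLIssuer choice (which carry an RDN rather than a URI). The extension value it parses is constructed inside the program with made-up URIs; the class and method names are the example's own.

```java
import java.io.ByteArrayOutputStream;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;

// Added example: minimal DER walker for the CRLDistributionPoints structure above.
// Not IAIK code; the sample extension value at the bottom is constructed, not real.
public class CdpExtract {

    // Encode one DER TLV with definite length (content up to 65535 bytes).
    static byte[] tlv(int tag, byte[] content) {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        out.write(tag);
        int n = content.length;
        if (n < 0x80) { out.write(n); }
        else if (n < 0x100) { out.write(0x81); out.write(n); }
        else { out.write(0x82); out.write(n >>> 8); out.write(n & 0xff); }
        out.write(content, 0, n);
        return out.toByteArray();
    }

    static byte[] concat(byte[]... parts) {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        for (byte[] p : parts) out.write(p, 0, p.length);
        return out.toByteArray();
    }

    // Header of one decoded TLV: tag, offset of first content byte, content length.
    static final class Tlv {
        final int tag, start, len;
        Tlv(int tag, int start, int len) { this.tag = tag; this.start = start; this.len = len; }
        int end() { return start + len; }
    }

    // Parse the TLV header at off; indefinite and over-long lengths are rejected.
    static Tlv read(byte[] der, int off) {
        if (off + 2 > der.length) throw new IllegalArgumentException("truncated DER");
        int tag = der[off] & 0xff, first = der[off + 1] & 0xff, len, start;
        if (first < 0x80) { len = first; start = off + 2; }
        else {
            int nbytes = first & 0x7f;
            if (nbytes == 0 || nbytes > 2 || off + 2 + nbytes > der.length)
                throw new IllegalArgumentException("unsupported DER length");
            len = 0;
            for (int i = 0; i < nbytes; i++) len = (len << 8) | (der[off + 2 + i] & 0xff);
            start = off + 2 + nbytes;
        }
        if (start + len > der.length) throw new IllegalArgumentException("DER length exceeds buffer");
        return new Tlv(tag, start, len);
    }

    // Collect every uniformResourceIdentifier found in a fullName, in extension order.
    // Tag bytes under RFC 3280's IMPLICIT tagging: distributionPoint [0] wraps a CHOICE and is
    // therefore EXPLICIT (0xA0); fullName [0] GeneralNames is 0xA0; nameRelativeToCRLIssuer [1]
    // is 0xA1; reasons [1] BIT STRING is 0x81; cRLIssuer [2] is 0xA2; URI GeneralName [6] is 0x86.
    static List<String> uriDistributionPoints(byte[] ext) {
        List<String> uris = new ArrayList<>();
        Tlv seq = read(ext, 0);
        if (seq.tag != 0x30) throw new IllegalArgumentException("CRLDistributionPoints must be a SEQUENCE");
        for (int pos = seq.start; pos < seq.end(); ) {
            Tlv dp = read(ext, pos);                         // DistributionPoint ::= SEQUENCE
            for (int p = dp.start; p < dp.end(); ) {
                Tlv field = read(ext, p);
                if (field.tag == 0xA0) {                     // distributionPoint present
                    Tlv name = read(ext, field.start);
                    if (name.tag == 0xA0) {                  // fullName: walk GeneralNames
                        for (int q = name.start; q < name.end(); ) {
                            Tlv gn = read(ext, q);
                            if (gn.tag == 0x86)
                                uris.add(new String(ext, gn.start, gn.len, StandardCharsets.US_ASCII));
                            q = gn.end();
                        }
                    } // 0xA1: nameRelativeToCRLIssuer carries an RDN, not a URI; nothing to add
                } // reasons (0x81) and cRLIssuer (0xA2) do not say where the CRL lives
                p = field.end();
            }
            pos = dp.end();
        }
        return uris;
    }

    // ---- constructed sample value, mirroring the LDAP/HTTP entries in the KB above ----
    static byte[] uriName(String uri) { return tlv(0x86, uri.getBytes(StandardCharsets.US_ASCII)); }

    static byte[] fullNameDp(byte[]... generalNames) {
        return tlv(0x30, tlv(0xA0, tlv(0xA0, concat(generalNames))));
    }

    // DistributionPoint using nameRelativeToCRLIssuer = { cn=CRL1 } (OID 2.5.4.3, PrintableString).
    static byte[] relativeNameDp() {
        byte[] cnOid = {0x06, 0x03, 0x55, 0x04, 0x03};
        byte[] atv = tlv(0x30, concat(cnOid, tlv(0x13, "CRL1".getBytes(StandardCharsets.US_ASCII))));
        return tlv(0x30, tlv(0xA0, tlv(0xA1, atv)));
    }

    static byte[] sampleExtension() {
        return tlv(0x30, concat(
            fullNameDp(uriName("ldap:///CN=ExampleCA,CN=CDP?certificateRevocationList?base")),
            fullNameDp(uriName("http://crl.example.invalid/ExampleCA.crl")),
            relativeNameDp()));
    }

    public static void main(String[] args) {
        // Prints the two URIs; the relative-name entry yields none and would need the
        // CRL issuer DN plus an LDAP server URL, as the text explains.
        for (String uri : uriDistributionPoints(sampleExtension())) System.out.println(uri);
    }
}
```

On a real certificate the same bytes are the value of extension 2.5.29.31 (id-ce-cRLDistributionPoints); note that java.security.cert.X509Extension.getExtensionValue returns that value wrapped in a DER OCTET STRING, so one outer TLV has to be unwrapped before handing the content to uriDistributionPoints. Order is preserved on purpose: a client such as IIS 5.0 in the KB above tries the first entry first.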

Downloading a CRL from a distribution point

Fortunately, CRL distribution points most commonly refer to an HTTP or LDAP URL. Since LDAP is not supported by the java.net URL implementation by default – see Part 1 of this two-part article series – you first have to register the IAIK-JCE LDAP protocol handler if you want to be able to get CRLs from LDAP distribution points:

System.getProperties().put("java.protocol.handler.pkgs", "iaik.x509.net");

To get a CRLDistributionPoints extension from an X509Certificate object, call method getExtension with the OID of the CRLDistributionPoints extension:

X509Certificate cert = …;
CRLDistributionPoints cRLDPs = (CRLDistributionPoints)cert.getExtension(CRLDistributionPoints.oid);

Since more than only one DistributionPoint may be included, you must get an Enumeration of the DistributionPoint elements contained in the CRLDistributionPoints extension:

Enumeration e = cRLDPs.getDistributionPoints();

Now step through the enumeration and call method loadCrl of each DistributionPoint object to download the CRL from the location the distribution point points to:

while (e.hasMoreElements()) {
  DistributionPoint dp = (DistributionPoint)e.nextElement();
  // download crl
  X509CRL crl = dp.loadCrl();
}

If you want to be sure that a particular distribution point actually refers to a URI you may call method containsUriDpName before downloading a crl.

Summing up, the following source code fragment will download all CRLs from the distribution points of a CRLDistributionPoints extension that refer to a URL:

// IAIK-JCE and JDK types used by this fragment (package names as assumed from the IAIK-JCE Javadoc)
import java.util.Enumeration;
import iaik.x509.X509Certificate;
import iaik.x509.X509CRL;
import iaik.x509.extensions.CRLDistributionPoints;
import iaik.x509.extensions.DistributionPoint;

// register IAIK-JCE LDAP protocol handler
System.getProperties().put("java.protocol.handler.pkgs", "iaik.x509.net");
// get CRLDistributionPoints extension from a certificate
X509Certificate cert = …;
CRLDistributionPoints cRLDPs = (CRLDistributionPoints)cert.getExtension(CRLDistributionPoints.oid);
// get and step through all distribution points
Enumeration e = cRLDPs.getDistributionPoints();
while (e.hasMoreElements()) {
  DistributionPoint dp = (DistributionPoint)e.nextElement();
  // only distribution points that name a URI can be fetched directly
  if (dp.containsUriDpName()) {
    // download crl
    X509CRL crl = dp.loadCrl();
  }
}

If you have to deal with a distribution point that does not refer to an (HTTP or LDAP) URL but uses the nameRelativeToCRLIssuer choice described in chapter 2, you may have to know the LDAP server URL (and possibly the CRL/certificate issuer DN) in advance. In this case use method loadCrl(String ldapUrl, Name crlIssuer) to download the revocation list (see the IAIK-JCE Javadoc for more information). However, this is usually not required, since most CAs use the fullName URL option to point to the location from which to get the CRL.
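The article stops once loadCrl() has returned a CRL, and the KB above (Q2, Q10, Q12) describes the cache rule IIS 5.0 applies: download only if no CRL is cached for the distribution point or the cached one has passed its next update, and evicting the cache gains nothing beyond the new CRL's own validity period. The following Java program is an added example, not code from the article, the KB or IAIK: it implements that cache rule over any fetch function and checks a fetched CRL's signature, issuer and validity window before using it for a revocation lookup. It uses only JDK types; the iaik.x509.X509CRL returned by loadCrl() is assumed to be usable where a java.security.cert.X509CRL is expected (an assumption), the class and method names are the example's own, and the file paths in main are placeholders.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.CertificateFactory;
import java.security.cert.X509CRL;
import java.security.cert.X509Certificate;
import java.util.Date;
import java.util.HashMap;
import java.util.Map;
import java.util.function.Supplier;

// Added example: CRL cache following the IIS 5.0 rule from the KB above, plus the
// checks a fetched CRL must pass before it is trusted. Not IAIK or Microsoft code.
public class CrlCache {

    private final Map<String, X509CRL> cache = new HashMap<>();

    // KB Q2: fetch only if nothing is cached for this distribution point or the cached
    // CRL's next update has passed. A CRL without nextUpdate is treated as always stale.
    boolean needsFetch(String dpUrl, Date now) {
        X509CRL cached = cache.get(dpUrl);
        return cached == null
            || cached.getNextUpdate() == null
            || !now.before(cached.getNextUpdate());
    }

    // Return the cached CRL, fetching (e.g. via IAIK's dp.loadCrl()) only when needed.
    X509CRL getOrFetch(String dpUrl, Supplier<X509CRL> fetcher, Date now) {
        if (needsFetch(dpUrl, now)) cache.put(dpUrl, fetcher.get());
        return cache.get(dpUrl);
    }

    // KB Q12: evicting forces a download, but the new CRL keeps its own validity period.
    void evict(String dpUrl) { cache.remove(dpUrl); }

    // A downloaded CRL is untrusted data: verify its signature with the issuer's key,
    // confirm the issuer name matches, and confirm it is inside its validity window.
    // For an indirect CRL (cRLIssuer set) pass the CRL issuer's certificate as 'issuer'.
    static void validate(X509CRL crl, X509Certificate issuer, Date now) throws Exception {
        crl.verify(issuer.getPublicKey());   // throws SignatureException on a bad signature
        if (!crl.getIssuerX500Principal().equals(issuer.getSubjectX500Principal()))
            throw new SecurityException("CRL issuer does not match the signing certificate");
        if (now.before(crl.getThisUpdate()))
            throw new SecurityException("CRL thisUpdate is in the future");
        if (crl.getNextUpdate() != null && !now.before(crl.getNextUpdate()))
            throw new SecurityException("CRL is past its nextUpdate");
    }

    // Revocation decision for one certificate, made only after the CRL passed validate().
    static boolean isRevoked(X509CRL crl, X509Certificate issuer, X509Certificate subject, Date now)
            throws Exception {
        validate(crl, issuer, now);
        return crl.isRevoked(subject);
    }

    static X509CRL readCrl(String path) throws Exception {
        try (InputStream in = new FileInputStream(path)) {
            return (X509CRL) CertificateFactory.getInstance("X.509").generateCRL(in);
        }
    }

    static X509Certificate readCert(String path) throws Exception {
        try (InputStream in = new FileInputStream(path)) {
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
    }

    // Usage (paths are placeholders): java CrlCache issuer.cer subject.cer downloaded.crl
    public static void main(String[] args) throws Exception {
        X509Certificate issuer = readCert(args[0]);
        X509Certificate subject = readCert(args[1]);
        String crlPath = args[2];
        String dpUrl = "file:" + crlPath;    // cache key; in practice the CDP URL
        CrlCache cache = new CrlCache();
        Date now = new Date();
        Supplier<X509CRL> fetcher = () -> {
            try { return readCrl(crlPath); } catch (Exception e) { throw new RuntimeException(e); }
        };
        X509CRL crl = cache.getOrFetch(dpUrl, fetcher, now);
        System.out.println("nextUpdate: " + crl.getNextUpdate());
        System.out.println("needs fetch now? " + cache.needsFetch(dpUrl, now));
        System.out.println("revoked: " + isRevoked(crl, issuer, subject, now));
    }
}
```

With IAIK-JCE the fetcher would simply be dp::loadCrl (wrapped to convert its checked exceptions) and the cache key the URI from dp, so the same rule applies to every distribution point a certificate lists. The signature check in validate is the part a download helper does not do for you: a CRL fetched over plain HTTP or LDAP is only as trustworthy as the signature that binds it to the issuer.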

Summary

This article shows how to use IAIK-JCE to download certificate revocation lists from their distribution points without detailed knowledge about distribution point structuring and LDAP URL handling.

References

  1. Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile: http://www.ietf.org/rfc/rfc3280.txt
  2. The LDAP URL format: http://www.ietf.org/rfc/rfc2255.txt
  3. Java Naming And Directory Interface (JNDI): http://java.sun.com/products/jndi/
  4. IAIK-JCE Toolkit: http://jce.iaik.tugraz.at/products/core_crypto_toolkits/jca_jce
 