How The Revocation Process Works

After you design the renewal process, you must design the revocation process. There are two parts to this process: when and how certificates should be revoked, and how applications learn that certificates have been revoked. Because a certificate is usually revoked to prevent it from being used, the process by which applications learn that a certificate is no good (has been revoked) is critical. But before you can design the revocation process, you must understand how the process works. The revocation process looks like this:
1. The decision is made to revoke a certificate.
2. The CA administrator revokes the certificate by right-clicking the certificate in the CA console, choosing Revoke, and selecting a reason for revocation.
3. The revoked certificate is placed in the Revoked container of the CA database, and its information is added to the CRL.
4. The CA administrator can manually publish the CRL, or it will automatically be published at the specified CRL publication period.
5. When a certificate is presented for use and the application to which it is presented requires certificate revocation checking, the computer checks for a cached copy of the appropriate CRL, the one issued by the CA that signed the certificate.
   - If a cached copy of the appropriate CRL is present and has not expired, the list is checked. If the certificate is not on the list, this part of the revocation check is passed.
   - If a cached copy of the appropriate CRL is not present, the computer checks the certificate for the location of a downloadable CRL, downloads the CRL, and checks it.

MCSE Exam Tip: If a cached CRL is available and it has not expired, a new CRL will not be downloaded. If the certificate has recently been revoked, even if the administrator has manually published a new CRL, this information will not be available to the computer until the current, cached CRL expires. Therefore, it is possible that a revoked certificate will be validated.

6. The process is repeated for the other certificates in the certificate chain.
7. Depending on how the application is written and configured, on whether the certificate or any of its chained certificates appears on a retrieved list, and on whether a list can be retrieved at all, the certificate might or might not be validated.

70-270 Exam Tip: CRL checking is not always carried out. Even when it is, a perfect result is not always required for the certificate to be validated.
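The following is an added example, not code from the original text or from Windows itself: a small constructed Python model of steps 1 through 7 above. A toy CA holds the Revoked container and publishes CRLs, and a relying computer caches each CRL until its NextUpdate time, downloading a fresh copy only when no cached copy exists or the cached one has expired. The names (ToyCA, RelyingComputer, the example CDP URL, serial number and timestamps) are all constructed for illustration. The walkthrough replays the exam-tip scenario: a certificate revoked and republished while the client still holds an unexpired CRL keeps validating until that cached CRL expires.

```python
"""Constructed model of CRL-based revocation checking (illustration only)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set


@dataclass
class CRL:
    issuer: str
    this_update: datetime
    next_update: datetime                       # a cached copy is reused until this time
    revoked_serials: Set[int] = field(default_factory=set)


@dataclass
class Certificate:
    serial: int
    issuer: str
    cdp: str                                    # CRL Distribution Point: where the CRL is fetched from


class ToyCA:
    """Hypothetical CA: keeps the Revoked container and publishes its CRL."""

    def __init__(self, name: str, crl_lifetime: timedelta) -> None:
        self.name = name
        self.crl_lifetime = crl_lifetime
        self.revoked: Dict[int, str] = {}       # step 3: serial -> revocation reason
        self.published: Optional[CRL] = None    # what the CDP currently serves

    def revoke(self, serial: int, reason: str) -> None:
        self.revoked[serial] = reason           # steps 2 and 3

    def publish_crl(self, now: datetime) -> CRL:
        # step 4: manual or scheduled publication of the current revoked set
        self.published = CRL(self.name, now, now + self.crl_lifetime, set(self.revoked))
        return self.published


class RelyingComputer:
    """Hypothetical client: caches one CRL per distribution point (step 5)."""

    def __init__(self, distribution_points: Dict[str, ToyCA]) -> None:
        self.cdp = distribution_points          # CDP URL -> CA that serves it
        self.cache: Dict[str, CRL] = {}

    def check_one(self, cert: Certificate, now: datetime) -> str:
        crl = self.cache.get(cert.cdp)
        if crl is None or now >= crl.next_update:
            # no cached copy, or the cached copy has expired: download from the CDP
            crl = self.cdp[cert.cdp].published
            if crl is None:
                return "unknown"                # no list could be retrieved
            self.cache[cert.cdp] = crl
        # an unexpired cached CRL is used even if a newer one has been published
        return "revoked" if cert.serial in crl.revoked_serials else "good"

    def check_chain(self, chain: List[Certificate], now: datetime) -> str:
        # step 6: every certificate in the chain is checked; step 7: the application
        # decides how to treat an unretrievable list, and this model is strict about it
        results = [self.check_one(c, now) for c in chain]
        if "revoked" in results:
            return "revoked"
        if "unknown" in results:
            return "unknown"
        return "good"


def walkthrough() -> List[str]:
    """Replays the exam-tip scenario and returns the client's verdicts in order."""
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)            # constructed time
    ca = ToyCA("Toy Issuing CA", crl_lifetime=timedelta(days=1))
    cdp_url = "http://pki.example.test/toy.crl"                      # constructed URL
    client = RelyingComputer({cdp_url: ca})
    cert = Certificate(serial=0x1234, issuer=ca.name, cdp=cdp_url)   # constructed serial
    verdicts = []
    verdicts.append(client.check_chain([cert], t0))                  # no CRL published yet
    ca.publish_crl(t0)                                               # scheduled publication
    verdicts.append(client.check_chain([cert], t0))                  # CRL downloaded and cached
    ca.revoke(cert.serial, "keyCompromise")
    ca.publish_crl(t0 + timedelta(hours=1))                          # administrator publishes manually
    verdicts.append(client.check_chain([cert], t0 + timedelta(hours=2)))  # cached CRL still valid
    verdicts.append(client.check_chain([cert], t0 + timedelta(days=1)))   # cache expired, refetched
    return verdicts


if __name__ == "__main__":
    print(walkthrough())
```

The third verdict is the one the exam tip warns about: the client has a CRL whose NextUpdate is still in the future, so it never asks the CDP for the freshly published list and reports the revoked certificate as good. Shortening the CRL publication period, or using a revocation mechanism with fresher data, is what narrows that window.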