Automatically removing expired certificates from the CRL

By default, AD CS automatically removes expired certificates from the CRLs it publishes. Once a certificate expires, whether it was revoked in the past is generally not relevant: since the certificate is no longer time valid, it should be rejected anyway.

This default behaviour can be modified via one of the CRL flags in the CA configuration, called CRLF_PUBLISH_EXPIRED_CERT_CRLS. By default the flag is not set, meaning expired revoked certificates are removed from the CRL, but it can be set by running:

certutil -setreg CA\CRLFlags +CRLF_PUBLISH_EXPIRED_CERT_CRLS

Once set, revoked certificates remain in subsequent CRLs even after they expire. To unset the flag, run:

certutil -setreg CA\CRLFlags -CRLF_PUBLISH_EXPIRED_CERT_CRLS

There are some cases, though, where it is required to keep certain revoked certificates in the CRL even after they have expired. The classic example is code signing certificates: when code is signed with a code signing certificate, the signature usually includes a signed timestamp as well, so that parties verifying the signature can check when it was generated. If the code signing certificate was valid at the point in time when the code was signed, the signature remains valid even after the code signing certificate expires.

Therefore, if a code signing certificate has been revoked, that is relevant information for relying parties even after the certificate has expired. Using the timestamp in the signature, a relying party can determine whether the signature was generated before or after the certificate was revoked, and thus decide whether the signature is trustworthy. To enable this, it is essential that revocation information for code signing certificates remains available and accurate even after they expire.

AD CS provides another configuration setting to enable this, in the form of a list of EKU OIDs that, when present in a certificate, prevent it from being removed from the CRL upon expiration.

The configuration setting is called EKUOIDsForPublishExpiredCertInCRL, and it defaults to a list containing 2 EKUs. To check its value via certutil:

certutil -getreg CA\EKUOIDsForPublishExpiredCertInCRL

So by default, revoked certificates carrying the Code Signing (1.3.6.1.5.5.7.3.3) or Kernel Mode Code Signing (1.3.6.1.4.1.311.61.1.1) EKU stay in the CRL even after they expire.

The list of OIDs can be modified via certutil, adding EKUs to the list:

certutil -setreg CA\EKUOIDsForPublishExpiredCertInCRL +[OID]

or removing them from the list:

certutil -setreg CA\EKUOIDsForPublishExpiredCertInCRL -[OID]

As usual, configuration changes such as the ones mentioned above require the AD CS service to be restarted to take effect.
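The two settings above interact: the flag keeps everything, the EKU list keeps only what matches. The script below is an added example, not part of the original post, that reads both values straight from the CA's registry configuration (the same key certutil -getreg CA\... reads) and reports whether expired revoked certificates will be retained in the CRL. It assumes it runs elevated on the CA host, that the active CA name is stored in the Active value under the CertSvc Configuration key, and that CRLF_PUBLISH_EXPIRED_CERT_CRLS has the bit value 0x200 as I recall it from certsrv.h; confirm that last assumption with certutil -getreg CA\CRLFlags, which prints the symbolic flag names next to the numeric value. The expected EKU list is the two defaults from the text; extend it with any EKU your CA adds.

```powershell
# Added example (not from the original post): audit the CA settings that decide
# whether revoked certificates stay in the CRL after they expire.
# Assumptions: run elevated on the CA host; registry layout as read by
# "certutil -getreg CA\..."; CRLF_PUBLISH_EXPIRED_CERT_CRLS = 0x200 (recalled
# from certsrv.h - verify with "certutil -getreg CA\CRLFlags").

$ConfigKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$CaName    = (Get-ItemProperty -Path $ConfigKey -Name Active).Active
$CaKey     = Join-Path $ConfigKey $CaName

$CRLF_PUBLISH_EXPIRED_CERT_CRLS = 0x200   # assumed bit value, see comment above

# EKUs whose presence should keep an expired revoked certificate in the CRL.
# The two entries are the documented defaults; add your own EKUs as needed.
$ExpectedEkus = @(
    '1.3.6.1.5.5.7.3.3'        # Code Signing
    '1.3.6.1.4.1.311.61.1.1'   # Kernel Mode Code Signing
)

$props    = Get-ItemProperty -Path $CaKey
$crlFlags = [int]$props.CRLFlags
$ekuList  = @($props.EKUOIDsForPublishExpiredCertInCRL)   # REG_MULTI_SZ -> string[]

# Flag set => every expired revoked certificate is retained, regardless of EKU.
$keepAll = ($crlFlags -band $CRLF_PUBLISH_EXPIRED_CERT_CRLS) -ne 0

[pscustomobject]@{
    CA                     = $CaName
    CRLFlags               = ('0x{0:X}' -f $crlFlags)
    PublishExpiredCertCrls = $keepAll
    RetainedEkuOids        = ($ekuList -join ', ')
}

# Findings worth raising in a review of the CA configuration.
if ($keepAll) {
    Write-Warning 'CRLF_PUBLISH_EXPIRED_CERT_CRLS is set: all expired revoked certificates stay in the CRL, so it only grows.'
}

$missing = @($ExpectedEkus | Where-Object { $_ -notin $ekuList })
foreach ($oid in $missing) {
    Write-Warning "EKU $oid is not in EKUOIDsForPublishExpiredCertInCRL: revoked certificates with this EKU drop out of the CRL once they expire."
}

if (-not $keepAll -and $missing.Count -eq 0) {
    Write-Host 'OK: only revoked certificates with the listed EKUs are retained after expiry.'
}
```

Run it before and after changing either setting (and after the service restart the text mentions) to confirm the value the CA actually holds; the registry reflects the change immediately, but the running service does not pick it up until restarted.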
