Wednesday, September 23, 2015

How to display the contents of a Certificate Revocation List in Windows

Recently I worked with a customer on migrating his on-premises Exchange 2003 to Exchange Online in a staged migration scenario. RPC over HTTPS (Outlook Anywhere) is a prerequisite for this kind of migration. In the middle of the migration process I suddenly started getting messages that the SSL certificate had been revoked (an easy check is to browse to https://rpcproxyserverfqdn/rpc). The customer stated he hadn't made any changes to the certificate, so I had to dig around.
When a certificate is considered untrustworthy, it is listed in the issuing CA's Certificate Revocation List (CRL). This is just a small file located somewhere accessible by URL, frequently hosted on Internet-facing web servers. The file is binary-encoded rather than plain text, so just dropping it into Notepad isn't going to do you much good.
Step 1. Obtain the Certificate Serial Number (SN)
For example, here's a GoDaddy certificate.
Open the "Details" tab, look for the "Serial Number" field and copy its value to Notepad.

Step 2. Obtain the Certificate Revocation List from the CRL Distribution Point (CDP)
Open up almost any certificate issued by a CA and look for the CDP field.

On the Details tab, the CRL Distribution Point field should always contain at least one URL that is reachable from anywhere the certificate is expected to be trusted.
So the CDP is on a public HTTP server.
Copy the URL into a browser and choose Save Attachment to put the CRL file "gdig2s1-119.crl" on the local computer.
Step 3. Decode the Certificate Revocation List With Certutil

Now open a Command Prompt, change to the folder that contains the downloaded CRL file, and use the certutil -dump command.

In this case, I typed:
certutil -dump gdig2s1-119.crl > crldump.txt
Step 4. Open the result file "crldump.txt" and search for the SN you noted in Step 1.
You may run into the situation I had, where the SN shown in the certificate viewer begins with "00" and you have to remove that "00" before it matches the dump.
You will see the serial number of each recently revoked certificate and the date/time of revocation, along with the appropriate crypto information, including the issuer, date of issuance, and the CRL signature. That's pretty much all the information that's in a CRL.
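As an added example (not part of the original post), a small Python script that automates Step 4: it parses the text produced by certutil -dump, normalizes the serial number (separators, letter case, and the leading "00" mentioned above) and returns the revocation date if the certificate is listed. The dump text embedded below is constructed to mirror the layout of certutil output and is not a real CRL.

```python
import re

# Constructed sample modelled on the layout of `certutil -dump file.crl` output;
# it is not a real CRL, and the serials and dates are made up.
SAMPLE_DUMP = """\
X509 Certificate Revocation List:
Version: 2
Issuer:
    CN=Example Issuing CA (constructed)
 ThisUpdate: 9/22/2015 10:00 AM
 NextUpdate: 9/29/2015 10:00 AM
CRL Entries: 3
    Serial Number: 0a1b2c3d4e5f6071
    Revocation Date: 9/20/2015 8:15 AM
    CRL Entry Extensions: 1
        CRL Reason Code
            Key Compromise (1)
    Serial Number: 83f0e1d2c3b4a596
    Revocation Date: 9/21/2015 3:30 PM
    Serial Number: 1f2e3d4c5b6a7988
    Revocation Date: 9/22/2015 9:45 AM
"""

def normalize_serial(serial):
    """Drop spaces/colons, lowercase, and strip a leading 00 byte (the DER
    sign-padding byte the certificate viewer shows) so the SN copied from the
    viewer compares equal to the form used in the dump."""
    s = re.sub(r"[\s:]", "", serial).lower()
    while s.startswith("00") and len(s) > 2:
        s = s[2:]
    return s

def parse_crl_entries(dump_text):
    """Return (normalized_serial, revocation_date) pairs from a certutil dump."""
    entries, current = [], None
    for line in dump_text.splitlines():
        text = line.strip()
        if text.startswith("Serial Number:"):
            current = normalize_serial(text.split(":", 1)[1])
        elif text.startswith("Revocation Date:") and current is not None:
            # split on the first colon only; the date itself contains colons
            entries.append((current, text.split(":", 1)[1].strip()))
            current = None
    return entries

def find_revocation(dump_text, serial):
    """Revocation date if `serial` is listed in the dump, otherwise None."""
    return dict(parse_crl_entries(dump_text)).get(normalize_serial(serial))
```

To check a real dump, read crldump.txt into a string and pass it to find_revocation together with the SN copied from the certificate viewer.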