When a CA revokes a certificate it has issued (for example because the private key was compromised or the certificate was replaced), it lists that certificate's serial number in its Certificate Revocation List (CRL). The CRL is a small file located somewhere accessible by URL, and is frequently hosted on Internet-facing web servers. The file is DER-encoded ASN.1, not plaintext, so just dropping it into Notepad isn't going to do you much good.
Step 1. Obtain the Certificate Serial Number (SN)
For example, here’s a GoDaddy certificate
Open the "Details" tab, look for the "Serial Number" field and copy its value to Notepad.
Step 2. Obtain the Certificate Revocation List from the CRL Distribution Point (CDP)
Open almost any certificate issued by a public CA and look for the "CRL Distribution Points" field; it names one or more URLs the CRL is published at.
Copy the URL http://crl.godaddy.com/gdig2s1-119.crl into a browser and choose Save Attachment to put the CRL file "gdig2s1-119.crl" on your local computer.
Step 3. Decode the Certificate Revocation List With Certutil
Now open a Command Prompt, change to the directory that contains the downloaded CRL file, and use the certutil -dump command to decode it into readable text.
In this case, I typed:
certutil -dump gdig2s1-119.crl > crldump.txt
Step 4. Open the result file "crldump.txt" and search for the SN you noted in Step 1.
You may run into the situation I had, where the serial number in the certificate dialog starts with "00" but the dump lists it without it. DER encodes the serial number as a signed integer, so a leading 00 byte is added whenever the first byte has its high bit set, and some tools strip that byte when displaying the value. If the search finds nothing, remove the leading "00" from the SN and search again.
For each revoked certificate you will see its serial number and the date/time of revocation (and, where the CA recorded one, a reason code such as "Key Compromise"), along with the CRL's own metadata: the issuer, the date of issuance (This Update), the Next Update date, and the CRL signature. That's pretty much all the information that's in a CRL. Two things to keep in mind: certutil -dump only decodes the file, it does not verify the signature against the issuing CA's certificate, and a CRL whose Next Update is in the past may be missing recent revocations, so fetch a fresh copy before drawing conclusions.
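The four steps above can be scripted so the serial-number comparison does not depend on how a particular tool prints the leading 00 byte. The following is an added example, not code from the original post: a stdlib-only Python script that walks the DER structure of a CRL (CertificateList, TBSCertList, revokedCertificates), collects each revoked serial with its revocation date and optional reason code, and checks a serial pasted straight from the Windows certificate dialog. The CRL it parses is a small sample constructed inline with a minimal DER encoder; it is not the GoDaddy gdig2s1-119.crl, its issuer name and serial numbers are invented, and its signature is a placeholder because the script decodes only and does not verify. To use it on a real download, replace build_sample_crl() with load_crl("gdig2s1-119.crl").

```python
import base64
import datetime

# ---------- tiny DER encoder, used only to build the constructed sample CRL ----------
def der(tag, body):
    """Encode one TLV with a definite length (short or long form)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body

def der_int(value):
    """INTEGER. DER prepends 0x00 when the top bit is set so the value stays
    positive; that byte is the leading '00' the post says to drop."""
    return der(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))

def der_utctime(dt):
    return der(0x17, dt.strftime("%y%m%d%H%M%SZ").encode())

def der_seq(*items):
    return der(0x30, b"".join(items))

OID_SHA256_RSA = der(0x06, bytes.fromhex("2a864886f70d01010b"))  # 1.2.840.113549.1.1.11
OID_CN = der(0x06, bytes.fromhex("550403"))                      # 2.5.4.3 commonName
REASON_CODE_OID = bytes.fromhex("551d15")                        # 2.5.29.21 reasonCode

def build_sample_crl():
    """Constructed sample (hypothetical issuer and serials, placeholder signature)."""
    alg = der_seq(OID_SHA256_RSA, der(0x05, b""))
    issuer = der_seq(der(0x31, der_seq(OID_CN, der(0x0C, b"Example Issuing CA"))))
    this_update = der_utctime(datetime.datetime(2024, 5, 1, 12, 0, 0))
    next_update = der_utctime(datetime.datetime(2024, 5, 8, 12, 0, 0))
    # reasonCode extension: ENUMERATED 1 (keyCompromise) wrapped in an OCTET STRING
    reason = der_seq(der(0x06, REASON_CODE_OID), der(0x04, der(0x0A, b"\x01")))
    revoked = der_seq(
        # high bit set -> the Windows dialog shows this one as '00 e3 a1 ...'
        der_seq(der_int(0xE3A1B2C3D4E5F601),
                der_utctime(datetime.datetime(2024, 4, 30, 9, 15, 0)), der_seq(reason)),
        der_seq(der_int(0x1F2E3D4C5B6A7988),
                der_utctime(datetime.datetime(2024, 4, 28, 17, 45, 0))),
    )
    tbs = der_seq(der_int(1), alg, issuer, this_update, next_update, revoked)  # version v2
    return der_seq(tbs, alg, der(0x03, b"\x00" + b"\xAA" * 32))

# ---------- decoder: the part you would run against a downloaded .crl ----------
def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the TLV starting at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    length = first
    if first >= 0x80:                      # long form: low 7 bits = number of length bytes
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def children(body):
    """Split a constructed value into its (tag, value) elements."""
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        out.append((tag, val))
    return out

def parse_time(tag, val):
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"   # UTCTime / GeneralizedTime
    return datetime.datetime.strptime(val.decode(), fmt)

REASONS = {0: "unspecified", 1: "keyCompromise", 2: "cACompromise", 3: "affiliationChanged",
           4: "superseded", 5: "cessationOfOperation", 6: "certificateHold",
           8: "removeFromCRL", 9: "privilegeWithdrawn", 10: "aACompromise"}

def parse_crl(crl_der):
    """Return {serial_int: (revocation_datetime, reason_or_None)} for a DER CRL."""
    _, cert_list, _ = read_tlv(crl_der, 0)       # CertificateList
    _, tbs, _ = read_tlv(cert_list, 0)           # TBSCertList
    fields = children(tbs)
    if fields[0][0] == 0x02:                     # optional version INTEGER
        fields = fields[1:]
    # fields[0]=signature AlgId, [1]=issuer, [2]=thisUpdate; what follows is optional:
    # nextUpdate (0x17/0x18), revokedCertificates (0x30), crlExtensions [0] (0xA0)
    revoked = {}
    for tag, val in fields[3:]:
        if tag != 0x30:
            continue
        for _, entry in children(val):
            parts = children(entry)
            serial = int.from_bytes(parts[0][1], "big")   # the DER sign byte folds away here
            reason = None
            if len(parts) > 2:                            # crlEntryExtensions present
                for _, ext in children(parts[2][1]):
                    ext_parts = children(ext)
                    if ext_parts[0][1] == REASON_CODE_OID:
                        enum = children(ext_parts[-1][1])[0]   # OCTET STRING wraps ENUMERATED
                        reason = REASONS.get(enum[1][0], "unknown")
            revoked[serial] = (parse_time(*parts[1]), reason)
    return revoked

def load_crl(path):
    """Read a downloaded .crl; CAs usually publish DER, but accept PEM as well."""
    data = open(path, "rb").read()
    if data.lstrip().startswith(b"-----BEGIN"):
        data = base64.b64decode(b"".join(l for l in data.splitlines() if not l.startswith(b"-----")))
    return data

def serial_from_dialog(text):
    """Serial as copied from the dialog ('00 e3 a1 ...', 'E3:A1:...'); comparing as an
    integer makes the presence or absence of the leading 00 irrelevant."""
    return int("".join(c for c in text if c in "0123456789abcdefABCDEF"), 16)

def is_revoked(crl_der, serial_text):
    return serial_from_dialog(serial_text) in parse_crl(crl_der)

if __name__ == "__main__":
    crl = build_sample_crl()
    for serial, (when, reason) in parse_crl(crl).items():
        print(f"{serial:x}  revoked {when:%Y-%m-%d %H:%M:%S}  reason={reason}")
    print(is_revoked(crl, "00 e3 a1 b2 c3 d4 e5 f6 01"))   # True: the 00 is only the sign byte
```

The decoder deliberately positions on tags rather than fixed indexes after thisUpdate, because nextUpdate, revokedCertificates and crlExtensions are all optional in RFC 5280 and real CRLs omit some of them. As with certutil -dump, nothing here checks the CRL signature; treat the answer as trustworthy only after verifying the file against the issuing CA's certificate and confirming Next Update has not passed.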