Check for Revoked Certificates

A certificate authority (CA) issues digital certificates based on the X.509 standard. These certificates are used to apply signatures and to do recipient-based encryption.

Periodically, CAs publish lists of certificates that have been revoked for one reason or another. For example, an employer might request revocation of a certificate for an employee who has left the company. Or revocation might be requested for a certificate that has been lost or stolen with its private key.

A revoked certificate is considered invalid, but nothing technically prevents an invalid certificate from being used; it is up to the software that receives it to check.

A CA's list of revoked certificates is called a certificate revocation list (CRL). It is a file that contains the serial numbers of the certificates that have been revoked and the dates on which they were revoked. The CRL is signed by the issuing CA.

Smartcrypt can check whether a certificate, either one you have received in order to validate a ZIP archive or one you propose to use for digital signing, encryption, or authentication, appears in a CRL accessible to Smartcrypt. If it does, Smartcrypt displays a warning in the Log.

Note: CAs periodically update their CRLs. Checking a CRL and receiving no warning only guarantees that the certificate you checked is not on that copy of the CRL. The certificate could still have been revoked after your copy of the list was published.

To have Smartcrypt refuse to use a revoked (or otherwise invalid) certificate, turn on strict checking (in Security options on the ZIP page). Otherwise, Smartcrypt merely warns if a certificate is revoked and uses it anyway.
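The following is an added illustration, not Smartcrypt's own code, of the check a static CRL supports, written in Go with only the standard library: verify the CA's signature on the list, refuse a list that is past its NextUpdate (the caveat in the note above), then look the serial number up. The CA, the CRL, the function names `IsRevoked`, `BuildFixture` and `must`, and serial 1234 are all constructed for this example.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)
// IsRevoked checks a certificate serial against a DER-encoded static CRL, trusting the list only if the CA's signature verifies and it is not past NextUpdate.
func IsRevoked(crlDER []byte, ca *x509.Certificate, serial *big.Int) (bool, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return false, err
	}
	if err := crl.CheckSignatureFrom(ca); err != nil {
		return false, err // a list the CA did not sign proves nothing
	}
	if time.Now().After(crl.NextUpdate) {
		return false, errors.New("CRL is stale: later revocations are unknown, download a newer one")
	}
	for _, e := range crl.RevokedCertificateEntries {
		if e.SerialNumber.Cmp(serial) == 0 {
			return true, nil // e.RevocationTime and e.ReasonCode say when and why
		}
	}
	return false, nil // absent from this copy of the list, which is not proof the certificate is valid
}
// must panics on error; acceptable only for building the demo fixture below.
func must[T any](v T, err error) T {
	if err != nil { panic(err) }
	return v
}
// BuildFixture constructs a throwaway CA and a CRL it signs that revokes serial 1234 (reason code 1, keyCompromise). Constructed demo data, not a real trust anchor.
func BuildFixture() (*x509.Certificate, []byte) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed demo CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), BasicConstraintsValid: true, IsCA: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, // CRLSign is mandatory for a CRL issuer
	}
	// Parse the DER back: the parsed CA carries the SubjectKeyId that CreateRevocationList requires.
	ca := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &key.PublicKey, key))))
	crlTmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(24 * time.Hour),
		RevokedCertificateEntries: []x509.RevocationListEntry{{SerialNumber: big.NewInt(1234), RevocationTime: now, ReasonCode: 1}}}
	return ca, must(x509.CreateRevocationList(rand.Reader, crlTmpl, ca, key))
}
```

Requires Go 1.21 or later for `RevokedCertificateEntries`; a CRL presented with the wrong CA, or with tampered bytes, is rejected before any serial is compared.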

Obtaining a CRL

Certificate authorities commonly make CRLs available for download on their Web sites. A CA is apt to provide different CRLs for different series or types of certificates, so you must find the CRL that covers the type of certificate you want to check.

For Smartcrypt to access a CRL, the CRL must be downloaded and imported into a certificate store that Smartcrypt checks for certificates. Such a downloaded and imported CRL is called a static CRL to distinguish it from a dynamic CRL that may be published on the Web. Smartcrypt does not access CRLs published on the Web.

In Windows, you can import a CRL by double-clicking the downloaded file.

Checking for revoked certificates online

When you check the Perform online revocation checks box on the Security General Options page, Smartcrypt uses the Online Certificate Status Protocol (OCSP) to attempt to discover whether the certificate you are using has been revoked. This protocol will search known certificate revocation lists on the Internet.

Be aware that:

  • As OCSP is a relatively new protocol, only certificates issued recently will match the search criteria.

  • Online certificate searches can take some time. Your network may time out before you receive results.