User can logon after certificate is revoked



The problem I am running into is this:

We have set the user to require a smart card for logon. We
issue a smart card, and later we revoke the certificate.
The user can still log on with the revoked certificate on
the smart card.

Development Environment:
Windows 2000 Domain, latest service packs and updates
2 x DCs
1 Enterprise CA
1 Enterprise Sub-CA
5 workstations XP\2000Pro

CRL publishing is set for 1 hour.

What happens is that the user, even after the new CRL is
published, can still log on using the smart card with a
revoked certificate.

We have even downloaded and manually installed the CRL on
each server\workstation.

Any help is greatly appreciated.

Vishal Agarwal[MSFT]

How long is the CRL valid for?
If the DCs have the old CRL cached, they will use that until the old CRL

Jan 4, 2011
Revocation Verification during SC logon

Bonjour All,

We have set up a 3rd party CA at our end and successfully performed the smart card logon from a hierarchical/sub CA. But when I revoke a certificate and publish the CRL, the client can still do SC logon. I tried to check the status of my certificate via 2 commands:

1) certutil -urlfetch -verify certificate_name.cer

This command shows that certificate is revoked.

2) certutil -url certificate_name.cer

From CDP verification I get "Verified"

But from AIA verification I get "Revoked"

I have tried the command on both Windows Server 2003 & 2008

Kindly help, where is the issue?

Best Regards

Scott Thomas
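
The CRL caching raised in the first reply above, as an added example that is not from any poster in this thread and is not Windows code: a small model of a relying party (such as a DC) that keeps using its cached CRL, showing how long a revoked certificate still passes the check. It assumes the cached CRL is reused until its Next Update time; the class and function names, serial number and start time are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Crl:
    this_update: datetime
    next_update: datetime          # cached copy is trusted until this time
    revoked_serials: frozenset

class CachingValidator:
    """Relying party that only re-fetches once the cached CRL has expired."""
    def __init__(self, fetch):
        self._fetch = fetch        # callable(now) -> most recently published Crl
        self._cached = None

    def is_revoked(self, serial, now):
        if self._cached is None or now >= self._cached.next_update:
            self._cached = self._fetch(now)
        return serial in self._cached.revoked_serials

def acceptance_window(publish_every, crl_validity, revoked_after,
                      step=timedelta(minutes=5)):
    """Time after revocation during which the revoked cert is still accepted."""
    t0 = datetime(2024, 1, 1)      # constructed start time
    serial = 0x1234                # constructed certificate serial
    revoked_at = t0 + revoked_after

    def latest_crl(now):
        n = (now - t0) // publish_every          # index of latest publication
        issued = t0 + n * publish_every
        revoked = frozenset({serial}) if issued >= revoked_at else frozenset()
        return Crl(issued, issued + crl_validity, revoked)

    dc = CachingValidator(latest_crl)
    dc.is_revoked(serial, t0)      # a logon before revocation primes the cache
    now = revoked_at
    while not dc.is_revoked(serial, now):        # repeated logon attempts
        now += step
    return now - revoked_at

if __name__ == "__main__":
    hour = timedelta(hours=1)
    # CRL published hourly and valid for one hour
    print(acceptance_window(hour, hour, timedelta(minutes=10)))
    # CRL published hourly but each CRL valid for eight hours
    print(acceptance_window(hour, 8 * hour, timedelta(minutes=10)))
```

In this model the window is set by the validity of the CRL already in the cache, not by how often a new CRL is published.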
