Making Sure a Certificate Hasn't Been Revoked
Using the URL Retrieval Tool, you can find out whether a certificate's CRL Distribution Points (CDPs) and the Certificate Revocation Lists (CRLs) at those CDPs are valid.
April 24, 2014
Q: How can I make sure a certificate hasn't been revoked? I would also like to know whether the certificate's CRL Distribution Points (CDPs) and the Certificate Revocation Lists (CRLs) at those CDPs are valid.
A: The easiest way to verify certificate revocation information, CDPs, and CRLs is to use the URL Retrieval Tool, which is invoked using the Certutil.exe command-line tool. Certutil.exe is included in Windows OSs and can be used for different certificate management tasks. Here's how to use it:
Put a copy of the certificate you want to check in the file system—specifically, in the root of your user profile folder. (This is the folder that shows up when you open a command prompt.)
Run the following command to open the URL Retrieval Tool:
certutil -URL
In this command, you must replace with the name of the certificate you want to check (in this example, jan.cer). Note that you don't necessarily need an elevated command prompt to run this command.
In the URL Retrieval Tool, which Figure 1 shows, select the CRLs (from CDP) option and click the Retrieve button.
Figure 1: Launching the URL Retrieval Tool
If the certificate is revoked, you'll get a Revoked status message. If the certificate is valid, you'll get a Verified status message. If the test failed, the Status column will specify Failed.
About the Author(s)
You May Also Like