Abstract

Microsoft Windows 2000 and Microsoft Windows XP offer significant features in the areas of X.509 support and PKI, as well as certificate status checking and revocation. This white paper details the basics of certificate status and chain building, and how they work in Windows operating systems, to assist administrators in troubleshooting a PKI implementation.

Definitions

Authority Key Identifier (AKI): By matching the information in a certificate's AKI extension to a CA certificate's Subject Key Identifier (SKI) extension, a certificate chain can be built.

Certificate Revocation List (CRL): A digitally signed list issued by a Certification Authority (CA) that contains a list of certificates issued by the CA that have been revoked.

CRL Distribution Point (CDP): A certificate extension that indicates where the certificate revocation list for a CA can be retrieved. This extension can contain multiple HTTP, FTP, File or LDAP URLs for the retrieval of the CRL.

Online Certificate Status Protocol (OCSP): Typically, the OCSP responder uses CRLs for retrieving certificate status information.

Public Key Infrastructure (PKI): A PKI provides an organization with the ability to securely exchange data over a public network using public key cryptography. A PKI consists of Certification Authorities (CAs) that issue digital certificates, directories that store the certificates (including Active Directory in Windows 2000 and Windows Server 2003), and X.509 certificates that are issued to security entities on the network.

Qualified Subordination: A method of restricting certificate chaining to a designated CA for limited time periods or usages. In a Windows Server 2003 network, qualified subordination is the preferred method for restricting certificate usage between organizations.

Certificate Revocation

Certificates are issued with a planned lifetime and an explicit expiration date. A certificate may be issued for one minute, thirty years or even more. Once issued, a certificate becomes valid when its validity time has been reached, and it is considered valid until its expiration date. However, various circumstances may cause a certificate to become invalid prior to the expiration of the validity period. Such circumstances include change of name, change of association between subject and CA (for example, when an employee terminates employment with an organization), and compromise or suspected compromise of the corresponding private key. Under such circumstances, the CA needs to revoke the certificate.

There are several mechanisms to represent revocation information; RFC 2459 defines one such method. This method involves each CA periodically issuing a signed data structure called a certificate revocation list (CRL). A CA issues a new CRL either on a configured periodic basis (for example, hourly, daily, or weekly) or on an event basis; for example, if an important certificate is deemed compromised, the CA may issue a new CRL to expedite notification of that fact.

When a certificate-aware system uses a certificate (for example, to verify a remote user's digital signature), that system should not only check the certificate signature and time validity, but should also acquire a suitably recent certificate status to ensure that the certificate being presented is not revoked. In the case of CRLs, Microsoft defines as suitably recent a CRL that is not past its next update time. Without checking certificates for revocation, the possibility exists that a security principal will accept credentials that have been revoked by a CA administrator.
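The following Go program is an added example, not code from the white paper or from Windows: using only the standard library, it performs the checks described above on a leaf certificate (AKI matched to the issuer's SKI, CRL signature verified, CRL rejected once past its next update time, leaf serial looked up in the CRL). The CA, the leaf, the serial numbers and the CDP URL are all constructed fixtures.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// CheckRevocation applies the checks from the text: the leaf's AKI must match the issuer's SKI
// (chain building), the CRL must be signed by that issuer, the CRL must be "suitably recent"
// (now is not past its next update time), and the leaf's serial number must not be listed.
func CheckRevocation(leaf, issuer *x509.Certificate, crlDER []byte, now time.Time) error {
	if string(leaf.AuthorityKeyId) != string(issuer.SubjectKeyId) {
		return errors.New("certificate AKI does not match issuer SKI")
	}
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil { return err }
	if err := crl.CheckSignatureFrom(issuer); err != nil { return err }
	if now.After(crl.NextUpdate) {
		return errors.New("CRL is past its next update time; retrieve a fresh one from the CDP")
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 { return errors.New("certificate is revoked") }
	}
	return nil
}

// Fixture constructs a throwaway CA, a leaf it issued (serial 42) and a CRL revoking the given
// serials, valid for 24 hours from now. The names and the CDP URL are made up for this example.
func Fixture(now time.Time, revoked []*big.Int) (leaf, ca *x509.Certificate, crlDER []byte) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	caTpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Root CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign} // SKI is derived from the CA public key
	caDER, _ := x509.CreateCertificate(rand.Reader, caTpl, caTpl, &caKey.PublicKey, caKey)
	ca, _ = x509.ParseCertificate(caDER)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafTpl := &x509.Certificate{SerialNumber: big.NewInt(42), Subject: pkix.Name{CommonName: "alice"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		CRLDistributionPoints: []string{"http://pki.example.invalid/root.crl"}} // AKI is copied from the CA's SKI
	leafDER, _ := x509.CreateCertificate(rand.Reader, leafTpl, ca, &leafKey.PublicKey, caKey)
	leaf, _ = x509.ParseCertificate(leafDER)
	var entries []pkix.RevokedCertificate
	for _, s := range revoked { entries = append(entries, pkix.RevokedCertificate{SerialNumber: s, RevocationTime: now}) }
	crlDER, _ = x509.CreateRevocationList(rand.Reader, &x509.RevocationList{Number: big.NewInt(1),
		ThisUpdate: now, NextUpdate: now.Add(24 * time.Hour), RevokedCertificates: entries}, ca, caKey)
	return leaf, ca, crlDER
}
```

Calling CheckRevocation with a clock 48 hours ahead shows the "suitably recent" rule in action: the same CRL that was acceptable at issue time is refused once its next update time has passed.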