Internet Explorer and revocation check failure

Internet Explorer normally warns you if the server you visit has any certificate issues.

Some examples:

The certificate has another Subject than the URL you used to access it:

The certificate was issued by a CA that your computer does not trust:

The certificate is not time valid (not yet valid or, more commonly, expired):

Another warning is when the certificate has been revoked by the issuing CA:

That last behaviour is controlled by the following setting, although I do not recommend disabling the revocation check:

If there are multiple issues, all of them are listed:

One thing that IE does not warn you about, however, is when the CRL is unavailable. Note that this does not mean that the certificate is revoked, only that you do not know whether it is.

This means that someone could trick you into trusting a revoked certificate by preventing your access to the CRL (by tricking the client into looking in the wrong place, or by some sort of Denial of Service). Faking the CRL is not feasible, since it is signed with the issuing CA's private key.

This warning actually did exist in earlier versions of Internet Explorer but was removed in version 7. Since the inability to reach the CRL does not necessarily mean that the certificate has been revoked, many users complained that these notifications were mostly "false positives", so the warning was removed from the UI.

If you want to, you can use the FEATURE_WARN_ON_SEC_CERT_REV_FAILED setting to re-enable this warning in IE 7 and higher.

To enable this feature using the registry, add the name of the Internet Explorer executable file as a value under the following key (you might also need to create the key named FEATURE_WARN_ON_SEC_CERT_REV_FAILED):

    Internet Explorer
    iexplore.exe = (DWORD) 00000001

The feature is enabled when the value is set to (DWORD) 00000001 and disabled when the value is (DWORD) 00000000. If you run a 64-bit system you need to make the change here: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WARN_ON_SEC_CERT_REV_FAILED
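The registry change above, done from an elevated PowerShell session and read back to confirm it took effect. This is an added example, not a script from the original post; the non-Wow6432Node path is assumed (the post only gives the Wow6432Node one), and the functions are hypothetical names of my own.

```powershell
# Added example: enable FEATURE_WARN_ON_SEC_CERT_REV_FAILED for iexplore.exe
# and verify it. Requires an elevated session because it writes under HKLM.
#Requires -RunAsAdministrator

$featureName = 'FEATURE_WARN_ON_SEC_CERT_REV_FAILED'
$keyPaths = @(
    # Native path (assumed; not listed in the post)
    "HKLM:\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\$featureName",
    # 32-bit IE on a 64-bit system, the path given in the post
    "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Main\FeatureControl\$featureName"
)

function Set-IeRevocationWarning {
    param(
        [Parameter(Mandatory)][string]$KeyPath,
        [bool]$Enabled = $true
    )
    # The FEATURE_* subkey may not exist yet; create it (and parents) if needed.
    if (-not (Test-Path -Path $KeyPath)) {
        New-Item -Path $KeyPath -Force | Out-Null
    }
    # Value name is the executable; DWORD 1 = warning on, 0 = warning off.
    $value = if ($Enabled) { 1 } else { 0 }
    New-ItemProperty -Path $KeyPath -Name 'iexplore.exe' -PropertyType DWord `
        -Value $value -Force | Out-Null
}

function Test-IeRevocationWarning {
    param([Parameter(Mandatory)][string]$KeyPath)
    $item = Get-ItemProperty -Path $KeyPath -Name 'iexplore.exe' -ErrorAction SilentlyContinue
    # True only when the value exists and is exactly 1
    return ($null -ne $item) -and ($item.'iexplore.exe' -eq 1)
}

foreach ($path in $keyPaths) {
    # Wow6432Node only exists on 64-bit Windows; skip it elsewhere.
    if ($path -like '*Wow6432Node*' -and -not [Environment]::Is64BitOperatingSystem) { continue }
    Set-IeRevocationWarning -KeyPath $path -Enabled $true
    if (Test-IeRevocationWarning -KeyPath $path) {
        Write-Host "Enabled: $path"
    } else {
        Write-Warning "Could not verify setting at: $path"
    }
}
```

Restart Internet Explorer after running it. To check independently whether the client can actually fetch a certificate's CRL and OCSP responder, `certutil -verify -urlfetch <cert.cer>` reports the result of each CDP and AIA fetch.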

The warning does not show a separate page as the other warnings do; instead, the warning is visible in the URL bar.

This is how it looks without the warning:

and here the warning is enabled:

Clicking the warning gives this information:

To simulate these CRL problems, I added the DNS name of the CRL Distribution Point to the hosts file. I also added the OCSP path from the Authority Information Access extension:

I found these names here in the certificate:


That’s it, please comment below if you have any questions and/or opinions!

About Tom Aafloen

IT Security Advisor @ Onevinn
This entry was posted in CA, Certificates, CRL, PKI. Bookmark the permalink.

1 Response to Internet Explorer and revocation check failure

  1. Pingback: Can disabling Delta CRL on a CA cause problems? | Microsoft Security Solutions
