How to Examine any Certificate Revocation List in Windows with Certutil



By Mike Danseglio, added August 6, 2013

Lots of different systems and platforms use certificates and Public Key Infrastructure (PKI). Many companies have decided to implement an internal Certification Authority to issue certificates to computers, users, and other Certification Authorities.

As you probably already know, when a certificate is considered untrustworthy it is listed in the issuing CA’s Certificate Revocation List (CRL). This is just a small file located somewhere accessible by URL, and is frequently hosted on Internet-facing web servers. This file is not in plaintext, so just dropping it into Notepad isn’t going to do you much good. But you may well need to examine a CRL to ensure a specific certificate is listed, to get an idea of the trustworthiness of a PKI provider, etc.

Here’s how to display the contents of a Certificate Revocation List in Windows.

Special Note: this technique works with Certificate Revocation Lists from any PKI issuer like VeriSign, GTE, GoDaddy, DigiCert, etc. It can come from a Linux PKI server, a Windows Certification Authority, or a hand-built system. Every CRL uses a standard format that this technique supports.

Steps to displaying a Certificate Revocation List

The steps to display a Certificate Revocation List are the same on any version of Windows since Windows Server 2003. This includes Windows XP, Windows 7, Windows 8, as well as Windows Server 2008 and R2 and Windows Server 2012 and R2. They are:

Obtain the Certificate Revocation List from the CRL Distribution Point (CDP)

This is easier than you think. Open up almost any certificate issued from a CA and look for the CDP field. For example, here’s a VeriSign certificate that chains to a common VeriSign Enhanced Validation root. I’m displaying this by clicking the padlock in Google Chrome, but any browser will do.

[Screenshot 1: the VeriSign certificate as displayed from the padlock in Google Chrome]

On the Details tab, the CRL Distribution Point field should always contain at least one URL that I can access from anywhere I’m expected to trust the certificate.

[Screenshot 2: the CRL Distribution Point field on the Details tab]

So the CDP is on a public web server. I pop that URL into my browser and choose Save Attachment to put the CRL on my local computer.

[Screenshot 3: the downloaded SVRSecureG3.crl file]

Notice the cool icon! I’m sure the little red X is for naughty untrustworthy certificates.

Decode the Certificate Revocation List With Certutil

Now I open a Command Prompt, change to the directory that contains the CRL, and use the certutil -dump command. In this case, I type certutil -dump SVRSecureG3.crl and see the following results:

[Screenshot 4: output of certutil -dump SVRSecureG3.crl]

Boom goes the dynamite! I see the serial number of each revoked certificate and the date of revocation along with appropriate crypto information including the issuer, date of issuance, and CRL signature. That’s pretty much all the information that’s in a CRL.

If you want more Windows PKI articles please be sure to drop me a comment.

Take care!
Mike Danseglio -CISSP / CEH
Interface Technical Training – Technical Director and Instructor


Comments

  1. Rosalind Westbook

    I have done everything you said, but I can’t find the CRL. What do I do, please?

  2. Rosalind Westbook

    I’m so confused, as my computer is doing exactly what you are saying. I know when it started to happen; I reset the clock, but now I have done everything you said to do and I don’t have a CRL. What do I do?

  3. Tina Snyder

    Thank you so much, this helped me troubleshoot an issue I was experiencing!

  4. Jon

    In reply to those who want to search for a specific serial within the CRL. It’s probably easiest to write the output to a .txt file and then use the search function:

    certutil -dump CRLNameHere.crl > crl.txt

  5. Armine Abelyan

    Yes, is there any help to let us know how to check, via certutil command options, the exact serial number of a revoked certificate?

  6. Kristian

    Hi, this is a nice article and I just used the -dump function of certutil. As a result I get about 100 entries of revoked certificates and one serial number of a certificate which has to be checked if it’s in the revocation list. How can I search for a single number or check if it’s in the bunch of revoked certificates?

    Kind regards
    Kristian
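The fields the certutil -dump step in the article lists (issuer, this/next update, signature algorithm, each revoked serial with its revocation date) and the question Armine and Kristian raise above (is one particular serial on the list?) can both be answered by parsing the CRL file directly. The following is an added example, not code from the article or from certutil: a pure-standard-library Python parser for the DER-encoded X.509 CRL structure (RFC 5280), with an is_revoked lookup that accepts a serial in the hex form certutil prints. The sample CRL it parses is constructed inside the block by a small DER encoder (hypothetical issuer "Example Issuing CA", made-up serials, a zero-filled placeholder where the signature would be); to run it on a real list, pass the bytes of a downloaded .crl file to parse_crl instead.

```python
"""Minimal DER parser for X.509 CRLs (RFC 5280) with a revoked-serial lookup (added example)."""
import datetime
OID_NAMES = {"2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.10": "O", "2.5.4.11": "OU"}

def read_tlv(buf, pos=0):
    """Return (tag, content, next_pos) for the DER TLV at pos (single-byte tags only)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(content):
    """Split the body of a SEQUENCE/SET into a list of (tag, content) pairs."""
    out, pos = [], 0
    while pos < len(content):
        tag, val, pos = read_tlv(content, pos)
        out.append((tag, val))
    return out

def decode_oid(b):
    parts, n = [str(b[0] // 40), str(b[0] % 40)], 0
    for byte in b[1:]:                      # base-128 arcs, high bit set = more bytes follow
        n = (n << 7) | (byte & 0x7F)
        if not byte & 0x80:
            parts.append(str(n))
            n = 0
    return ".".join(parts)

def decode_time(tag, b):
    """UTCTime (0x17) is YYMMDDHHMMSSZ, GeneralizedTime (0x18) is YYYYMMDDHHMMSSZ."""
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.datetime.strptime(b.decode("ascii"), fmt)

def decode_name(content):
    """Name ::= SEQUENCE OF SET OF SEQUENCE { type OID, value string }."""
    attrs = []
    for _, rdn in children(content):
        for _, atv in children(rdn):
            (_, oid), (_, val) = children(atv)
            attrs.append(f"{OID_NAMES.get(decode_oid(oid), decode_oid(oid))}={val.decode('utf-8')}")
    return ", ".join(attrs)

def parse_crl(der):
    """Return the fields certutil -dump shows: issuer, dates, algorithm and revoked serials."""
    _, cert_list, _ = read_tlv(der)
    (_, tbs), _, _ = children(cert_list)    # tbsCertList, signatureAlgorithm, signatureValue
    f, i, version, revoked = children(tbs), 0, 1, {}
    if f[0][0] == 0x02:                     # optional version INTEGER (0 = v1, 1 = v2)
        version, i = f[0][1][0] + 1, 1
    sig_oid = decode_oid(children(f[i][1])[0][1]); i += 1
    issuer = decode_name(f[i][1]); i += 1
    this_update = decode_time(*f[i]); i += 1
    next_update = None
    if i < len(f) and f[i][0] in (0x17, 0x18):
        next_update = decode_time(*f[i]); i += 1
    if i < len(f) and f[i][0] == 0x30:      # revokedCertificates; absent on an empty CRL
        for _, entry in children(f[i][1]):
            (_, serial), (t, date), *_ = children(entry)   # crlEntryExtensions ignored
            revoked[int.from_bytes(serial, "big", signed=True)] = decode_time(t, date)
    return {"version": version, "signature_algorithm": sig_oid, "issuer": issuer,
            "this_update": this_update, "next_update": next_update, "revoked": revoked}

def is_revoked(crl, serial):
    """serial: int, or hex as certutil prints it ('1a 2b 3c'); returns the date or None."""
    if isinstance(serial, str):
        serial = int(serial.replace(" ", "").replace(":", ""), 16)
    return crl["revoked"].get(serial)

# ---- constructed sample input: a tiny DER encoder builds an UNSIGNED v2 CRL -------------
def tlv(tag, content):
    n = len(content)
    length = bytes([n]) if n < 0x80 else bytes([0x81, n]) if n < 0x100 else b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + content

def der_int(n):                             # leading 0x00 keeps a high-bit value positive
    return tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))

def encode_oid(s):
    arcs = [int(x) for x in s.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while a := a >> 7:
            chunk.insert(0, (a & 0x7F) | 0x80)
        out += chunk
    return tlv(0x06, bytes(out))

def sample_crl():
    """Constructed CRL for the hypothetical 'Example Issuing CA' with two made-up serials.
    The signature is 256 zero bytes: a placeholder, not a real signature."""
    sha256_rsa = tlv(0x30, encode_oid("1.2.840.113549.1.1.11") + tlv(0x05, b""))
    cn = tlv(0x30, encode_oid("2.5.4.3") + tlv(0x13, b"Example Issuing CA"))
    entry = lambda serial, when: tlv(0x30, der_int(serial) + tlv(0x17, when))
    revoked = tlv(0x30, entry(0x1A2B3C, b"130801120000Z") + entry(0xFF00FF, b"130805083000Z"))
    tbs = tlv(0x30, der_int(1) + sha256_rsa + tlv(0x30, tlv(0x31, cn)) + tlv(0x17, b"130806000000Z")
              + tlv(0x17, b"130813000000Z") + revoked)
    return tlv(0x30, tbs + sha256_rsa + tlv(0x03, b"\x00" * 257))

if __name__ == "__main__":
    crl = parse_crl(sample_crl())           # or parse_crl(open("SVRSecureG3.crl", "rb").read())
    print(crl["issuer"], crl["this_update"], "->", crl["next_update"], crl["revoked"])
    print("serial 1a 2b 3c revoked on:", is_revoked(crl, "1a 2b 3c"))
```

Two caveats for real files. Most CDPs serve DER, which is what this parser reads; if a downloaded .crl opens as base64 text between BEGIN/END X509 CRL lines, strip those lines and base64-decode before calling parse_crl. And the parser reads the list without checking the CRL signature, so it answers "is this serial listed?" for inspection only; a trust decision still requires the signature to be validated against the issuer's certificate, which Windows does itself when it builds and checks a certificate chain.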
