Chapter 7. Working with Certificate Revocation Lists

IN THIS CHAPTER

  • Verifying Certificates Against a CA

  • Building and Maintaining a Certificate Revocation List

  • Managing a Certificate Revocation List

When you receive a certificate from someone or retrieve it from a directory, you can verify its signature by using the Certificate Authority's certificate, and you can verify that the certificate hasn't expired, but how do you verify that the certificate hasn't been revoked? The only thing you can do is go to the CA and check against its list of revoked certificates.

You can go about this task in a couple of ways. The first is to use another COM object that is available for use with Certificate Authorities running Microsoft's Certificate Server. This way, you can check a single certificate to make sure that it is still valid. The second way is to download the Certificate Revocation List (CRL) from the CA, store it in your certificate store, and verify the certificate against the CRL. You will examine this procedure in this chapter.

Prerequisites

Before reading this chapter, you need to make sure that you have a good understanding of the following:

