How does certutil determine that a certificate has been revoked?


I am testing whether I can correctly determine that an x509 certificate has been revoked. I am taking the certificate from https://revoked.badssl.com and verifying it with certutil. When my system is online, it appears to pull the CRL and determine that the certificate has been revoked. I see an entry for it in certutil -urlcache.

Here is the output of certutil -verify [revoked_cert.cer] while online:

ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwErrorStatus = CERT_TRUST_IS_REVOKED (0x4)

SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwErrorStatus = CERT_TRUST_IS_REVOKED (0x4)

....
Full chain:
  Chain: f3abff8a2fe49d17c13f351a4bfc8d10d86d5f59
  Issuer: CN=DigiCert SHA2 Secure Server CA, O=DigiCert Inc, C=US
  NotBefore: 9/1/2016 7:00 PM
  NotAfter: 9/11/2019 7:00 AM
  Subject: CN=revoked.badssl.com, O=Lucas Garron, L=Walnut Creek, S=California, C=US
  Serial: 01af1efbdd5eae0952320b24fe6b5568
  SubjectAltName: DNS Name=revoked.badssl.com
  Cert: 3e8ab453b8cf62f0bd0240739aab815a170b08f0
The certificate is revoked. 0x80092010 (-2146885616 CRYPT_E_REVOKED)
------------------------------------
Certificate is REVOKED
Cert is an End Entity certificate
Leaf certificate is REVOKED (Reason=0)

If I clear the cache with certutil -urlcache * delete and take the system offline, certutil still shows the certificate as revoked. Here is the output while offline:

ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
ChainContext.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
ChainContext.dwErrorStatus = CERT_TRUST_IS_PARTIAL_CHAIN (0x10000)
SimpleChain.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
SimpleChain.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
SimpleChain.dwErrorStatus = CERT_TRUST_IS_PARTIAL_CHAIN (0x10000)

...
Exclude leaf cert:
  Chain: da39a3ee5e6b4b0d3255bfef95601890afd80709
Full chain:
  Chain: 3e8ab453b8cf62f0bd0240739aab815a170b08f0
Missing Issuer: CN=DigiCert SHA2 Secure Server CA, O=DigiCert Inc, C=US
  Issuer: CN=DigiCert SHA2 Secure Server CA, O=DigiCert Inc, C=US
  NotBefore: 9/1/2016 7:00 PM
  NotAfter: 9/11/2019 7:00 AM
  Subject: CN=revoked.badssl.com, O=Lucas Garron, L=Walnut Creek, S=California, C=US
  Serial: 01af1efbdd5eae0952320b24fe6b5568
  SubjectAltName: DNS Name=revoked.badssl.com
  Cert: 3e8ab453b8cf62f0bd0240739aab815a170b08f0
A certificate chain could not be built to a trusted root authority. 0x800b010a (-2146762486 CERT_E_CHAINING)
------------------------------------
Incomplete certificate chain
Cannot find certificate:
    CN=DigiCert SHA2 Secure Server CA, O=DigiCert Inc, C=US
Cert is an End Entity certificate
Leaf certificate is REVOKED (Reason=0)
CertUtil: -verify command completed successfully.

So although it cannot retrieve the root CA while I am offline, it still somehow knows that the certificate has been revoked.

If the CRL cache has been cleared, how can Windows believe this is true? Where is it getting this information from?
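An added example, not from the original post, that performs the same check from PowerShell through .NET's X509Chain (which on Windows is built on the same CryptoAPI chain engine certutil uses). Making the revocation mode explicit lets you tell a definite "revoked" apart from "could not determine", which is what the offline output above is really reporting through CERT_TRUST_REVOCATION_STATUS_UNKNOWN and CERT_TRUST_IS_OFFLINE_REVOCATION. The file path and the 15-second retrieval timeout are assumptions.

```powershell
# Added example, not from the original post. Builds a chain for a certificate
# file with an explicit revocation mode and returns the X509ChainStatus flags,
# which on Windows are the same CERT_TRUST_* values certutil -verify prints
# (Revoked, RevocationStatusUnknown, OfflineRevocation, PartialChain, ...).
function Get-CertRevocationStatus {
    [CmdletBinding()]
    param(
        # Path to the certificate to check, e.g. the revoked_cert.cer from the post
        [Parameter(Mandatory)]
        [string] $Path,

        # Online  = fetch CRL/OCSP from the network if it is not already cached
        # Offline = consult only already-cached CRL/OCSP data
        # NoCheck = skip revocation checking entirely (control case)
        [System.Security.Cryptography.X509Certificates.X509RevocationMode] $Mode = 'Online'
    )

    $Flag  = [System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]
    $cert  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($Path)
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    try {
        $chain.ChainPolicy.RevocationMode = $Mode
        # ExcludeRoot corresponds to the CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT
        # flag visible at the top of the certutil output in the question.
        $chain.ChainPolicy.RevocationFlag = 'ExcludeRoot'
        $chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(15)  # assumed value

        $built = $chain.Build($cert)

        # Collect every status flag reported for the whole chain
        $flags = @($chain.ChainStatus | ForEach-Object { $_.Status })

        $revoked = $flags -contains $Flag::Revoked
        $unknown = ($flags -contains $Flag::RevocationStatusUnknown) -or
                   ($flags -contains $Flag::OfflineRevocation)
        $partial = $flags -contains $Flag::PartialChain

        # A relying party should accept only a definite "not revoked" answer;
        # "unknown" (e.g. offline with no usable cached CRL) is not "good".
        $verdict = if ($revoked)     { 'REVOKED' }
                   elseif ($unknown) { 'UNKNOWN (fail closed)' }
                   elseif ($built)   { 'GOOD' }
                   else              { 'CHAIN ERROR' }

        [pscustomobject]@{
            Subject           = $cert.Subject
            Serial            = $cert.SerialNumber
            Thumbprint        = $cert.Thumbprint
            Mode              = $Mode
            ChainBuilt        = $built
            Revoked           = $revoked
            RevocationUnknown = $unknown
            PartialChain      = $partial
            Verdict           = $verdict
            Flags             = (($flags | Sort-Object -Unique) -join ', ')
        }
    }
    finally {
        $chain.Dispose()
        $cert.Dispose()
    }
}

# Example usage (constructed path): compare the three modes side by side
# 'Online', 'Offline', 'NoCheck' | ForEach-Object {
#     Get-CertRevocationStatus -Path .\revoked_cert.cer -Mode $_
# } | Format-Table Mode, ChainBuilt, Revoked, RevocationUnknown, PartialChain, Verdict
```

Running the function in Offline mode immediately after certutil -urlcache * delete, and again after an Online run, shows whether the "revoked" verdict depends on cached CRL data or on something the chain engine already has locally. certutil -urlcache CRL lists the CRL entries currently in the URL cache, which is useful to compare before and after each run. The design point is the Verdict column: a result of RevocationStatusUnknown or OfflineRevocation must be handled as a failure by any code that relies on revocation, not silently treated as "not revoked".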
