How often is CRL refreshed, and how to force it to be

crl ssl-certificate

I have a web service running under IIS 7 that requires an X509 client certificate. I know that the server that it runs on needs access to DigiCert.com in order to be able to get the CRL (Certificate Revocation List).

There is a need to change our proxy so I am attempting to investigate the impact of doing so. I have removed the global proxy settings using the command netsh winhttp proxy refesh, and also deleted the CRL cache using the command certutil -URLcache CRL delete.

However, after doing this, all calls to the web service still succeed. This suggests to me that I am missing something here.

So, if the CRL cache is cleared and the server has no way of refreshing the CRL, why do web service requests not return HTTP 403?

I have been unable to find adequate information from googling nor from my colleagues.

The reason I want it to fail is that I will not be confident that the new proxy settings work until I can see it broken first, if that makes sense.

I would also like to be able to force the CRL to be refreshed in order to ensure that the new proxy settings work.

Best Answer

I might be mistaken, but if the server has no way to check the CRL, there is no way to "revoke" the certificate. So hence it would continue to work. The CRL isn't an "allow" list, but rather a "deny" list.
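One way to see what the revocation check actually returns on the IIS host, as an added example that is not part of the question or the answer: build the chain for the client certificate with an online revocation check and print the chain status. It assumes the certificate to test has been exported to C:\temp\client.cer (a placeholder path).

```powershell
# Added example (not from the question or answer): inspect the revocation check
# result for a client certificate on a Windows host, so you can tell whether the
# CRL was really fetched or the check came back as "unknown".
# Assumes the certificate under test is at C:\temp\client.cer (placeholder path).
param(
    [string]$CertPath = 'C:\temp\client.cer'
)

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertPath)

$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
# Force an online CRL/OCSP lookup for every certificate in the chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
# Short timeout so an unreachable CRL distribution point shows up quickly
$chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(10)

$built = $chain.Build($cert)

"Chain built: $built"
foreach ($status in $chain.ChainStatus) {
    "{0}: {1}" -f $status.Status, $status.StatusInformation.Trim()
}

# How to read the output:
#  - no status entries: the CRL was retrieved and the certificate is not on it
#  - RevocationStatusUnknown / OfflineRevocation: the CRL could not be retrieved,
#    so the certificate is not proven revoked, which is the "deny list" behaviour
#    described in the answer and explains why requests can still succeed
#  - Revoked: the certificate is listed on the CRL
```

Running this once with the CRL distribution point reachable and once with it blocked by the new proxy shows the difference directly; certutil -verify -urlfetch on the same file gives a comparable, more verbose report from the same CryptoAPI chain engine.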
