Dajbych.net


More frequent updates of the list of untrusted certificates



Certification authorities publish lists of certificates that have been revoked, for example because the private key was compromised. Windows additionally carries its own list of certificates that must not be trusted, and until now that list reached machines only occasionally, as part of a regular Windows Update release. The update KB2677070 changes this: Windows now checks the download location for a new copy of the list every day, so information about a newly distrusted certificate reaches the endpoint within about one day. Because the list is fetched from a dedicated download location rather than through the usual Windows Update endpoints, you have to make sure that the firewall does not block it.

Internet Explorer has supported OCSP since version 7 on Windows Vista; with OCSP the client asks the CA's responder whether an X.509 certificate presented during the SSL or TLS handshake is still valid, instead of waiting for the next CRL. IIS supports the protocol as well. The .NET Framework, however, does not check revocation when it establishes a secure connection unless the application opts in (ServicePointManager.CheckCertificateRevocationList defaults to false), so .NET applications were effectively working with whatever copy of the Certificate Revocation List (CRL) the system had cached, which could be badly out of date.
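As an added example (this is not code from the original post), the following PowerShell, which itself runs on the .NET Framework, shows the default value of the opt-in switch, turns it on for the process, and then rebuilds the server's certificate chain with online revocation checking so that you can see exactly which chain status the check produces. The target host is a placeholder; the script needs outbound HTTPS to it plus access to the CA's CRL or OCSP endpoints, and the chain-status lines are how you tell a revoked certificate apart from a revocation endpoint your firewall is blocking.

```powershell
# Added example, not from the original post: revocation checking in .NET is opt-in.
# Placeholder target; replace it with the server you want to examine.
$target = 'https://www.microsoft.com/'

# 1. The .NET Framework default: HttpWebRequest/WebClient do not check revocation.
"Default CheckCertificateRevocationList: $([System.Net.ServicePointManager]::CheckCertificateRevocationList)"

# 2. Opt in for the whole process. Set it before the first request is created.
[System.Net.ServicePointManager]::CheckCertificateRevocationList = $true

# 3. Make one request so the ServicePoint caches the server certificate. With the opt-in
#    enabled, a revoked certificate (or one whose revocation status cannot be fetched)
#    makes the handshake fail right here instead of silently succeeding.
$req = [System.Net.HttpWebRequest]::Create($target)
$req.Method = 'HEAD'
try {
    $req.GetResponse().Close()
} catch [System.Net.WebException] {
    "Request failed: $($_.Exception.Message)"
    return
}
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($req.ServicePoint.Certificate)

# 4. Rebuild the chain explicitly with online revocation checking for every certificate,
#    which is what the opt-in above makes the TLS layer do during the handshake.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode       = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag       = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
$chain.ChainPolicy.UrlRetrievalTimeout  = [TimeSpan]::FromSeconds(15)
$valid = $chain.Build($cert)

"Subject : $($cert.Subject)"
"Chain OK: $valid"
foreach ($status in $chain.ChainStatus) {
    # RevocationStatusUnknown / OfflineRevocation mean the CRL or OCSP endpoint could not be
    # reached (typically a firewall or proxy problem); Revoked means the certificate itself is bad.
    "  {0}: {1}" -f $status.Status, $status.StatusInformation.Trim()
}
foreach ($element in $chain.ChainElements) {
    "  {0}" -f $element.Certificate.Subject
    foreach ($s in $element.ChainElementStatus) { "      {0}" -f $s.Status }
}
```

Setting CheckCertificateRevocationList is process-wide and must happen before the first connection is opened, because the setting is captured when a ServicePoint is created; flipping it later has no effect on already-established connection pools.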

Windows addresses this centrally: it polls the download location for changes to the list far more often, so every consumer of the system certificate store, .NET applications included, benefits without code changes. For this to work, make sure your firewall lets requests to the following URLs through:

http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
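To confirm that the daily download actually works through your firewall, the following PowerShell, added here and not part of the original post, fetches both files from the URLs above, checks each cab's Authenticode signature, unpacks the disallowed-certificate trust list with the built-in expand and certutil tools, and reads the timestamp of the last successful sync that the updater records in the registry. The registry path and value names are what the automatic updater writes on Windows 7 / Server 2008 R2 and later, but they are not documented on this page, so treat them as something to verify on your build; the scratch directory is an assumption.

```powershell
# Added example, not from the original post: verify the revoked-certificate download path.
$urls = @(
    'http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab',
    'http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab'
)
$work = Join-Path $env:TEMP 'ctl-check'      # assumption: any writable scratch directory
New-Item -ItemType Directory -Force -Path $work | Out-Null

foreach ($u in $urls) {
    $name = Split-Path $u -Leaf
    $file = Join-Path $work $name
    try {
        # A proxy error or a timeout here is the firewall problem the post warns about.
        Invoke-WebRequest -Uri $u -OutFile $file -UseBasicParsing -TimeoutSec 30
    } catch {
        "BLOCKED  $u : $($_.Exception.Message)"
        continue
    }
    # The cabs are Authenticode-signed by Microsoft. The URL is plain http, so the signature
    # is the only thing telling you the list was not altered in transit.
    $sig = Get-AuthenticodeSignature -FilePath $file
    "OK       {0}  signature={1}  signer={2}" -f $name, $sig.Status, $sig.SignerCertificate.Subject
}

# Unpack the disallowed list and dump the CTL so you can see what it contains.
$cab = Join-Path $work 'disallowedcertstl.cab'
if (Test-Path $cab) {
    & expand.exe $cab -F:* $work | Out-Null
    $stl = Join-Path $work 'disallowedcert.stl'
    if (Test-Path $stl) { & certutil.exe -dump $stl | Select-Object -First 40 }
}

# When did the updater itself last succeed? It stores a FILETIME (REG_BINARY) per list.
# Assumption: these value names are the ones the updater writes; check them on your build.
$key = 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate'
foreach ($valueName in 'DisallowedCertLastSyncTime', 'LastSyncTime') {
    $raw = (Get-ItemProperty -Path $key -Name $valueName -ErrorAction SilentlyContinue).$valueName
    if ($raw) {
        $ts = [DateTime]::FromFileTimeUtc([BitConverter]::ToInt64($raw, 0))
        "{0,-28} {1:u}  ({2:N1} days ago)" -f $valueName, $ts, ([DateTime]::UtcNow - $ts).TotalDays
    } else {
        "{0,-28} not present (updater has not run, or the update is not installed)" -f $valueName
    }
}
```

Two caveats worth keeping in mind when you read the output. The download test runs with your user's proxy settings, while the updater runs in the system context, so a proxy that only the logged-on user can use does not help it; a sync timestamp that stays several days old after this script downloads fine is the symptom of that. And a signature status other than Valid on a freshly downloaded cab means something between you and ctldl.windowsupdate.com rewrote the content, which is exactly what the signature on the unencrypted download exists to catch.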

The article was written for TechNet Blog CZ/SK.