Revoked certificate shows as valid in the certificate viewer

Tuan Tran 1 Reputation point
2022-06-09T01:27:40.653+00:00

Hi Microsoft Team,

We have a certificate revoked by the CA, but when I open the certificate in Windows, the certificate viewer still shows: "This certificate is OK."
I have used openssl and other tools to check the revocation status; the result is that the certificate has been revoked!
Can you help me understand why the certificate viewer still shows: "This certificate is OK."?
When does the certificate viewer check revocation status?
I have found an article; in the article there is a certificate that has been revoked and the certificate viewer is showing: "This certificate was revoked by its certification authority" https://github.com/bitcoin/bitcoin/issues/21725

3 answers

  1. Limitless Technology 39,496 Reputation points
    2022-06-10T07:38:27.927+00:00

    Hi there,

    This is normal behavior.

    Double-click the certificate and check the Certificate Path tab; this process just checks the AIA path to get the CA certificates until the certification path terminates at a trusted, self-signed certificate. This process does not check the revocation information of the certificate and thus will not show if the certificate is revoked under “Certificate Status”.

    For more information, please refer to the article below:
    http://technet.microsoft.com/en-us/library/cc753833.aspx

    We need to use certutil -verify -urlfetch <Cert_name.cer> to check the real status. According to the certutil output, we can see that the cert has been revoked.


    4 people found this answer helpful.
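
A scripted counterpart to the certutil check in the answer above, added here as an example (not code from the thread or from Microsoft): it builds the chain with .NET's X509Chain with revocation checking set to Online, and separates "revoked" from "revocation status could not be determined". The function name Test-CertRevocation, its parameters and the .cer path are assumptions made for illustration.

```powershell
# Added example. Test-CertRevocation is a hypothetical helper name;
# the file passed to -Path is a placeholder for an exported certificate.
function Test-CertRevocation {
    param(
        [Parameter(Mandatory)][string]$Path,
        [int]$TimeoutSeconds = 15
    )
    $ns    = 'System.Security.Cryptography.X509Certificates'
    $cert  = New-Object "$ns.X509Certificate2" (Resolve-Path $Path).Path
    $chain = New-Object "$ns.X509Chain"
    try {
        # Online permits retrieval of CRL/OCSP data over the network;
        # Offline would use cached revocation data only; NoCheck skips it.
        $chain.ChainPolicy.RevocationMode      = 'Online'
        # Check every certificate in the path except the self-signed root.
        $chain.ChainPolicy.RevocationFlag      = 'ExcludeRoot'
        $chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds($TimeoutSeconds)

        $chainValid = $chain.Build($cert)
        $statuses   = @($chain.ChainStatus | ForEach-Object Status)

        # A failed lookup (CDP/OCSP unreachable) is not the same as "not revoked".
        $verdict = if ($statuses -contains 'Revoked') {
            'Revoked'
        } elseif ($statuses -contains 'RevocationStatusUnknown' -or
                  $statuses -contains 'OfflineRevocation') {
            'Unknown (revocation data could not be retrieved)'
        } else {
            'NotRevoked'
        }

        # Per-certificate detail shows which element of the path carries the flag.
        $elements = foreach ($e in $chain.ChainElements) {
            [pscustomobject]@{
                Subject = $e.Certificate.Subject
                Status  = ($e.ChainElementStatus | ForEach-Object Status) -join ', '
            }
        }
        [pscustomobject]@{
            ChainValid = $chainValid
            Revocation = $verdict
            Elements   = $elements
        }
    } finally {
        $chain.Reset()
    }
}

# Usage (placeholder file name):
# Test-CertRevocation -Path .\Cert_name.cer | Format-List
```

An "Unknown" verdict should be handled as a failed check and investigated (proxy, firewall or an unreachable CDP/OCSP URL), not read as a clean result.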

  2. Aromah Siddiqui 0 Reputation points
    2023-11-15T14:42:25.19+00:00

    Hi, I encountered the same issue: the certificate was revoked by the CA and even the certutil command shows the status as revoked; however, when I checked the site consuming this cert, it showed no error. Can anyone suggest what the actual reason for this issue is? Thanks


  3. Pourya Sadri 0 Reputation points
    2024-06-21T13:22:18.7033333+00:00

    @Tuan Tran

    @Aromah Siddiqui

    Microsoft Management Console (MMC) is not equipped with any tools to download CRLs from CDP or to ask OCSP about the final status of a certificate.

    MMC mostly checks the "expiration date" of a certificate or whether the location of the certificate is in "Trusted Root CAs".

    There are some scripts that Microsoft uses to check the validity of the certificates. Those scripts work while:

    1. auto-enrollment is enabled on the client machines by GPO and
    2. when the auto-enrollment permission is assigned to the users or the computers on the related certificate template

    I would suggest you take advantage of auto-enrollment features for automatic management of certificates.

    Also, note that auto-enrollment works only if the CA is configured properly.

    Hope this is going to be helpful.