When does a Windows client notice that a certificate is revoked?
Solution 1:
Windows clients extensively use revocation checking (for both CRL and OCSP). Once the CRL for a specified issuer or the OCSP response for a specified certificate is retrieved, it is cached and no new queries are sent until the cached information expires.
For CRLs, they are cached up to the NextUpdate value in the CRL. For OCSP responses it is similar: up to the nextUpdate value in the SingleResponse structure, which is often set to the NextUpdate field of the referenced CRL.
The Windows client's CRL handling includes some advanced features, like polling. Periodically, the Windows client polls the CDP URL to check if new revocation information is available (through the ETag) and prefetches it if newer information is available.
Certificate revocation is not and never was an immediate action; it takes some reasonable time to get updated on clients.
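The timing described in the answer, as an added illustration that is not part of the original post: a client caches a CRL until its NextUpdate and only notices a newly published revocation when the cache expires, or earlier if an ETag poll fetches the newer CRL. The CDP and Client classes, the ETag values and the timestamps are constructed stand-ins, not Windows APIs.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass
class CRL:
    this_update: datetime
    next_update: datetime
    etag: str                        # constructed ETag the CDP would serve
    revoked_serials: set = field(default_factory=set)


class CDP:
    """Stand-in for a CRL distribution point (constructed, not a real server)."""
    def __init__(self, crl): self.current = crl
    def publish(self, crl): self.current = crl
    def fetch(self, if_none_match=None):
        # Conditional GET: nothing new when the client's ETag is still current
        return None if if_none_match == self.current.etag else self.current


class Client:
    def __init__(self, cdp): self.cdp, self.cached = cdp, None
    def status(self, serial, now):
        # Re-query the CDP only when nothing is cached or the CRL has expired
        if self.cached is None or now >= self.cached.next_update:
            self.cached = self.cdp.fetch()
        return "revoked" if serial in self.cached.revoked_serials else "good"
    def poll(self):
        # Background poll: prefetch a newer CRL if the CDP's ETag changed
        newer = self.cdp.fetch(self.cached.etag if self.cached else None)
        if newer is not None:
            self.cached = newer
        return newer is not None


def simulate(use_polling):
    """Status of one serial at three moments; constructed times and serial."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    cdp = CDP(CRL(t0, t0 + timedelta(days=1), "v1"))
    client, serial = Client(cdp), 0x1234
    results = [client.status(serial, t0)]             # fresh CRL cached -> good
    # CA revokes the certificate and publishes a new CRL one hour later
    cdp.publish(CRL(t0 + timedelta(hours=1), t0 + timedelta(days=1, hours=1),
                    "v2", {serial}))
    if use_polling:
        client.poll()                                  # ETag differs -> prefetch
    results.append(client.status(serial, t0 + timedelta(hours=2)))
    results.append(client.status(serial, t0 + timedelta(days=1)))  # cache expired
    return results
```

Without polling the client reports "good" for a full day after revocation; with polling it picks up the new CRL at the next poll.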