BAT file for updating the list of CRL certificates

16 January 2024 10:58

Under Windows, when the certificate revocation list has become outdated, checking electronic signatures in "CryptoARM 5" may produce a warning that the CRL is not up to date, so I came up with a solution.

Introduction

CRLs, the lists of prematurely revoked electronic digital signature certificates, are maintained by certification authorities.
CRL stands for Certificate Revocation List. A certificate revocation list is a required part of a PKI (public key infrastructure) because an electronic signature key may have to be replaced before its expiry date due to a failure or compromise (for example, loss) or the death of the owner. Revoking the certificate prevents attackers from using the digital signature.

The CRL needs to be updated fairly often; I set the task scheduler to run the update every morning, because only with an up-to-date CRL is the protection against stolen, lost or blocked keys belonging to other people effective.

CRL sources:

  • the reestr-pki.ru registry
  • "Rostelecom": rostelecom.ru and company.rt.ru

The task is to download the file from one of these sites and import it into the "Recalled" certificate group.

Managing certificates through the graphical interface (the "Certificates" snap-in in mmc.exe) is inconvenient because it requires user interaction. The BAT file is run by the task scheduler in the morning.

What you need to run the BAT file:

1) The batch file works on the following operating systems:
  • Windows 7 SP1
  • Windows 10 version 1507 or higher
  • Windows 11
  • Windows Server 2022, Windows Server 2019, Windows Server 2016, and Windows Server 2012 R2.

2) The free GNU Wget for Windows utility installed (version wget-1.11.4-1-setup.exe or another). GNU Wget can be downloaded from SourceForge (GNU Wget for Windows).
3) The command-line program CertMgr.exe from the Windows SDK package. For ease of launching, I copied the CertMgr.exe utility to the folder where the *.BAT batch file is located.

Preparation

I created a folder C:\CRL on my hard drive (the name can be anything, but then the paths in the BAT file must be corrected), placed the batch command file in it, and next to it placed the CertMgr.exe program from the Windows SDK package.

Next to the BAT file there are three text files with the URLs of the certificate revocation lists: list1.txt, list2.txt and list3.txt.

Contents of the text BAT command file for updating the CRL

@echo off
rem Process each URL from list1.txt (use list2.txt or list3.txt for the other sources)
for /f %%G in (list1.txt) DO call :s_subroutine %%G
goto :EOF

:s_subroutine
echo Start: %1
rem Download the CRL to a temporary file
"C:\Program Files (x86)\Wget\bin\wget.exe" %1 --output-document c:\crl\temp.crl
if errorlevel 1 (
  echo Download failed: %1
  goto :cleanup
)
rem Import the downloaded CRL into the CA certificate store
c:\crl\CertMgr.exe /add c:\crl\temp.crl /s CA
echo Finish!
echo:
echo:
:cleanup
if exist c:\crl\temp.crl del c:\crl\temp.crl
goto :EOF

The for loop reads the input file with the list of CRL URLs (list1.txt).
I have three versions of the file: list1.txt, list2.txt and list3.txt.
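The script imports whatever wget saved, including an HTML error page, and nothing checks the validity window (thisUpdate/nextUpdate) that the "CRL is not up to date" warning refers to. As an added example, not part of the original post, here is a small Python checker that reads those two dates from a DER-encoded CRL with a minimal hand-written DER walk; it assumes a constructed sample CRL with a dummy signature (the signature is not verified, only the dates), and a scheduler job could run it on temp.crl before the CertMgr step and skip the import when the result is not "ok".

```python
import datetime as dt

def _read_tlv(buf: bytes, pos: int):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length: next n bytes hold it
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(value: bytes):
    pos, out = 0, []                                   # (tag, value) members of a constructed element
    while pos < len(value):
        tag, val, pos = _read_tlv(value, pos)
        out.append((tag, val))
    return out

def _parse_time(tag: int, raw: bytes) -> dt.datetime:
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"   # UTCTime vs GeneralizedTime
    return dt.datetime.strptime(raw.decode("ascii"), fmt).replace(tzinfo=dt.timezone.utc)

def crl_validity(der: bytes):
    """Return (thisUpdate, nextUpdate) of a DER CertificateList (RFC 5280, section 5.1)."""
    outer_tag, outer, _ = _read_tlv(der, 0)
    if outer_tag != 0x30:
        raise ValueError("not a DER SEQUENCE (an HTML error page is a common cause)")
    fields = _children(_read_tlv(outer, 0)[1])         # members of tbsCertList
    i = (1 if fields[0][0] == 0x02 else 0) + 2         # skip optional version, signature, issuer
    this_update = _parse_time(*fields[i])
    next_update = None
    if i + 1 < len(fields) and fields[i + 1][0] in (0x17, 0x18):
        next_update = _parse_time(*fields[i + 1])
    return this_update, next_update

def crl_status(der: bytes, now=None) -> str:
    """Classify a downloaded file before importing it: ok / expired / not-yet-valid / invalid."""
    try:
        this_update, next_update = crl_validity(der)
    except (ValueError, IndexError, UnicodeDecodeError):
        return "invalid"
    now = now or dt.datetime.now(dt.timezone.utc)
    if now < this_update: return "not-yet-valid"
    if next_update is not None and now >= next_update: return "expired"
    return "ok"

# Constructed sample (not a real CRL from any site above): minimal v2 CRL, empty issuer, dummy
# signature, valid 2024-01-16 07:58 UTC to 2024-01-17 07:58 UTC. The signature is not verified.
def _tlv(tag: int, content: bytes) -> bytes: return bytes([tag, len(content)]) + content  # short-form lengths only
_ALG = _tlv(0x30, _tlv(0x06, bytes.fromhex("2a864886f70d01010b")))   # sha256WithRSAEncryption OID
SAMPLE_CRL = _tlv(0x30, _tlv(0x30, _tlv(0x02, b"\x01") + _ALG + _tlv(0x30, b"") + _tlv(0x17, b"240116075800Z")
                              + _tlv(0x17, b"240117075800Z")) + _ALG + _tlv(0x03, b"\x00"))
```

Real CRLs from the sites listed here carry GOST signatures and a non-empty issuer; the date walk is the same, and CertMgr, not this script, remains responsible for accepting the file into the store.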

Files with the URLs of the certificate revocation lists

Contents of list1.txt:

http://reestr-pki.ru/cdp/guc.crl
http://reestr-pki.ru/cdp/guc_gost12.crl
http://reestr-pki.ru/cdp/vguc1_3.crl
http://reestr-pki.ru/cdp/vguc1_4.crl
http://reestr-pki.ru/cdp/vguc1_5.crl

Contents of list2.txt:

http://rostelecom.ru/cdp/guc.crl
http://rostelecom.ru/cdp/guc_gost12.crl
http://rostelecom.ru/cdp/vguc1_3.crl
http://rostelecom.ru/cdp/vguc1_4.crl
http://rostelecom.ru/cdp/vguc1_5.crl

Contents of list3.txt:

http://company.rt.ru/cdp/guc.crl
http://company.rt.ru/cdp/guc_gost12.crl
http://company.rt.ru/cdp/vguc1_3.crl
http://company.rt.ru/cdp/vguc1_4.crl
http://company.rt.ru/cdp/vguc1_5.crl

Where can I get CertMgr.exe?

Certificate Manager is installed with the Windows 10 SDK package.

In Windows 10 the executable file is located at the path
%ProgramFiles(x86)%\Windows Kits\10\bin\10.0.version_SDK.0\arm64\certmgr.exe.

SDK download pages:

  1. Windows SDK download page
  2. Windows SDK (10.0.22621) for Windows 11, version 22H2

CertMgr Documentation

Certmgr.exe (Certificate Manager Tool)


