Windows Dev Center

Revoking a Certificate

[The AD RMS SDK leveraging functionality exposed by the client in Msdrm.dll is available for use in Windows Server 2008, Windows Vista, Windows Server 2008 R2, Windows 7, Windows Server 2012, and Windows 8. It may be altered or unavailable in subsequent versions. Instead, use Active Directory Rights Management Services SDK 2.1, which leverages functionality exposed by the client in Msipc.dll.]

If a principal in an Active Directory Rights Management Services (AD RMS) system is compromised, you can use revocation to invalidate all associated licenses and certificates. Call the DRMSetRevocationPoint function to specify that the principal must obtain a revocation list at a scheduled interval. This function specifies a URL where the revocation list is posted and a refresh frequency that specifies how often the list must be updated. The URL is known as the revocation point. The revocation list contains all group identities, end-user licenses, or other principals that have been revoked and therefore cannot publish or consume content. The following table lists the criteria by which each type of license and certificate can be revoked.

License/Certificate: Revocation criteria

Server licensor certificate: Revoke by license ID, license hash, issuer ID, and issuer key.
End-user licenses: Revoke by principal ID, principal key, license ID, license hash, issuer ID, issuer key, or content ID.
Client licensor certificates: Revoke by principal ID, license ID, license hash, issuer ID, issuer key, or content ID.
Rights account certificates: Revoke by principal ID, principal key, federated principal ID, federated principal key, license ID, license hash, issuer ID, or issuer key.
Machine certificates: Revoke by principal ID, principal key, license ID, license hash, issuer ID, or issuer key.
Manifests: Revoke by license ID, license hash, issuer ID, or issuer key.


Every issued AD RMS certificate and license consists of a certificate chain that leads back to a Microsoft root of trust, and each item in the chain can require a separate revocation list and identify a unique revocation point. The final license in the chain, therefore, could require multiple lists. For more information, see the following topics:
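
The chain walk described above, as an added example that is not part of this page or of the AD RMS SDK: it models in Python what the Msdrm.dll client does internally after DRMSetRevocationPoint is called. Each chain item may carry its own revocation point and refresh frequency, the list fetched from that point must be no older than the refresh interval, and an item is revoked only when a list entry names it by a field that the table above allows for its type. The type names, field names, URL and key values are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
# Fields that may name each license/certificate type on a revocation list (from the table above).
_COMMON = {"license_id", "license_hash", "issuer_id", "issuer_key"}
CRITERIA = {
    "SLC": _COMMON,
    "Manifest": _COMMON,
    "EUL": _COMMON | {"principal_id", "principal_key", "content_id"},
    "CLC": _COMMON | {"principal_id", "content_id"},
    "RAC": _COMMON | {"principal_id", "principal_key",
                      "federated_principal_id", "federated_principal_key"},
    "MC": _COMMON | {"principal_id", "principal_key"},
}

@dataclass
class ChainItem:
    kind: str                   # key into CRITERIA
    attrs: dict                 # identifying fields, e.g. {"license_id": ..., "issuer_key": ...}
    revocation_point: str = ""  # URL registered for this item; "" means no list required
    refresh: timedelta = timedelta(days=1)   # how often the list must be re-fetched

@dataclass
class RevocationList:
    fetched_at: datetime
    entries: set                # {(field, value), ...} as published at the revocation point

def is_revoked(item, rl):
    """True if any list entry names this item by a field valid for its type."""
    return any(f in CRITERIA[item.kind] and item.attrs.get(f) == v
               for f, v in rl.entries)

def evaluate_chain(chain, lists, now):
    """Walk the chain; every registered revocation point needs a list fetched
    within its refresh interval, and no entry on it may match the item."""
    for item in chain:
        if not item.revocation_point:
            continue
        rl = lists.get(item.revocation_point)
        if rl is None or now - rl.fetched_at > item.refresh:
            return False, f"{item.kind}: no fresh list from {item.revocation_point}"
        if is_revoked(item, rl):
            return False, f"{item.kind} {item.attrs.get('license_id')}: revoked"
    return True, "chain valid"

def demo(now=datetime(2015, 6, 1, 12)):
    """Constructed sample: a compromised principal key is published at the RAC's point."""
    rp = "https://rms.example/revocation/rac"   # constructed revocation point URL
    rac = ChainItem("RAC", {"license_id": "rac-1", "principal_key": "PK-ALICE"}, rp)
    eul = ChainItem("EUL", {"license_id": "eul-7", "principal_key": "PK-ALICE"}, rp)
    lists = {rp: RevocationList(now - timedelta(hours=1), {("principal_key", "PK-ALICE")})}
    return evaluate_chain([eul, rac], lists, now)
```

Because the end-user license shares the revoked principal key, demo() rejects the chain at the EUL before the RAC is even examined, which is the effect the first paragraph describes: revoking the principal invalidates everything issued to it.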

Related topics

Using the AD RMS SDK

© 2015 Microsoft