How to configure a CRL and OCSP ? and How could It be used for example with Adobe Reader for check certificate status?

[bsjaramillo]

When I create a CA, in the section "validation data" for Default CRL distribution point, I do click in Generate button to generate that url and I do the same for OCSP service default uri. Now, if I put the URL of CRL distribution point in browser, I can download the CRL and watch what certificates have been revoked.

Then, if I sign a document with a valid certificate using Adobe Reader, after, I revoked that certificate (also I update the CRL manually) and after a time, I check the certificate used in the signed document in Adobe Reader but there is not info about if that certificate was revoked.

[primetomas]

Did you also configure to include the URLs in your issued signing certificates? The CDP and AIA must be embedded in certificates for "automatic" validation to work.

When it comes to adobe signing it can be very special. Signing PDFs have the ability to embed CRLs or/and OCSP responses into the signed PDF, which is then used to validate revocation without contacting the validation server.
You can find some information on this for example over at SignServer, in the documentation.

[bsjaramillo]

Yes, in the certificate profile that I use to emit digital certificates I include CRL Distributions Points and Authority Information Access.
I attach a screenshot of that section.

[bsjaramillo]

Ok, I did It, I was able to configure CRL and OCSP to validate certificates in adobe, It was some configuration in adobe too, but now, I have another question about It.

1. When I do click in the signature for view certificate, It request that It needs a secure conection from server
   

2. If I do click to see wath certificate is requesting, It shows default ManagmentCA, Why dont request for CA that I created ?
   

[primetomas]

That's the certificate of the web server right? Not the PDF signing certificate?

[bsjaramillo]

Yes

[primetomas]

I don't know why this is. Perhaps you have a CA Issuer URI with https in the certificate? Just guessing here as there is not enough information. And adobe specifics.