How Office Performs Certificate Revocation

Microsoft® Office uses some of the security settings set by Microsoft Internet Explorer when it attempts to authenticate certificates of trust prior to use, even if the certificate is already accepted and present on a user's computer. Each time an Office application attempts to run an executable signed with an attached certificate, one of the following events occurs if the Check for publisher's certificate revocation check box is set to checked in the Internet Explorer Advanced settings dialog: either the server maintained by the certificate authority who issued the certificate is checked for a revocation status; or a cached file downloaded from that same certificate authority is examined (dependent on the update cycle of revocation information by the certificate authority). The only exception to this behavior is with a Microsoft ActiveX® control that was already installed if the certificate of trust associated with the control was already accepted and is present in the Trusted Publishers Store.

The Check for publisher's certificate revocation setting of Microsoft Internet Explorer is set to enabled by default during a non-customized installation of Internet Explorer. (In previous versions, certificate revocation was set to install in a disabled state.) Because Office inherits this setting from Internet Explorer, Office will automatically check for certificate revocation when installed. Administrators can turn off certificate revocation, but it is recommended that they keep this feature enabled.

This feature adds a slight amount of time to the handling of executables, because each application attempting to load and run a program with an associated certificate must determine whether a certificate has been listed as revoked. The certificate revocation check process can take even longer if the certificate revocation list is being downloaded for the first time from the certificate authority, or is being updated. However, once this list is cached to the user's local drive, the revocation check is relatively short. This entire process is dependent on access to the Internet.

To check whether certificate revocation is enabled

  1. Start Internet Explorer.
  2. Click Tools, click Internet Options, and then click the Advanced tab.
  3. Under the Security section of the tree view control, set the Check for publisher’s certificate revocation check box to checked.

 Note    If your company has chosen not to allow access to the Internet, or has closed off access to much of the Internet through a proxy server (firewall), it is recommended that you allow access to the various companies that provide certificate revocation checking so users can validate certificates of trust on a regular basis. Check with your network administrator or proxy server administrator for possible options you can explore to allow access to certificate revocation servers available from certificate authorities.


 
 
Applies to:
Deployment Center 2003