
Git on Windows with CAs without CRL (mostly PKI)

If you're working with git and using certificates without revocation lists on Windows, this article shows how you can disable SSL revocation checks on the git client.

Daniel Nachtrub

Probably most devs are running source control on git repositories today. Git has proven to be solid and to scale even on the largest repos.

Depending on your environment and security requirements/preferences, you might be running the origin of your git repo on a private endpoint that uses certificates signed by a CA that doesn't provide a CRL. Probably every public CA out there provides revocation lists, so this mostly affects private PKI setups where no CRL endpoint is available to publish revocation lists.

On Windows, git might be using the OpenSSL backend. In this case we switch to Schannel (Microsoft's TLS implementation) and disable the SSL revocation check.

git config --global http.sslbackend schannel
git config --global http.schannelCheckRevoke false
configure git

This effectively disables SSL revocation checks on your git client. Because the setting is written with --global, it applies to every HTTPS remote you talk to, and git will accept a server certificate even if it has been revoked. Set this only if you're aware of the implications of this configuration. The better solution would be to provide CRL endpoints for your PKI and signed certificates, but this is rather a topic for some future blog posts ;-)
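To keep revocation checks on for every other host, the override can be scoped to the private endpoint with git's `http.<url>.*` form and then audited. This is an added example, not part of the original post, written for Git Bash; the host `https://git.example.internal/` and the function names are assumptions.

```shell
#!/bin/sh
# Added example. Assumption: REPO_URL is a placeholder for your private
# Git endpoint whose CA publishes no CRL.
REPO_URL='https://git.example.internal/'

# Remove the global switch and disable revocation checks only for REPO_URL.
# http.<url>.* settings apply only to remotes whose URL matches <url>.
scope_revocation_override() {
    git config --global --unset http.schannelCheckRevoke || true
    git config --global http.sslBackend schannel
    git config --global "http.${REPO_URL}.schannelCheckRevoke" false
}

# Reads the output of
#   git config --show-scope --show-origin --get-regexp 'schannelcheckrevoke$'
# (Git 2.26+; fields: scope <TAB> origin <TAB> "key value") on stdin and
# prints "scope origin" for each entry that disables the check for ALL hosts.
find_unscoped_overrides() {
    awk -F '\t' '
        {
            split($3, kv, " ")
            # An unscoped key has no URL subsection between "http." and the name.
            if (kv[1] == "http.schannelcheckrevoke" &&
                tolower(kv[2]) ~ /^(false|no|off|0)$/)
                print $1, $2
        }'
}

# Constructed sample of that git output (not taken from a real machine).
sample_config_dump() {
    printf 'global\tfile:C:/Users/dev/.gitconfig\thttp.schannelcheckrevoke false\n'
    printf 'global\tfile:C:/Users/dev/.gitconfig\thttp.%s.schannelcheckrevoke false\n' "$REPO_URL"
    printf 'local\tfile:.git/config\thttp.schannelcheckrevoke true\n'
}

# Usage:
#   scope_revocation_override
#   git config --show-scope --show-origin --get-regexp 'schannelcheckrevoke$' \
#       | find_unscoped_overrides
#   git config --get-urlmatch http.schannelCheckRevoke "$REPO_URL"
```

An empty result from `find_unscoped_overrides` means no configuration file turns the check off for all hosts.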

Hope this helps!


Daniel Nachtrub

Kind of likes computers. Linux foundation certified: LFCS / CKA / CKAD / CKS. Microsoft certified: Cybersecurity Architect Expert & Azure Solutions Architect Expert.