Manage Revocation Data by Using Local CRLs

Applies To: Windows Server 2008 R2

Ideally, certificate revocation data is managed in a central location and immediately made available to all potential users. But this is not always possible in complex network environments.

Organizations that use Online Responders can, however, create a local certificate revocation list (CRL) on the Online Responder to manage revocation data locally during intervals when the Online Responder cannot obtain updated revocation data from a certification authority (CA) or from another Online Responder. When connectivity is restored, replicate the local CRL data back to the CA (that is, revoke the same certificates at the CA so that they appear in the CA CRL), and then remove the local CRL. Until it is removed, the local CRL always takes precedence over the revocation status information supplied by the revocation provider, so it must be maintained as carefully as the CA's own revocation data and removed as soon as the CA CRL contains the same entries.

You must have Manage Online Responder permissions on the server hosting the Online Responder to complete this procedure. For more information about administering a public key infrastructure (PKI), see Implement Role-Based Administration.

To modify certificate data in a local CRL

  1. Open the Online Responder snap-in.

  2. In the console tree, click Revocation Configuration.

    A list of existing revocation configurations appears in the details pane.

  3. Right-click a revocation configuration, and click Local Certificate Revocation List.

  4. In the Local Certificate Revocation List dialog box, select the certificate whose data you want to modify.

  5. Click Update.

  6. Modify the values that you want to change.

  7. Click OK twice to exit the Local Certificate Revocation List dialog box.

Once the CA CRL contains every revocation that you recorded locally, delete all entries from the local CRL so that the Online Responder again answers from the revocation provider's data alone.

You must have Manage Online Responder permissions on the server hosting the Online Responder to complete this procedure. For more information about administering a PKI, see Implement Role-Based Administration.

To delete one or more certificates from a local CRL

  1. Open the Online Responder snap-in.

  2. In the console tree, click Revocation Configuration.

    A list of existing revocation configurations appears in the details pane.

  3. Right-click a revocation configuration, and click Local Certificate Revocation List.

  4. In the Local Certificate Revocation List dialog box, select the certificate or certificates you want to remove from the local CRL.

  5. Click Remove.

  6. Click OK twice to exit the Local Certificate Revocation List dialog box.
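
The following script is an added example, not part of the original page or of the Online Responder product, for checking the precondition of the delete procedure above: that every serial number in a revocation configuration's local CRL is already present in the CA's published CRL. It assumes that the Online Responder exposes its configuration through the CertAdm.OCSPAdmin COM class (IOCSPAdmin, with the local CRL held as an encoded byte array in each configuration's LocalRevocationInformation property), that certutil.exe is available, and that the placeholder CA configuration string "ca01.corp.example.com\Corp Issuing CA 1" is replaced with your own. The output format parsed from certutil -dump (one "Serial Number:" line per CRL entry) is also an assumption to verify on your build.

```powershell
# Added example (not from the original page): confirm that a local CRL has been
# synchronized with the CA CRL before you remove its entries.
# Assumptions to verify against your environment and the Windows SDK:
#   - CertAdm.OCSPAdmin (IOCSPAdmin) exposes the revocation configurations, and
#     LocalRevocationInformation holds the local CRL as a DER-encoded byte array;
#   - certutil.exe is on PATH and $CAConfig is the CA's "host\CA name" string;
#   - run as an account with Manage Online Responder permission on the responder.
param(
    [string]$ResponderName = $env:COMPUTERNAME,
    [string]$CAConfig = "ca01.corp.example.com\Corp Issuing CA 1"   # placeholder
)

function Get-CrlSerials {
    # Parse the "Serial Number:" line that certutil -dump prints for each CRL entry.
    param([string]$CrlPath)
    $dump = & certutil.exe -dump $CrlPath 2>&1
    $serials = foreach ($line in $dump) {
        if ($line -match '^\s*Serial Number:\s*([0-9A-Fa-f]+)\s*$') {
            $Matches[1].ToLower()
        }
    }
    return @($serials)
}

# Fetch the CA's current base CRL so we can compare against it.
$caCrl = Join-Path $env:TEMP 'ca-base.crl'
& certutil.exe -config $CAConfig -getcrl $caCrl | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Could not fetch the CRL from $CAConfig" }
$caSerials = Get-CrlSerials -CrlPath $caCrl

# Read the live Online Responder configuration (assumed COM class, see above).
$admin = New-Object -ComObject CertAdm.OCSPAdmin
$admin.GetConfiguration($ResponderName, $true) | Out-Null

foreach ($cfg in $admin.OCSPCAConfigurationCollection) {
    $local = $cfg.LocalRevocationInformation
    if (-not $local -or $local.Length -eq 0) {
        Write-Output "$($cfg.Identifier): no local CRL"
        continue
    }

    # Write the local CRL to disk so certutil can dump its entries.
    $safeName  = $cfg.Identifier -replace '[^\w\-]', '_'
    $localPath = Join-Path $env:TEMP ("local-{0}.crl" -f $safeName)
    [System.IO.File]::WriteAllBytes($localPath, [byte[]]$local)
    $localSerials = Get-CrlSerials -CrlPath $localPath

    # Any local entry the CA CRL does not yet carry means the data is not
    # synchronized: keep the local CRL until the CA has revoked those certificates.
    $missing = @($localSerials | Where-Object { $caSerials -notcontains $_ })
    if ($missing.Count -eq 0) {
        Write-Output "$($cfg.Identifier): all $($localSerials.Count) local entries are in the CA CRL; safe to remove the local CRL"
    } else {
        Write-Warning "$($cfg.Identifier): $($missing.Count) serial(s) not yet revoked at the CA, keep the local CRL:"
        $missing | ForEach-Object { Write-Warning "  $_" }
    }
}
```

Run the script on the Online Responder after the CA has published a new CRL; only configurations reported as "safe to remove" should have their local CRL entries deleted with the procedure above. Because the comparison is by serial number only, it confirms that the CA knows about each revocation, not that the revocation dates or reason codes match, so review those in the Local Certificate Revocation List dialog box before removing entries if they matter to your relying parties.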

Additional references