Establishing a CRL Publication Schedule

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

CAs publish, on an established schedule, CRLs that list the serial numbers of certificates that have been revoked. How often you publish depends on how many revocations occur in a given period of time and on how critical it is to your organization that relying parties see up-to-date revocation information.

As you create your CRL policies, specify a publication schedule for each CRL. By default, enterprise CAs publish CRLs weekly to Active Directory, and both stand-alone and enterprise CAs publish CRLs weekly to a directory on the CA server. You can change these defaults: for example, you can specify that certain CRLs are distributed to Web pages as well as to Active Directory, and that certain CRLs are published daily instead of weekly.

If you use delta CRLs, a typical publication schedule might look like this:

  • Publish base CRLs every week.

  • Publish delta CRLs every day.

The CRL schedule for the certificates of your issuing CA must account for potential network and server downtime. In addition, it must account for latency in Active Directory replication: a newly published CRL is not visible to every client until it has replicated to the domain controller that client queries. For these reasons, each CRL must remain valid for longer than the maximum replication latency (plus any downtime you expect) after its successor is published; otherwise clients that cannot yet see the new CRL are left holding an expired one and cannot determine revocation status.

Make sure that your publication schedule is shorter than the validity period of the CRL. With a validity period of one week, your CRL will be up-to-date for most purposes. If you require an additional buffer to protect against interruptions in communications, you can publish the CRL every two days, so that a fresh CRL is available well before the previous one expires.
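The following script is an added example, not part of the original page and not a Microsoft procedure. It configures the weekly-base / daily-delta schedule listed above on a Windows Server 2003 CA and sets an explicit overlap so that each CRL outlives the replication latency and downtime budget discussed in the previous two paragraphs. It assumes the script runs locally on the CA as a CA administrator, that the CA publishes CRL files to the default CertEnroll directory, and that the four-hour latency and twenty-hour downtime figures are placeholders for your own measured values; the `certutil -setreg` value names (`CRLPeriod`, `CRLOverlapPeriod`, and their delta counterparts) are the CA's standard registry settings.

```powershell
# Added example (not from the original page): weekly base CRL, daily delta CRL,
# with an overlap covering AD replication latency plus an outage budget.
# Assumptions (not stated on the page): local CA, CA-administrator rights,
# default CertEnroll publication directory, and the latency/downtime values below.

$ReplicationLatencyHours = 4    # assumed worst-case AD replication latency
$DowntimeBufferHours     = 20   # assumed budget for CA or network outage
# Rule applied here: a CRL must still be valid when its successor is reachable,
# so overlap >= replication latency + expected downtime.
$OverlapHours = $ReplicationLatencyHours + $DowntimeBufferHours   # 24 hours

# Base CRL: published every week. NextUpdate = ThisUpdate + period + overlap.
certutil -setreg CA\CRLPeriodUnits 1
certutil -setreg CA\CRLPeriod "Weeks"
certutil -setreg CA\CRLOverlapUnits $OverlapHours
certutil -setreg CA\CRLOverlapPeriod "Hours"

# Delta CRL: published daily, with an overlap covering replication latency only.
certutil -setreg CA\CRLDeltaPeriodUnits 1
certutil -setreg CA\CRLDeltaPeriod "Days"
certutil -setreg CA\CRLDeltaOverlapUnits $ReplicationLatencyHours
certutil -setreg CA\CRLDeltaOverlapPeriod "Hours"

# Registry changes take effect only after Certificate Services restarts.
net stop certsvc
net start certsvc

# Publish a fresh base and delta CRL now instead of waiting for the schedule.
# The CA publishes a CRL for every CA key it holds; it cannot publish for one.
certutil -CRL

# Read back the schedule the CA actually applied.
certutil -getreg CA\CRLPeriodUnits
certutil -getreg CA\CRLPeriod
certutil -getreg CA\CRLDeltaPeriodUnits
certutil -getreg CA\CRLDeltaPeriod
certutil -getreg CA\CRLOverlapUnits
certutil -getreg CA\CRLOverlapPeriod

# Inspect each published CRL and confirm that NextUpdate minus ThisUpdate equals
# publication period plus overlap. After a renewal with a new key pair a second
# file (typically "<CAName>(1).crl") appears, one CRL per CA key.
$CrlDir = Join-Path $env:SystemRoot "system32\CertSrv\CertEnroll"
Get-ChildItem -Path $CrlDir -Filter *.crl | ForEach-Object {
    Write-Host "== $($_.Name)"
    # Match the field labels certutil prints (ThisUpdate/NextUpdate) and the
    # MMC-style labels, in case the wording differs across certutil builds.
    certutil -dump $_.FullName |
        Select-String -Pattern "ThisUpdate|NextUpdate|Effective Date|Next Update|CRL Number|Delta CRL"
}
```

Run the script once per CA after deciding on your own latency and downtime figures; the `certutil -getreg` and `certutil -dump` output at the end is the check that the schedule and validity period actually in force match the policy you wrote down.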

Your strategy for renewing CAs also affects your CRL publication strategy. If you reuse the existing key pair when you renew a CA certificate, the existing CRL covers certificates issued under both the old and the new CA certificate. If you renew the CA certificate with a new key pair, the CA must issue one CRL for the certificates issued with the old key pair and another CRL for the certificates issued with the new key pair, because each CRL is signed with the key that issued the certificates it covers. Although a single CA issued both sets of certificates, the older certificates are checked against one CRL and the newer certificates against the other.

Note

  • CRLs are published for all CA keys. You cannot selectively publish a CRL for only one CA key pair.