Configure CRL and delta CRL overlap period

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

To configure CRL and delta CRL overlap period

  1. Open Command Prompt.

  2. Type:

    certutil -setreg ca\CRLOverlapUnits Value

    certutil -setreg ca\CRLOverlapPeriod Units

    certutil -setreg ca\CRLDeltaOverlapUnits Value

    certutil -setreg ca\DeltaOverlapPeriod Units

  3. Open Certification Authority.

  4. In the console tree, click the name of the certification authority (CA).

    Where?

    • Certification Authority (Computer)/CA name

  5. On the Action menu, point to All Tasks, and click Stop Service to stop the service.

  6. On the Action menu, point to All Tasks, and click Start Service to start the service.

Value and description

certutil
    Specifies the name of the command-line program.

-setreg
    Modifies the registry.

ca\CRLOverlapUnits
    Indicates the registry value that stores the value for the CRL overlap setting.

ca\CRLDeltaOverlapUnits
    Indicates the registry value that stores the value for the delta CRL overlap setting.

Value
    Provides the numerical value to set this option to.

ca\CRLOverlapPeriod
    Indicates the registry value that stores the value for the CRL overlap unit type setting.

ca\DeltaOverlapPeriod
    Indicates the registry value that stores the value for the delta CRL overlap unit type setting.

Units
    Provides the type of units for the overlap period. Valid values are Minutes and Hours.

Caution

  • Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on your computer.

Notes

  • To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.

  • To open a command prompt, click Start, point to All Programs, point to Accessories, and then click Command Prompt.

  • To open Certification Authority, click Start, click Control Panel, double-click Administrative Tools, and then double-click Certification Authority.

  • The maximum value for either the CRL or delta CRL overlap period is 12 hours.

  • The overlap period for CRLs is the amount of time at the end of a published CRL's lifetime that a client can use to obtain a new CRL before the old CRL is considered unusable. The default setting for this value is 10% of the CRL lifetime. Because some environments may require longer periods to replicate a CRL, this setting can be configured manually.

  • When both a base CRL and delta CRL have been recently published, a revoked certificate may appear in both. This is because the newer delta CRL may still point at the older base CRL while the new base CRL is being replicated. Having the certificate appear in both CRLs ensures the revocation information is available.

  • If your environment is not configured to issue delta CRLs, the settings for CRLDeltaOverlapUnits and DeltaOverlapPeriod will have no effect.

  • To view the complete syntax for this command, at a command prompt, type:

    certutil -setreg -?
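
The procedure above as a batch file, added here as an example and not part of the original documentation: it records the current base CRL overlap values, rejects a setting above the 12-hour maximum, applies the new values, restarts the CA service, and reads the values back. The 4-hour setting, the variable names, the output file location, and the use of net stop and net start with the service name certsvc in place of the console's Stop Service and Start Service are assumptions of this example.

```bat
@echo off
rem Added example: set the base CRL overlap period and keep a record of the old values.
rem OVERLAP_UNITS, OVERLAP_PERIOD and BEFORE are names chosen for this example.
setlocal
set "OVERLAP_UNITS=4"
set "OVERLAP_PERIOD=Hours"
set "BEFORE=%TEMP%\crl-overlap-before.txt"

rem The maximum overlap is 12 hours (720 minutes); refuse anything larger.
if /i "%OVERLAP_PERIOD%"=="Hours" if %OVERLAP_UNITS% GTR 12 goto toolarge
if /i "%OVERLAP_PERIOD%"=="Minutes" if %OVERLAP_UNITS% GTR 720 goto toolarge

rem Record the current settings so the change can be reviewed or reverted.
certutil -getreg ca\CRLOverlapUnits > "%BEFORE%"
certutil -getreg ca\CRLOverlapPeriod >> "%BEFORE%"

rem Apply the new overlap value and its unit type.
certutil -setreg ca\CRLOverlapUnits %OVERLAP_UNITS%
if %errorlevel% neq 0 goto failed
certutil -setreg ca\CRLOverlapPeriod %OVERLAP_PERIOD%
if %errorlevel% neq 0 goto failed

rem Stop and start the CA service, as in steps 5 and 6 of the procedure.
net stop certsvc
net start certsvc
if %errorlevel% neq 0 goto failed

rem Read the values back to confirm what the CA now has configured.
certutil -getreg ca\CRLOverlapUnits
certutil -getreg ca\CRLOverlapPeriod
echo Previous values were saved to "%BEFORE%".
exit /b 0

:toolarge
echo Requested overlap exceeds the 12-hour maximum; nothing was changed. 1>&2
exit /b 1

:failed
echo A step failed; compare the current settings with "%BEFORE%". 1>&2
exit /b 1
```

The delta CRL overlap is changed the same way, using the two delta value names from step 2 of the procedure.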

See Also

Concepts

Manually publish the certificate revocation list
Schedule the publication of the delta certificate revocation list
Revoking certificates and publishing CRLs
Start or stop the certification authority service