Configure CRL and Delta CRL Overlap Periods

Applies To: Windows Server 2008 R2, Windows Server 2012

You can adjust the relationship between a certificate revocation list (CRL) and delta CRL by configuring an overlap period between the two. This setting is particularly useful when publication of the next base or delta CRL is delayed or the client is unable to obtain a new CRL or delta CRL at the scheduled publication time.

The overlap period for CRLs is the amount of time at the end of a published CRL's lifetime that a client can use to obtain a new CRL before the old CRL is considered unusable. The default setting for this value is 10 percent of the CRL's lifetime. Because some environments may require longer periods to replicate a CRL, this setting can be configured manually.

Note

If no value is set manually, the CRL or delta CRL overlap period will be a maximum of 12 hours. If manually configured, the overlap period cannot exceed the publishing period.

When both a base CRL and delta CRL have been recently published, a revoked certificate may appear in both CRLs. This is because the newer delta CRL may still point to the older base CRL while the new base CRL is being replicated. Having the certificate appear in both CRLs ensures the revocation information is available.

You must be a certification authority (CA) administrator to complete this procedure. For more information, see Implement Role-Based Administration. You must also open the command prompt as an administrator.

To configure a CRL and delta CRL overlap period

  1. At a command prompt, type:

    certutil -setreg ca\CRLOverlapUnits Value
    certutil -setreg ca\CRLOverlapPeriod Units
    certutil -setreg ca\CRLDeltaOverlapUnits Value
    certutil -setreg ca\CRLDeltaOverlapPeriod Units

  2. Open the Certification Authority snap-in.

  3. In the console tree, click the name of the CA.

  4. On the Action menu, point to All Tasks, and click Stop Service to stop the service.

  5. On the Action menu, point to All Tasks, and click Start Service to start the service.

Warning

Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on your computer.
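The procedure above, as an added PowerShell example that is not part of the original article: it checks that the chosen overlap does not exceed the matching publishing period (the rule stated in the note above), applies the same certutil commands, restarts the CA service, and reads the stored values back. It assumes an elevated session on the CA itself; the overlap values are constructed.

```powershell
# Added example (not from the original article): apply a CRL and delta CRL overlap
# period with the certutil calls from the procedure, after checking that neither
# exceeds its publishing period, then restart the CA service and read the result back.
# Assumes an elevated PowerShell session on the CA; the overlap values are constructed.
$CrlOverlapUnits   = 2; $CrlOverlapPeriod   = 'Days'
$DeltaOverlapUnits = 6; $DeltaOverlapPeriod = 'Hours'

# CA settings live under CertSvc\Configuration\<CA name>; the "Active" value names the CA.
$cfg   = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caKey = Join-Path $cfg (Get-ItemProperty -Path $cfg).Active
$ca    = Get-ItemProperty -Path $caKey

function ConvertTo-Hours([int]$Units, [string]$Period) {
    switch ($Period) {
        'Minutes' { return $Units / 60 }
        'Hours'   { return $Units }
        'Days'    { return $Units * 24 }
        'Weeks'   { return $Units * 24 * 7 }
        default   { throw "Unsupported period unit '$Period'" }
    }
}

# Rule from the article: a manually configured overlap cannot exceed the publishing period.
$checks = @(
    @{ Name = 'CRL';       Ov = $CrlOverlapUnits;   OvP = $CrlOverlapPeriod
       Pub = $ca.CRLPeriodUnits;      PubP = $ca.CRLPeriod },
    @{ Name = 'Delta CRL'; Ov = $DeltaOverlapUnits; OvP = $DeltaOverlapPeriod
       Pub = $ca.CRLDeltaPeriodUnits; PubP = $ca.CRLDeltaPeriod }
)
foreach ($c in $checks) {
    if ($c.Pub -eq 0) { Write-Warning "$($c.Name) publishing is disabled; its overlap has no effect"; continue }
    $ov  = ConvertTo-Hours $c.Ov  $c.OvP
    $pub = ConvertTo-Hours $c.Pub $c.PubP
    if ($ov -gt $pub) { throw "$($c.Name) overlap ($ov h) exceeds its publishing period ($pub h)" }
}

# Step 1 of the procedure.
certutil -setreg ca\CRLOverlapUnits       $CrlOverlapUnits
certutil -setreg ca\CRLOverlapPeriod      $CrlOverlapPeriod
certutil -setreg ca\CRLDeltaOverlapUnits  $DeltaOverlapUnits
certutil -setreg ca\CRLDeltaOverlapPeriod $DeltaOverlapPeriod

# Steps 4 and 5: stop and start Active Directory Certificate Services so the values take effect.
Restart-Service -Name CertSvc

# Confirm what the CA now stores for the overlap settings.
Get-ItemProperty -Path $caKey |
    Select-Object CRLOverlapUnits, CRLOverlapPeriod, CRLDeltaOverlapUnits, CRLDeltaOverlapPeriod
```

The readback at the end shows the registry values only; the next published CRL is what actually carries the extended Next Update time.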

The following table lists the values that can be used in the Certutil syntax described in this procedure.

Value                        Description
Certutil                     Specifies the name of the command-line tool.
-setreg                      Modifies the registry.
ca\CRLOverlapUnits           Indicates the registry value that stores the value for the CRL overlap setting.
ca\CRLDeltaOverlapUnits      Indicates the registry value that stores the value for the delta CRL overlap setting.
Value                        Provides the numerical value to set this option to.
ca\CRLOverlapPeriod          Indicates the registry value that stores the unit type for the CRL overlap setting.
ca\CRLDeltaOverlapPeriod     Indicates the registry value that stores the unit type for the delta CRL overlap setting.
Units                        Provides the type of units for the overlap period. Valid values are Minutes, Hours, and Days.

Note

If your environment is not configured to issue delta CRLs, the CRLDeltaOverlapUnits and CRLDeltaOverlapPeriod settings have no effect.

Additional considerations

  • To open a command prompt, click Start, point to All Programs, click Accessories, and then click Command Prompt.

Tip

Starting with Windows Vista® and Windows Server® 2008, you must ensure that you run the Command Prompt as an administrator. To do so, right-click Command Prompt and then click Run as administrator.

Additional references