Configure CRL Publication

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

When you have updated the CDP extensions on the CA, you need to publish a new CRL so that all clients can access the new CRL data. For more information about configuring CRL publication, see "Manage Certificate Revocation" in Help and Support Center for Windows Server 2003.

Modifying the Default Certificate Publication Period

Certificates that are revoked before they expire remain in the published base CRL for one full base CRL period (as defined by the CA) after their expiration date. Once one additional base CRL has expired, expired certificates are no longer included in published CRLs.

Although applications do not check CRLs for certificates that have already expired, in some cases you might want to maintain a public list of signing certificates that have been revoked. You can enable a registry setting on the CA to ensure that revoked certificates are not removed from the CRL after they expire.

To modify the default CRL publication period for revoked and expired certificates on a CA

  • At the command prompt, type:

    certutil -setreg ca\CRLFlags +CRLF_PUBLISH_EXPIRED_CERT_CRLS

Warning

Large CRLs can cause performance issues for certificate clients and domain controllers. For more information about what causes large CRLs, see the TechNet Wiki article "Large CRLs: What is added to a Certificate Revocation List (CRL)?"

Ensuring Application Reliability

Many applications rely on CRL availability and fail if the CRL is inaccessible or out-of-date. Follow these guidelines when publishing CRLs to ensure the reliability of your applications:

  • Configure the CRL to be valid for a long enough period of time to allow for the recovery of the CA if there is a hardware or software failure.

  • Set a reasonable CRL overlap period to protect against CRL publication or replication failures.

  • Keep the private key of the CA and a copy of the CRL in a secure offline location so that you can sign and publish a valid CRL manually by using Certutil.exe when a catastrophic failure occurs.

  • Use Active Directory to publish CRLs whenever possible. This maximizes availability and network performance. However, always consider the amount of time needed to replicate Active Directory data between domain controllers.

  • Do not publish CRLs to Active Directory when the CRL publication period is shorter than the replication convergence time for the Active Directory forest.

  • To prevent the use of a logon certificate, disable the account in Active Directory.

Controlling CRL Size

You can partition a base CRL to control its size. In this way, you can control the amount of data that is replicated to Active Directory and the size of the data object that clients download when they perform revocation checks on certificates. You partition base CRLs by renewing the CA key. This creates a partitioned CRL for all certificates that are issued after the key is renewed.

The CRL grows by about 29 bytes for every certificate that is revoked, depending on the reasons that you specify for the revocation. To minimize download times, you might want to renew the CA with a new key every time the CRL reaches 100-125 kilobytes (KB) in size. This strategy assumes that approximately 10 percent of the certificates that you issue are revoked before their natural expiration date. If your actual or planned revocation rate is higher or lower than this, adjust your key renewal strategy accordingly.
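A small planning helper for the reliability guidelines and the sizing rule above (an added example, not part of the original article or of Microsoft's tooling): it applies the article's 29-byte-per-entry figure, the 100-125 KB renewal window and the 10 percent revocation assumption to estimate how many certificates a CA key can issue before it should be renewed, and checks a proposed validity/overlap schedule against the replication-convergence guideline. Function names, the `fixed_overhead` parameter and the sample figures are assumptions made for illustration.

```python
# Figures taken from the article's sizing guidance.
BYTES_PER_REVOKED_ENTRY = 29      # approximate CRL growth per revoked certificate
RENEW_AT_BYTES = 100 * 1024       # lower end of the 100-125 KB key-renewal window
DEFAULT_REVOCATION_RATE = 0.10    # the article's planning assumption (10 percent)


def crl_size_bytes(revoked_entries, fixed_overhead=0):
    """Approximate size of a base CRL holding `revoked_entries` revoked certificates.
    `fixed_overhead` (a constructed parameter) stands for the signed CRL envelope,
    which the article does not quantify, so it defaults to 0."""
    return fixed_overhead + revoked_entries * BYTES_PER_REVOKED_ENTRY


def certs_per_ca_key(revocation_rate=DEFAULT_REVOCATION_RATE, renew_at=RENEW_AT_BYTES):
    """Certificates one CA key can issue before its partitioned CRL is expected
    to reach `renew_at` bytes, given the fraction revoked before expiry."""
    if not 0 < revocation_rate <= 1:
        raise ValueError("revocation_rate must be a fraction in (0, 1]")
    max_entries = renew_at // BYTES_PER_REVOKED_ENTRY   # entries that fit under the threshold
    return round(max_entries / revocation_rate)


def key_renewal_months(certs_issued_per_month, revocation_rate=DEFAULT_REVOCATION_RATE):
    """Whole months a CA can issue on one key before renewal with a new key is advised."""
    if certs_issued_per_month <= 0:
        raise ValueError("certs_issued_per_month must be positive")
    return certs_per_ca_key(revocation_rate) // certs_issued_per_month


def publication_findings(crl_validity_hours, overlap_hours, ad_convergence_hours,
                         publish_to_ad=True):
    """Check a proposed publication schedule against the reliability guidelines.
    Returns a list of findings; an empty list means the schedule satisfies them."""
    findings = []
    if overlap_hours <= 0:
        findings.append("no overlap period: one missed publication leaves clients "
                        "with an expired CRL")
    elif overlap_hours >= crl_validity_hours:
        findings.append("overlap period must be shorter than the CRL validity period")
    if publish_to_ad and crl_validity_hours <= ad_convergence_hours:
        findings.append("CRL validity is shorter than AD replication convergence; "
                        "do not publish this CRL to Active Directory")
    return findings
```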

Removing Expired CRLs

By default, a CA maintains an expired CRL in the database and keeps it in the directory at the last known CDP publication point.

When the key for a CA expires, the CA continues to publish CRLs that are signed by the expired CA certificate. It is recommended that you maintain this CRL in the CA database to allow for long-term validation and auditing. You can, however, remove the CRL to clean out the database.

To remove a CRL after a CA key expires

  • At the command prompt, type:

    certutil -setreg ca\CRLFlags +CRLF_DELETE_EXPIRED_CRLS