
Public Key Infrastructure Part 4 – Configure Certificate Revocation List

Certificate Revocation List

As seen in the previous part, a Certificate Revocation List (CRL) contains the identifiers of revoked certificates (only those that have not yet expired). To determine whether a certificate is revoked, the client downloads the CRL and verifies that the certificate is not listed in it. The client caches the CRL for the duration of its validity period. By default, a CRL validity period is 1 week, which means the CRL on the CRL Distribution Point (CDP) is updated every week. This can be a security issue: if a certificate is revoked during the validity period of the CRL, the CRL on the CDP will not be updated and the client will not know that the certificate is revoked.

So if you are using only a base CRL, do not configure a long validity period, in order to keep this exposure window short. On the other hand, do not publish the CRL too often, to avoid network overload, especially if your CRL is large. You have to find a golden mean.

Delta CRL

A delta CRL contains the identifiers of certificates revoked (and not yet expired) since the last base CRL was published. To determine whether a certificate is revoked, the client downloads the base CRL (which is cached) and the delta CRL. By default, the delta CRL is published every day.

Delta CRLs are used when the base CRL becomes very large. In this case the base CRL is published less frequently and the much smaller delta CRL is downloaded more frequently.

CRL overlap

When using CRL overlap, two CRLs are published at different times so that their validity periods overlap. For example, suppose that the CRL has a validity period of 4 days: the first CRL is published, and the second is published two days later.

CRL overlap is used to be sure that a new CRL is available before the previous CRL expires. When you store the CRL in Active Directory and you have many sites, CRL propagation depends on DFS replication, so it is necessary to allow time for replication; CRL overlap serves this purpose. By default in Active Directory Certificate Services, the overlap period is 10% of the CRL lifetime, up to a maximum of 12 hours.

Configure CRL

Below commands configure the CRL validity period to 6 days:

certutil -setreg CA\CRLPeriodUnits 6
certutil -setreg CA\CRLPeriod "Days"

Below commands configure the Delta CRL validity period to 1 day:

certutil -setreg CA\CRLDeltaPeriodUnits 1
certutil -setreg CA\CRLDeltaPeriod "Days"

Below commands configure the overlap period to 2 hours:

certutil -setreg CA\CRLOverlapPeriod "Hours"
certutil -setreg CA\CRLOverlapUnits 2
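The following PowerShell script is an added example and is not part of the original post. It serves both the CRL overlap section and the configuration commands above: it first computes the effective publish interval, overlap and validity (NextUpdate) for a given set of registry values, applying the default overlap rule described above (10% of the CRL lifetime, capped at 12 hours) when no explicit overlap is configured, and then applies the same six certutil -setreg values as the post, restarts the CA service and publishes a fresh CRL. It assumes it is run in an elevated session on the CA itself, that the service is named CertSvc, and that the month and year conversions are approximations (they are labelled as such in the code).

```powershell
# Added example, not the post's own script. Assumptions: run elevated on the
# CA host; the CA service is CertSvc; values below are the ones from the post.

function ConvertTo-CrlTimeSpan {
    # Translate a certutil period (Units + Period string) into a TimeSpan.
    param([int]$Units, [string]$Period)
    switch ($Period.ToLower()) {
        'minutes' { New-TimeSpan -Minutes $Units }
        'hours'   { New-TimeSpan -Hours $Units }
        'days'    { New-TimeSpan -Days $Units }
        'weeks'   { New-TimeSpan -Days (7 * $Units) }
        'months'  { New-TimeSpan -Days (30 * $Units) }   # assumption: 30-day month
        'years'   { New-TimeSpan -Days (365 * $Units) }  # assumption: 365-day year
        default   { throw "Unknown period '$Period'" }
    }
}

function Get-CrlSchedule {
    # Effective schedule for a base or delta CRL. When OverlapUnits is 0 the
    # default from the post applies: 10% of the lifetime, at most 12 hours.
    param(
        [int]$PeriodUnits, [string]$Period,
        [int]$OverlapUnits = 0, [string]$OverlapPeriod = 'Hours'
    )
    $publish = ConvertTo-CrlTimeSpan -Units $PeriodUnits -Period $Period
    if ($OverlapUnits -gt 0) {
        $overlap = ConvertTo-CrlTimeSpan -Units $OverlapUnits -Period $OverlapPeriod
    } else {
        $overlap = New-TimeSpan -Minutes ([int][math]::Floor($publish.TotalMinutes / 10))
        if ($overlap -gt (New-TimeSpan -Hours 12)) { $overlap = New-TimeSpan -Hours 12 }
    }
    [pscustomobject]@{
        PublishInterval = $publish          # how often a new CRL is issued
        Overlap         = $overlap          # extra time the old CRL stays valid
        Validity        = $publish + $overlap  # NextUpdate = ThisUpdate + Validity
    }
}

# Compare the 1-week default with the values used in the post.
Get-CrlSchedule -PeriodUnits 1 -Period 'Weeks'                                   # overlap capped at 12h
Get-CrlSchedule -PeriodUnits 6 -Period 'Days' -OverlapUnits 2 -OverlapPeriod 'Hours'
Get-CrlSchedule -PeriodUnits 1 -Period 'Days'                                    # delta CRL, 10% = 2h24m

# Apply the post's settings. certutil -setreg only writes the registry; the CA
# service has to be restarted before the new values are used.
$settings = [ordered]@{
    'CA\CRLPeriodUnits'      = 6
    'CA\CRLPeriod'           = 'Days'
    'CA\CRLDeltaPeriodUnits' = 1
    'CA\CRLDeltaPeriod'      = 'Days'
    'CA\CRLOverlapUnits'     = 2
    'CA\CRLOverlapPeriod'    = 'Hours'
}
foreach ($entry in $settings.GetEnumerator()) {
    & certutil -setreg $entry.Key $entry.Value | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certutil -setreg $($entry.Key) failed" }
}
Restart-Service -Name CertSvc

# Publish a new base and delta CRL now instead of waiting for the next cycle,
# then read the values back to confirm what the CA holds.
certutil -crl
foreach ($key in $settings.Keys) { certutil -getreg $key }
```

Note that the schedule function only models the rule stated in this post; the CRL actually issued by the CA is the authority, so after publishing, open the CRL from your CDP and compare its Next Update field with the Validity value computed here. If the CDP is in Active Directory with several sites, the overlap must also cover DFS replication time, as described in the CRL overlap section.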

About Romain Serre

Romain Serre works in Lyon as a Senior Consultant. He is focused on Microsoft Technology, especially on Hyper-V, System Center, Storage, networking and Cloud OS technology as Microsoft Azure or Azure Stack. He is a MVP and he is certified Microsoft Certified Solution Expert (MCSE Server Infrastructure & Private Cloud), on Hyper-V and on Microsoft Azure (Implementing a Microsoft Azure Solution).

2 comments

  1. Hi, thanks for your great posts, the value of the following code shall be corrected, otherwise it gives an invalid data error!
     certutil -setreg CA\CRLOverlapPeriod 2 → change to → certutil -setreg CA\CRLOverlapPeriod "Hours"
     certutil -setreg CA\CRLOverlapUnits "hours" → change to → certutil -setreg CA\CRLOverlapUnits 2
