Public Key Infrastructure Part 4 – Configure Certificate Revocation List

Certificate Revocation List

As seen in the previous part, the Certificate Revocation List contains the IDs of revoked certificates (only revoked certificates that have not yet expired). To determine whether a certificate is revoked, the client downloads the CRL and verifies that the certificate is not listed in it. The client caches the CRL for the duration of its validity period. By default, the CRL validity period is 1 week, which means the CRL is updated on the CRL Distribution Point (CDP) every week. This can be a security issue: if a certificate is revoked during the validity period of the CRL, the CRL on the CDP is not updated until the next publication, and a client holding the cached CRL will not know that the certificate is revoked.

So if you are using only a base CRL, do not configure a long validity period, in order to shorten the window during which a revocation goes unnoticed. On the other hand, do not publish the CRL too often, to avoid network overload, especially if your CRL is large. You have to find a balance.

Delta CRL

A delta CRL contains the IDs of certificates (only non-expired ones) revoked since the last base CRL was published. To determine whether a certificate is revoked, the client downloads the base CRL (which is cached) and the delta CRL. By default, the delta CRL is published every day.

Delta CRLs are used when the base CRL becomes very large. In this case the base CRL is published less frequently and the smaller delta CRL is downloaded more frequently.

CRL overlap

When using CRL overlap, two CRLs are valid at the same time because they are published at different times. For example, suppose the CRL has a validity period of 4 days. The first CRL is published, and the second is published two days later.

CRL overlap is used to be sure that a new CRL is available before the previous CRL expires. When you store the CRL in Active Directory and you have many sites, CRL propagation depends on DFS replication, so you must allow time for replication; CRL overlap covers this case. By default, in Active Directory Certificate Services, the overlap period is 10% of the CRL lifetime, with a maximum of 12 hours.

Configure CRL

The commands below configure the CRL validity period to 6 days:

certutil -setreg CA\CRLPeriodUnits 6
certutil -setreg CA\CRLPeriod "Days"

The commands below configure the delta CRL validity period to 1 day:

certutil -setreg CA\CRLDeltaPeriodUnits 1
certutil -setreg CA\CRLDeltaPeriod "Days"

The commands below configure the overlap period to 2 hours:

certutil -setreg CA\CRLOverlapPeriod "hours"
certutil -setreg CA\CRLOverlapUnits 2
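The script below is an added example, not code from this post, that models the timing rules described above (CRL lifetime, the default 10%/12-hour overlap, delta CRL publication) and emits the certutil lines in the form the post uses. It assumes a simplified model in which a client trusts its cached CRL until the NextUpdate time, and it understands only the Hours, Days and Weeks period words.

```python
from datetime import timedelta

# certutil period words this model understands; Months/Years vary in length and are
# deliberately left out (assumption of this example).
UNIT_LENGTH = {"hours": timedelta(hours=1), "days": timedelta(days=1), "weeks": timedelta(weeks=1)}

def to_span(units, period):
    """Turn a (CRLPeriodUnits, CRLPeriod) pair such as (6, "Days") into a timedelta."""
    if period.lower() not in UNIT_LENGTH:
        raise ValueError(f"unsupported CRL period unit {period!r}")
    return units * UNIT_LENGTH[period.lower()]

def default_overlap(lifetime):
    """AD CS default overlap as described in the post: 10% of the CRL lifetime, capped at 12 hours."""
    return min(lifetime / 10, timedelta(hours=12))

def schedule(published_at, lifetime, overlap=None):
    """Return (time the next CRL is published, NextUpdate stamped into this CRL)."""
    overlap = default_overlap(lifetime) if overlap is None else overlap
    next_publish = published_at + lifetime
    return next_publish, next_publish + overlap

def worst_case_revocation_lag(lifetime, overlap=None):
    """Simplified model (assumption): a client that cached a CRL just before a revocation keeps
    trusting the certificate until that CRL's NextUpdate, i.e. lifetime + overlap later."""
    overlap = default_overlap(lifetime) if overlap is None else overlap
    return lifetime + overlap

def check_config(cfg):
    """Sanity-check a dict keyed by the registry value names used with certutil -setreg."""
    problems = []
    base = to_span(cfg["CRLPeriodUnits"], cfg["CRLPeriod"])
    if "CRLOverlapUnits" in cfg:
        overlap = to_span(cfg["CRLOverlapUnits"], cfg["CRLOverlapPeriod"])
        if overlap >= base:
            problems.append("overlap period must be shorter than the base CRL period")
    if "CRLDeltaPeriodUnits" in cfg:
        delta = to_span(cfg["CRLDeltaPeriodUnits"], cfg["CRLDeltaPeriod"])
        if delta >= base:
            problems.append("delta CRL period must be shorter than the base CRL period")
    return problems

def certutil_commands(cfg):
    """Emit certutil lines: *Units values are bare numbers, *Period values are quoted words.
    Swapping the two is the 'invalid data' error reported in the comments."""
    return [f'certutil -setreg CA\\{name} ' + (f'"{value}"' if isinstance(value, str) else str(value))
            for name, value in cfg.items()]

if __name__ == "__main__":
    cfg = {"CRLPeriodUnits": 6, "CRLPeriod": "Days", "CRLDeltaPeriodUnits": 1,
           "CRLDeltaPeriod": "Days", "CRLOverlapUnits": 2, "CRLOverlapPeriod": "hours"}
    print("\n".join(certutil_commands(cfg)), check_config(cfg))
    print("base CRL worst-case lag:", worst_case_revocation_lag(to_span(6, "Days"), to_span(2, "hours")))
    print("delta CRL worst-case lag:", worst_case_revocation_lag(to_span(1, "Days")))
```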

About Romain Serre

Romain Serre works in Lyon as a Senior Consultant. He is focused on Microsoft technology, especially Hyper-V, System Center, storage, networking and Cloud OS technology such as Microsoft Azure or Azure Stack. He is an MVP and is certified Microsoft Certified Solution Expert (MCSE Server Infrastructure & Private Cloud), on Hyper-V and on Microsoft Azure (Implementing a Microsoft Azure Solution).

5 comments

  1. Hi, thanks for your great posts. The values in the following code should be corrected, otherwise it gives an invalid data error!
    certutil -setreg CA\CRLOverlapPeriod 2  -> change to -> certutil -setreg CA\CRLOverlapPeriod "Hours"
    certutil -setreg CA\CRLOverlapUnits "hours"  -> change to -> certutil -setreg CA\CRLOverlapUnits 2

  2. Hello Romain,

    I am trying to publish the CRL to a file share location on a different server in the environment, joined to the domain. Though I am able to publish the CRL to the file share, when I open 'PKIVIEW.msc' to check the CDPs and AIAs it shows that the CDP cannot be downloaded. I have also checked from the client computers using the 'certutil -url abc.cer' command, but there too the CDP shows as unreachable.

    (abc.cer -> certificate issued to clients)

    The permissions which I have applied are:

    1. The CRL folder is on the C drive of the server.

    2. I have given modify permissions to the CA computer and to the administrator on that shared folder.

    3. I have also given security permissions to the CA computer.

    4. I have configured the CRL as ->
    file://\\Server1.contoso.com\dump\<CaName.crl

    (Note -> I have also tried a different format for the URL, but the CRLs still get published to the file share while through PKIVIEW.msc and the client computers they do not get downloaded.)

    5. I am not using a delta CRL. The duration of the base CRL is 1 week.

    Thanks and regards,
    Rahul Kumar

  3. Hi,
    Should these changes be applied on the root CA, the sub CA, or both?

    Also, if you ever have time, would you mind writing a page in this tutorial about installing the web enrollment component?

    Thanks,
    Mike
