Comments on: Public Key Infrastructure Part 4 – Configure Certificate Revocation List

By: Romain Serre

Romain Serre — Wed, 25 Oct 2017 08:39:43 +0000

Have you tried to download the CRL from a web browser ?

By: Rahul Kumar

Rahul Kumar — Mon, 23 Oct 2017 07:09:39 +0000

Hello Romain,

I am trying to publish CRL to file share location which is on a different server in the environment joined to the domain. Though i am able to publish the CRL to the file share ,but when i open my ‘PKIVIEW.msc’ to check for the CDPs and AIAs it shows that the CDP cannot be downloaded. I have also checked from the client computers using the ‘certutil –url abc.cer’ command but there also the CDP shows unreachable.

(abc.cer -> Certificate issued to clients)

The permissions which i have applied are :

1. the CRL folder is in C drive of the server.

2. I have given modify permissions to the CA computer and the administrator on that shared folder.

3. I have also given security permissions to the CA computer.

4. I have configured the CRL as ->
file://\\Server1.contoso.com\dump\

(Note -> I have also tried a different format for the url but still the CRLS gets published to the file share but through PKIVIEW.msc and client computers it is not getting downloaded.)

5. I am not using delta CRL. The duration of Base CRL is 1 weeks.

Thanks and Regards,
Rahul Kumar

By: Romain Serre

Romain Serre — Tue, 28 Apr 2015 08:27:09 +0000

Hi Reza,

Thank you. I correct my post.

By: Reza Nirumand

Reza Nirumand — Mon, 27 Apr 2015 07:28:04 +0000

Hi, thanks for your great posts, the value of following code shall be corrected. otherwise gives invalid data error!
certutil -setreg CA\CRLOverlapPeriod 2 ————change to—-> certutil -setreg CA\CRLOverlapPeriod “Hours”
certutil -setreg CA\CRLOverlapUnits “hours” ——-change to—-> certutil -setreg CA\CRLOverlapUnits 2