- Public Key Infrastructure Part 1 – introduction to encryption and signature
- Public Key Infrastructure Part 2 – main components
- Public Key Infrastructure Part 3 – implement a PKI with Active Directory Certificate Services
- Public Key Infrastructure Part 4 – Configure CRL
- Public Key Infrastructure Part 5 – Registry key, certutil and Active Directory
- Public Key Infrastructure Part 6 – Manage certificate templates
- Public Key Infrastructure Part 7 – Enrollment and Autoenrollment
- Public Key Infrastructure Part 8 – OCSP responder
- Public Key Infrastructure Part 9 – Management accounts
- Public Key Infrastructure Part 10 – Best practices about PKI
Certificate Revocation List
As seen in the previous part, a Certificate Revocation List (CRL) contains the serial numbers of revoked certificates (only those that have not yet expired). To determine whether a certificate is revoked, the client downloads the CRL and checks that the certificate's serial number is not listed in it. The client caches the CRL for the duration of its validity period. By default, a CRL validity period is 1 week, which means the CRL is updated on the CRL Distribution Point (CDP) every week. This can be a security issue: if a certificate is revoked during the validity period of the CRL, the CRL on the CDP is not updated and the client has no way to know that the certificate is revoked.
So if you are using only a base CRL, do not configure a long validity period, in order to keep short the window during which a revoked certificate still appears valid. On the other hand, do not publish the CRL too often, to avoid network overload, especially if your CRL is large. You have to find a balance.
A delta CRL contains the serial numbers of certificates revoked (and not yet expired) since the last base CRL was published. To determine if a certificate is revoked, the client downloads the base CRL (which is cached) and the delta CRL. By default, the delta CRL is published every day.
Delta CRLs are used when the base CRL becomes very large. In that case the base CRL is published less frequently and the much smaller delta CRL is downloaded more frequently.
When using CRL overlap, two CRLs are published at different times so that their validity periods overlap. For example, suppose the CRL has a validity period of 4 days: the first CRL is published, and the second is published two days later, while the first is still valid.
CRL overlap is used to be sure that a new CRL is available before the current CRL expires. When you store the CRL in Active Directory and you have many sites, CRL propagation depends on DFS replication, so it is necessary to allow time for replication; CRL overlap gives you that time. By default in Active Directory Certificate Services, the overlap period is 10% of the CRL lifetime, with a maximum of 12 hours.
The commands below configure the CRL validity period to 6 days:

```
certutil -setreg CA\CRLPeriodUnits 6
certutil -setreg CA\CRLPeriod "Days"
```

The commands below configure the Delta CRL validity period to 1 day:

```
certutil -setreg CA\CRLDeltaPeriodUnits 1
certutil -setreg CA\CRLDeltaPeriod "Days"
```

The commands below configure the overlap period to 2 hours:

```
certutil -setreg CA\CRLOverlapPeriod "Hours"
certutil -setreg CA\CRLOverlapUnits 2
```
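The three settings above form one procedure. The following PowerShell is an added example, not code from the original post, that applies them together on the CA server and includes the step the commands alone do not show: the CA service (CertSvc) only reads these registry values at startup, so it must be restarted before they take effect, and a new CRL is published afterwards so the new validity window appears on the CDP. The function name Set-CrlSchedule, its parameters and the unit table used for the sanity check are our own; the registry value names and the numbers (6 days, 1 day, 2 hours) are the article's. Run it from an elevated prompt on the CA.

```powershell
# Added example (not from the original post): apply the article's CRL schedule
# with certutil, restart the CA so the registry values take effect, publish a
# fresh CRL and read the values back. Function name and parameters are ours.

function Set-CrlSchedule {
    param(
        [int]$BasePeriodUnits  = 6,
        [string]$BasePeriod    = "Days",
        [int]$DeltaPeriodUnits = 1,
        [string]$DeltaPeriod   = "Days",
        [int]$OverlapUnits     = 2,
        [string]$OverlapPeriod = "Hours"
    )

    # Rough conversion to hours for a sanity check (table is ours): the overlap
    # and the delta period must both be shorter than the base CRL period,
    # otherwise the schedule makes no sense.
    $hoursPer = @{ Hours = 1; Days = 24; Weeks = 168; Months = 720; Years = 8760 }
    $baseHours    = $BasePeriodUnits  * $hoursPer[$BasePeriod]
    $deltaHours   = $DeltaPeriodUnits * $hoursPer[$DeltaPeriod]
    $overlapHours = $OverlapUnits     * $hoursPer[$OverlapPeriod]
    if ($overlapHours -ge $baseHours) { throw "Overlap must be shorter than the base CRL period" }
    if ($deltaHours   -ge $baseHours) { throw "Delta CRL period must be shorter than the base CRL period" }

    # Same registry values as the article's certutil -setreg commands,
    # but each write is checked instead of silently continuing on failure.
    $settings = @(
        @{ Name = 'CA\CRLPeriodUnits';      Value = $BasePeriodUnits  },
        @{ Name = 'CA\CRLPeriod';           Value = $BasePeriod       },
        @{ Name = 'CA\CRLDeltaPeriodUnits'; Value = $DeltaPeriodUnits },
        @{ Name = 'CA\CRLDeltaPeriod';      Value = $DeltaPeriod      },
        @{ Name = 'CA\CRLOverlapUnits';     Value = $OverlapUnits     },
        @{ Name = 'CA\CRLOverlapPeriod';    Value = $OverlapPeriod    }
    )
    foreach ($s in $settings) {
        & certutil.exe -setreg $s.Name $s.Value | Out-Null
        if ($LASTEXITCODE -ne 0) {
            throw "certutil -setreg $($s.Name) failed with exit code $LASTEXITCODE"
        }
    }

    # The CA reads these values only when the service starts.
    Restart-Service -Name CertSvc

    # Publish a new base CRL (and delta CRL, if enabled) so the new
    # ThisUpdate / NextUpdate window is visible on the CDP right away.
    & certutil.exe -crl | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "certutil -crl failed with exit code $LASTEXITCODE"
    }

    # Read the values back so the operator can confirm what the CA will use.
    foreach ($s in $settings) {
        & certutil.exe -getreg $s.Name
    }
}

Set-CrlSchedule
```

Calling Set-CrlSchedule with no arguments applies exactly the article's values; pass different units or periods to experiment, and the sanity check will refuse an overlap or delta period that is not shorter than the base CRL period.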