- Public Key Infrastructure Part 1 – introduction to encryption and signature
- Public Key Infrastructure Part 2 – main components
- Public Key Infrastructure Part 3 – implement a PKI with Active Directory Certificate Services
- Public Key Infrastructure Part 4 – Configure CRL
- Public Key Infrastructure Part 5 – Registry key, certutil and Active Directory
- Public Key Infrastructure Part 6 – Manage certificate templates
- Public Key Infrastructure Part 7 – Enrollment and Autoenrollment
- Public Key Infrastructure Part 8 – OCSP responder
- Public Key Infrastructure Part 9 – Management accounts
- Public Key Infrastructure Part 10 – Best practices about PKI
Certificate Revocation List
As seen in the previous part, a Certificate Revocation List contains the IDs of revoked certificates (only revoked certificates that have not yet expired). To determine whether a certificate is revoked, the client downloads the CRL and verifies that the certificate is not listed in it. The client caches the CRL for the duration of its validity period. By default, the CRL validity period is 1 week, which means the CRL is updated on the CRL Distribution Point (CDP) every week. This can be a security issue: if a certificate is revoked during the validity period of the current CRL, the CRL on the CDP is not updated, and a client that has cached it will not know that the certificate is revoked until it fetches the next one.
So if you are using only a base CRL, do not configure a long validity period, in order to keep that window of exposure short. On the other hand, do not publish the CRL too often, to avoid network overload, especially if your CRL is large. You have to find a balance between the two.
Delta CRL
A delta CRL contains the IDs of certificates revoked (and not yet expired) since the last base CRL was published. To determine whether a certificate is revoked, the client downloads the base CRL (which is cached) and the delta CRL. By default the delta CRL is published every day.
Delta CRLs are used when the base CRL becomes very large. In this case the base CRL is published less frequently and the much smaller delta CRL is downloaded more frequently.
CRL overlap
When using CRL overlap, two CRLs are valid at the same time, published at different moments. For example, suppose the CRL has a validity period of 4 days: the first CRL is published, and the second is published two days later, while the first is still valid.
CRL overlap is used to make sure that a new CRL is available before the previous one expires. When you store the CRL in Active Directory and you have many sites, CRL propagation depends on DFS replication, so it is necessary to allow time for replication; CRL overlap covers that window. By default in Active Directory Certificate Services, the overlap period is 10% of the CRL lifetime, with a maximum of 12 hours.
Configure CRL
The commands below configure the base CRL validity period to 6 days:
certutil -setreg CA\CRLPeriodUnits 6
certutil -setreg CA\CRLPeriod "Days"
The commands below configure the delta CRL validity period to 1 day:
certutil -setreg CA\CRLDeltaPeriodUnits 1
certutil -setreg CA\CRLDeltaPeriod "Days"
The commands below configure the overlap period to 2 hours:
certutil -setreg CA\CRLOverlapPeriod "Hours"
certutil -setreg CA\CRLOverlapUnits 2
These values are stored in the registry and read by the CA service when it starts, so restart the Certificate Services service after changing them and then publish a new CRL.
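As an added example (not part of the original post), the following PowerShell script reads the active CA's current CRL schedule from the CertSvc registry key, works out the effective overlap using the 10% / 12-hour default rule described above, and with -Apply sets the values from this post, restarts the CA service and publishes fresh CRLs. It assumes an elevated session on the CA server itself; the Get-CrlSchedule function and the RevocationLagHours field are my own names, not certutil's.

```powershell
# Added example: inspect and (optionally) apply the CRL schedule of the local CA.
# Assumes an elevated PowerShell session on the CA server (not from the original post).
param([switch]$Apply)

$cfg    = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName = (Get-ItemProperty -Path $cfg -Name Active).Active   # name of the active CA
$caKey  = Join-Path $cfg $caName                              # key that "certutil -setreg CA\..." writes to

# Hypothetical helper: returns the configured periods in hours plus the effective overlap
function Get-CrlSchedule {
    $p = Get-ItemProperty -Path $caKey
    # Hashtable keys are case-insensitive, so "hours" and "Hours" both match
    $toHours = @{ Hours = 1; Days = 24; Weeks = 168; Months = 730; Years = 8760 }  # Months/Years approximate
    $baseH  = $p.CRLPeriodUnits * $toHours[$p.CRLPeriod]
    $deltaH = if ($p.CRLDeltaPeriodUnits -gt 0) { $p.CRLDeltaPeriodUnits * $toHours[$p.CRLDeltaPeriod] } else { 0 }
    # An explicit overlap wins; otherwise ADCS uses 10% of the CRL lifetime, capped at 12 hours
    $overlapH = if ($p.CRLOverlapUnits -gt 0) { $p.CRLOverlapUnits * $toHours[$p.CRLOverlapPeriod] }
                else { [math]::Min($baseH * 0.1, 12) }
    # Worst case before a client learns of a revocation: the lifetime of the CRL it caches
    $lagH = if ($deltaH -gt 0) { $deltaH } else { $baseH }
    [pscustomobject]@{
        CA                 = $caName
        BaseCrlHours       = $baseH
        DeltaCrlHours      = $deltaH
        OverlapHours       = $overlapH
        RevocationLagHours = $lagH
    }
}

if ($Apply) {
    # The values from this post: 6-day base CRL, 1-day delta CRL, 2-hour overlap
    certutil -setreg CA\CRLPeriodUnits 6
    certutil -setreg CA\CRLPeriod "Days"
    certutil -setreg CA\CRLDeltaPeriodUnits 1
    certutil -setreg CA\CRLDeltaPeriod "Days"
    certutil -setreg CA\CRLOverlapUnits 2
    certutil -setreg CA\CRLOverlapPeriod "Hours"
    # -setreg only writes the registry; the CA reads it at start-up, so restart, then publish new CRLs
    Restart-Service -Name certsvc
    certutil -CRL
}

Get-CrlSchedule | Format-List
```

Run it without -Apply first to see the current schedule and the resulting revocation lag; with the post's values the lag is 24 hours (the delta CRL period) instead of 6 days.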
Hi, thanks for your great posts. The values in the following commands should be corrected, otherwise it gives an invalid data error!
certutil -setreg CA\CRLOverlapPeriod 2 -> change to -> certutil -setreg CA\CRLOverlapPeriod "Hours"
certutil -setreg CA\CRLOverlapUnits "hours" -> change to -> certutil -setreg CA\CRLOverlapUnits 2
Hi Reza,
Thank you. I have corrected my post.
Hello Romain,
I am trying to publish the CRL to a file share located on a different, domain-joined server in the environment. Though I am able to publish the CRL to the file share, when I open 'PKIVIEW.msc' to check the CDPs and AIAs it shows that the CDP cannot be downloaded. I have also checked from the client computers using the 'certutil -url abc.cer' command, but there too the CDP shows as unreachable.
(abc.cer -> Certificate issued to clients)
The permissions which I have applied are:
1. The CRL folder is on the C drive of the server.
2. I have given modify permissions to the CA computer and the administrator on that shared folder.
3. I have also given security permissions to the CA computer.
4. I have configured the CRL as ->
file://\\Server1.contoso.com\dump\<CaName.crl
(Note -> I have also tried a different format for the URL, but the CRLs still get published to the file share while PKIVIEW.msc and the client computers cannot download them.)
5. I am not using a delta CRL. The duration of the base CRL is 1 week.
Thanks and Regards,
Rahul Kumar
Have you tried to download the CRL from a web browser?
Hi,
Should these changes be applied on the root CA, the sub CA, or both?
Also, if you ever have time, would you mind writing a page in this tutorial about installing the web enrollment component?
thanks,
Mike