Posts on this page:
Hello world! Here is the fifth and the last part of an "AD CS Partitioned CRLs - A Comprehensive Guide" blog post series.
All posts in this series:
In this post, I will cover new programming APIs, changes in existing APIs, and Windows Event Log events associated with partitioned CRLs.
All programming APIs refer to the ICertRequest2 and ICertAdmin2 COM interfaces, which are the main interfaces for interacting with AD CS servers.
ICertRequest2/ICertAdmin::GetCAProperty received several new PropID parameters that allow access to per-partition CRLs and their publishing statuses.
All new APIs work only when partitioned CRLs are globally enabled. If partitioned CRLs are not enabled, all APIs mentioned below will fail with HRESULT=0x80070057.
Hello S-1-1-0, here is the fourth part of an "AD CS Partitioned CRLs - A Comprehensive Guide" blog post series.
All posts in this series:
In the previous post, I provided information about partitioned CRL design, description and configuration commands. This blog post will summarize this knowledge by providing quick guides to configure all partitioning strategies (A1, A2, B1 and B2), which you can use as a recipe template. Refer to Part 2 in this series for additional information about different CRL partitioning strategies.
This section will include configuration required by all subsequent sections.
Command examples include the CRLPublicationURLs config setting, which is provided as an example to show how the <CRLPartitionIndex> variable is defined and the new flags in front of the HTTP URL. Adapt URLs to match your environment.
Hello world! Here is the third part of an "AD CS Partitioned CRLs - A Comprehensive Guide" blog post series.
All posts in this series:
In this part, I will explain Partitioned CRL configuration elements and their behavior.
In general, a partitioned CRL consists of several configuration elements that MUST be configured in a single batch. The CA service will fail if any of the mandatory configurations is not complete. Here is the list of all configuration options, with an indication of which are mandatory:
The following sections will go through each configuration element.
Hello S-1-1-0, here is the second part of an "AD CS Partitioned CRLs - A Comprehensive Guide" blog post series.
All posts in this series:
In this part, I will explain Partitioned CRL strategies and their behavior. I will focus on partition zero handling and partition assignment randomization.
Just a brief recap of the previous post: revoked certificates are uniformly (or close to it) distributed across different partitions. The following figure shows the basic partitioning concept with five partitions:
Hello all! This blog post opens an "AD CS Partitioned CRLs - A Comprehensive Guide" blog post series. The first part is an introduction.
All posts in this series:
Starting with the 2025 10B update (October 14, 2025), AD CS on Windows Server 2019 and newer will receive a new feature called Partitioned Certificate Revocation List (CRL), or Partitioned CRL. CRL partitioning is the process of splitting a single CRL into a set of smaller CRLs. The following updates will enable this feature:
Let's recall the need for partitioned CRLs and the current state of the subject before we dig into the new update.