Historical Content Alert

This is a historical content for Windows 2000 product and is presented for informative purposes only. All content on this page is copyrighted and owned by Microsoft.

Revoking certificates and publishing CRLs

You can use the Certification Authority snap-in to revoke a certificate, to administer certificate revocation list (CRL) publication, and to specify the CRL Distribution Points (CDPs) published in every certificate issued by the certification authority (CA).

Revoking a certificate

To help maintain the integrity of an organization's public key infrastructure (PKI), the administrator of a CA has to revoke a certificate if the subject of certificate leaves the organization, or if the certificate subject's private key has been compromised, or if some other security-related event dictates that it is no longer desirable to have a certificate considered "valid." When a certificate is revoked by a CA, it is added to that CA's certificate revocation list (CRL).

For conceptual information about the role of certificate revocation and revocation checking in a PKI, see Certificate revocation. For the procedure to revoke a certificate, see Revoke an issued certificate. For instructions on how to display the current CRL, see View the certificate revocation list.

Scheduling certificate revocation list (CRL) publication

One of the features of Certificate Services is that every CA automatically publishes an updated CRL after an interval of time specified by the administrator of the CA. This interval of time is known as the CRL "publish period". After the initial setup of a CA, the CRL publish period is set to one week (based upon the local computer's time, starting from the date when the CA is first installed). You can change a certification authority's CRL publishing interval using the procedure Schedule the publication of the certificate revocation list.

A CA administrator should understand that there is a difference between a CRL publish period and the validity period of a CRL. The "validity period" of a CRL is the period of time that the CRL is considered authoritative by a verifier of a certificate. As long as the verifier of a certificate has a valid CRL in its local cache, it will not attempt to retrieve another CRL from the CA which publishes it.

The publish period of a CRL is established by the CA administrator. However, the validity period of the CRL is extended from the publish period to allow for Active Directory replication. By default, Certificate Services extends the publish period by 10% (up to a maximum of 12 hrs) to establish the validity period. So, for example, if a CA is publishing a CRL every 24 hours, the validity period is set to 26.4 hours.

Additionally, there is a clock skew of an additional 10 minutes added to the validity period on either side of the publish period, so a CRL will be valid 10 minutes before the beginning of its publish period to account for variances in computer clock settings.

There are registry entries which allow an administrator to control the variance between publish period and validity period to allow for slower directory replication. Refer to the Windows 2000 Resource Kits for information about these registry entries.

Publishing a certificate revocation list (CRL) before the next scheduled publish period

You can also publish a CRL on demand by using the CRL Publishing wizard. The publishing parameters you select using the CRL Publishing wizard will not modify the scheduled publication period. In other words, if you manually publish a CRL in the middle of a scheduled publish period, the CRL will still be automatically republished at the end of the current publish period.

It's important to realize that clients that have a cached copy of the previously published CRL will continue using it until its validity period has expired, even though a new CRL has been published. Manually publishing a CRL does not affect cached copies of CRLs that are still valid; it only makes a new CRL available for systems that do not have a cached copy of a valid CRL.

See Manually publish the certificate revocation list for the procedure to force the immediate publication of a CRL.

CRL distribution points and the CRL file name

Every certificate that is issued by a Windows 2000 certification authority has CRL distribution points as part of its content. A CRL distribution point provides a certificate verifier with the network location where it can retrieve the current copy of the CRL. For procedures to designate the certificate revocation list distribution points in certificates, see Specify certificate revocation list distribution points in issued certificates.

By default, a CRL file is published on the CA in the following location:

Systemroot\System32\Certsrv\Certenroll

The format of the CRL file name is the "sanitized name" of the CA plus, in parentheses, the "key id" of the CA (if the CA certificate has been renewed with a new key) and a .crl extension. Refer to the table for some sample CRL file names based on sample renewal histories of a CA:

Scenario Name of CRL file
A certification authority named "MyCA" that has never had its CA certificate renewed myca.crl
A certification authority named "MyCA" that has been renewed once with the same key myca.crl
A certification authority named "MyCA" that has been renewed once with a new key myca(1).crl
A certification authority named "MyCA" that has been renewed 4 times, twice with a new key myca(2).crl

See Installing and configuring a certification authority for information about a CA's "sanitized name."

See Renewing a certification authority for more information about CA renewal.

Enabling Netscape-compatible Web-based revocation checking

To enable Netscape-compatible Web-based revocation check extensions to be added to every certificate, run the following certutil command from the command prompt on the certification authority:

certutil -SetReg Policy\RevocationType +AspEnable

Then, stop and start the Certification Authority service. Certificates issued by the certification authority after it is restarted will contain the extension. For more information on the certutil command, see CertUtil


Share this article: