You can adjust the relationship between a certificate revocation list (CRL) and delta CRL by configuring an overlap period between the two. This setting is particularly useful when publication of the next base or delta CRL is delayed or the client is unable to obtain a new CRL or delta CRL at the scheduled publication time.

The overlap period for CRLs is the amount of time at the end of a published CRL's lifetime that a client can use to obtain a new CRL before the old CRL is considered unusable. The default setting for this value is 10 percent of the CRL's lifetime. Because some environments may require longer periods to replicate a CRL, this setting can be configured manually.

Note

The maximum value for either the CRL or delta CRL overlap period is 12 hours.

When both a base CRL and delta CRL have been recently published, a revoked certificate may appear in both CRLs. This is because the newer delta CRL may still point to the older base CRL while the new base CRL is being replicated. Having the certificate appear in both CRLs ensures the revocation information is available.

You must be a certification authority (CA) administrator to complete this procedure. For more information, see Implement Role-Based Administration.

To configure a CRL and delta CRL overlap period
  1. At a command prompt, type:

    certutil -setreg ca\CRLOverlapUnits Value

    certutil -setreg ca\CRLOverlapPeriod Units

    certutil -setreg ca\CRLDeltaOverlapUnits Value

    certutil -setreg ca\CRLDeltaOverlapPeriod Units

  2. Open the Certification Authority snap-in.

  3. In the console tree, click the name of the CA.

  4. On the Action menu, point to All Tasks, and click Stop Service to stop the service.

  5. On the Action menu, point to All Tasks, and click Start Service to start the service.

Caution

Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on your computer.

The following table lists the values that can be used in the Certutil syntax described in this procedure.

Value                      Description
Certutil                   Specifies the name of the command-line tool.
-setreg                    Modifies the registry.
ca\CRLOverlapUnits         Indicates the registry value that stores the value for the CRL overlap setting.
ca\CRLDeltaOverlapUnits    Indicates the registry value that stores the value for the delta CRL overlap setting.
Value                      Provides the numerical value to set this option to.
ca\CRLOverlapPeriod        Indicates the registry value that stores the value for the CRL overlap unit type setting.
ca\CRLDeltaOverlapPeriod   Indicates the registry value that stores the value for the delta CRL overlap unit type setting.
Units                      Provides the type of units for the overlap period. Valid values are Minutes, Hours, and Days.

Note

If your environment is not configured to issue delta CRLs, the settings for CRLDeltaOverlapUnits and CRLDeltaOverlapPeriod have no effect.
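The following PowerShell script is an added example, not part of the original page, that carries out the procedure above in one step: it validates the requested base and delta overlap against the 12-hour maximum, writes the four registry values with certutil -setreg, restarts the CA service, and reads the values back with certutil -getreg. It assumes it runs elevated as a CA administrator on the CA itself, that the CA service is named CertSvc, and that the delta overlap period value is stored under ca\CRLDeltaOverlapPeriod; the parameter names and the ConvertTo-Hours helper are hypothetical.

```powershell
# Added example (not from the original page). Sets base and delta CRL overlap
# periods with certutil, enforcing the 12-hour maximum stated above, then restarts
# the CA service (steps 4 and 5) and reads the values back.
# Assumes: run elevated on the CA as a CA administrator; service name CertSvc.
# Parameter names and ConvertTo-Hours are hypothetical helpers for this example.
param(
    [int]$BaseOverlapUnits = 2,
    [ValidateSet('Minutes', 'Hours', 'Days')][string]$BaseOverlapPeriod = 'Hours',
    [int]$DeltaOverlapUnits = 30,
    [ValidateSet('Minutes', 'Hours', 'Days')][string]$DeltaOverlapPeriod = 'Minutes'
)

# Convert a (value, units) pair to hours so it can be checked against the cap.
function ConvertTo-Hours([int]$Units, [string]$Period) {
    switch ($Period) {
        'Minutes' { return $Units / 60 }
        'Hours'   { return $Units }
        'Days'    { return $Units * 24 }
    }
}

$maxOverlapHours = 12
foreach ($pair in @(@($BaseOverlapUnits, $BaseOverlapPeriod),
                    @($DeltaOverlapUnits, $DeltaOverlapPeriod))) {
    $hours = ConvertTo-Hours $pair[0] $pair[1]
    if ($hours -lt 0 -or $hours -gt $maxOverlapHours) {
        throw "Overlap of $($pair[0]) $($pair[1]) exceeds the $maxOverlapHours-hour maximum."
    }
}

# The four registry values from step 1 of the procedure.
$settings = @{
    'ca\CRLOverlapUnits'       = $BaseOverlapUnits
    'ca\CRLOverlapPeriod'      = $BaseOverlapPeriod
    'ca\CRLDeltaOverlapUnits'  = $DeltaOverlapUnits
    'ca\CRLDeltaOverlapPeriod' = $DeltaOverlapPeriod
}
foreach ($name in $settings.Keys) {
    & certutil.exe -setreg $name $settings[$name] | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certutil -setreg $name failed (exit code $LASTEXITCODE)" }
}

# Stop and start the CA service so it rereads its configuration.
Restart-Service -Name CertSvc -Force

# Confirm what the CA will actually use.
foreach ($name in $settings.Keys) { & certutil.exe -getreg $name }
```

The default values (2 hours base, 30 minutes delta) are only illustrative; pick values that cover the replication delay observed in your own environment.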

Additional considerations

  • To open a command prompt, click Start, point to All Programs, click Accessories, and then click Command Prompt.

Additional references