You can adjust the relationship between a certificate revocation list (CRL) and a delta CRL by configuring an overlap period between the two. This setting matters when publication of the next base or delta CRL is delayed, or when a client cannot obtain the new CRL or delta CRL at the scheduled publication time: without an overlap, the old CRL would expire at the same moment the new one is due, and any delay would leave clients with no valid revocation data.
The overlap period is extra validity added to the end of a published CRL's lifetime. The next CRL is still published on schedule, but the previous one remains valid for the overlap period, giving clients that window to obtain the new CRL before the old one is considered unusable. The default is 10 percent of the CRL's lifetime. Because some environments (for example, those replicating CRLs through Active Directory to many sites) need longer for a new CRL to reach every client, this value can be configured manually.
Note
The maximum value for either the CRL or delta CRL overlap period is 12 hours.
When both a base CRL and delta CRL have been recently published, a revoked certificate may appear in both CRLs. This is because the newer delta CRL may still point to the older base CRL while the new base CRL is being replicated. Having the certificate appear in both CRLs ensures the revocation information is available.
You must be a certification authority (CA) administrator to complete this procedure. For more information, see Implement Role-Based Administration.
To configure a CRL and delta CRL overlap period

1. At a command prompt, type the following, replacing Value with the number of units and Units with Minutes, Hours, or Days:

   certutil -setreg ca\CRLOverlapUnits Value
   certutil -setreg ca\CRLOverlapPeriod Units
   certutil -setreg ca\CRLDeltaOverlapUnits Value
   certutil -setreg ca\CRLDeltaOverlapPeriod Units

2. Open the Certification Authority snap-in.
3. In the console tree, click the name of the CA.
4. On the Action menu, point to All Tasks, and click Stop Service to stop the service.
5. On the Action menu, point to All Tasks, and click Start Service to start the service. The CA reads the new registry values when the service starts.
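The following PowerShell script is an added example (not part of the original page) that performs the whole procedure above from an elevated prompt on the CA: it checks the requested overlap against the 12-hour ceiling before writing anything, sets the base and delta CRL overlap with certutil -setreg, restarts the Certificate Services service in place of the Stop Service / Start Service steps in the snap-in, and reads the values back with certutil -getreg. The function names and the chosen values (8 hours for the base CRL, 1 hour for the delta CRL) are the example's own; substitute values that match your replication topology.

```powershell
# Added example: configure base and delta CRL overlap on the local CA.
# Requires an elevated PowerShell session on the CA, run as a CA administrator.
# Function names and the 8h/1h values below are illustrative, not page defaults.

function ConvertTo-OverlapMinutes {
    param(
        [Parameter(Mandatory)][int]$Value,
        [Parameter(Mandatory)][ValidateSet('Minutes', 'Hours', 'Days')][string]$Units
    )
    switch ($Units) {
        'Minutes' { $Value }
        'Hours'   { $Value * 60 }
        'Days'    { $Value * 1440 }
    }
}

function Invoke-CertutilSetReg {
    param([Parameter(Mandatory)][string]$Name, [Parameter(Mandatory)]$Data)
    & certutil.exe -setreg "ca\$Name" $Data | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "certutil -setreg ca\$Name failed with exit code $LASTEXITCODE"
    }
}

function Set-CrlOverlap {
    param(
        [Parameter(Mandatory)][ValidateRange(1, [int]::MaxValue)][int]$Value,
        [Parameter(Mandatory)][ValidateSet('Minutes', 'Hours', 'Days')][string]$Units,
        [switch]$Delta    # target the delta CRL overlap instead of the base CRL overlap
    )
    # The overlap period may not exceed 12 hours. Fail before touching the registry
    # rather than leaving a half-applied Units/Period pair behind.
    if ((ConvertTo-OverlapMinutes -Value $Value -Units $Units) -gt 720) {
        throw "Overlap of $Value $Units exceeds the 12-hour maximum."
    }
    $prefix = if ($Delta) { 'CRLDeltaOverlap' } else { 'CRLOverlap' }
    # Same convention as CRLPeriodUnits/CRLPeriod: *Units is the number, *Period the unit name.
    Invoke-CertutilSetReg -Name "${prefix}Units"  -Data $Value
    Invoke-CertutilSetReg -Name "${prefix}Period" -Data $Units
}

# Base CRL: keep the previous CRL valid 8 hours past the next scheduled publication.
Set-CrlOverlap -Value 8 -Units Hours
# Delta CRL: 1 hour is usually enough because delta CRLs are small and published often.
Set-CrlOverlap -Value 1 -Units Hours -Delta

# Equivalent of the Stop Service / Start Service steps: the CA reads the new values at start.
Restart-Service -Name CertSvc

# Confirm what the CA will actually use.
foreach ($name in 'CRLOverlapUnits', 'CRLOverlapPeriod',
                  'CRLDeltaOverlapUnits', 'CRLDeltaOverlapPeriod') {
    & certutil.exe -getreg "ca\$name"
}
```

If your CA does not issue delta CRLs, omit the call with -Delta; the delta values would be written but have no effect. Restarting CertSvc briefly interrupts enrollment and OCSP responders that query the CA, so schedule the restart accordingly.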
Caution
Incorrectly editing the registry may severely damage your system. Before making changes to the registry, back up any valued data on your computer.
The following table lists the values that can be used in the Certutil syntax described in this procedure.

Value | Description
---|---
Certutil | Specifies the name of the command-line tool.
-setreg | Modifies the registry.
ca\CRLOverlapUnits | The registry value that stores the number of units for the base CRL overlap period.
ca\CRLDeltaOverlapUnits | The registry value that stores the number of units for the delta CRL overlap period.
Value | The numerical value to set this option to.
ca\CRLOverlapPeriod | The registry value that stores the unit type for the base CRL overlap period.
ca\CRLDeltaOverlapPeriod | The registry value that stores the unit type for the delta CRL overlap period.
Units | The type of units for the overlap period. Valid values are Minutes, Hours, and Days.
Note
If your environment is not configured to issue delta CRLs, the CRLDeltaOverlapUnits and CRLDeltaOverlapPeriod settings have no effect.
Additional considerations
- To open a command prompt, click Start, point to All Programs, click Accessories, and then click Command Prompt.