You must establish a regular publication schedule for certificate revocation data so that a highly accurate certificate revocation list (CRL) is always available to clients. When establishing this schedule, the need for accurate, up-to-date data must be balanced against the impact that frequent downloads of new CRLs can have on clients.
You must be a certification authority (CA) administrator to complete this procedure. For more information, see Implement Role-Based Administration.
To schedule the publication of the CRL
- Open the Certification Authority snap-in.
- In the console tree, click Revoked Certificates.
- On the Action menu, click Properties.
- In CRL publication interval, type the increment and click the unit of time to use for the automatic publishing of the CRL.
At the defined interval, a new CRL will be published by default in the following folder: systemroot\system32\CertSrv\CertEnroll\. If the computer is a domain member and has permission to write to Active Directory Domain Services (AD DS), then the CRL is also published to AD DS.
The publishing period for a CRL is not the same as the validity period for a CRL. By default, the validity period of a CRL exceeds the publishing period of a CRL by 10 percent (up to a 12-hour maximum) to allow for directory replication.
Scheduling publication of delta CRLs
You can extend your CRL publication schedule by also establishing a schedule for the publication of delta CRLs.
You must be a CA administrator to complete this procedure. For more information, see Implement Role-Based Administration.
To schedule the publication of the delta CRL
- Open the Certification Authority snap-in.
- In the console tree, click Revoked Certificates.
- On the Action menu, click Properties.
- Select the Publish Delta CRLs check box.
- In Publication interval, type the increment and click the unit of time to use for the automatic publishing of the delta CRL.
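To audit the result of both procedures, the following PowerShell script (an added example, not part of the original documentation) reads the CRL and delta CRL intervals configured on the local CA and computes the validity period that the default rule above (publishing period plus 10 percent, capped at 12 hours) would produce. It assumes the intervals are stored in the CA's registry configuration as CRLPeriod/CRLPeriodUnits and CRLDeltaPeriod/CRLDeltaPeriodUnits, and it ignores any custom overlap setting.

```powershell
# Added example: report the CRL publication schedule of the local CA.
# Run in an elevated session on the CA itself.
# Assumption: the schedule is stored as CRLPeriod/CRLPeriodUnits and
# CRLDeltaPeriod/CRLDeltaPeriodUnits under the CertSvc configuration key.
$ErrorActionPreference = 'Stop'
$cfgRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName  = (Get-ItemProperty -LiteralPath $cfgRoot -Name Active).Active
$ca      = Get-ItemProperty -LiteralPath (Join-Path $cfgRoot $caName)

function ConvertTo-Interval([int]$Units, [string]$Period) {
    switch ($Period) {
        'Hours'  { return [TimeSpan]::FromHours($Units) }
        'Days'   { return [TimeSpan]::FromDays($Units) }
        'Weeks'  { return [TimeSpan]::FromDays(7 * $Units) }
        'Months' { return [TimeSpan]::FromDays(30 * $Units) }   # approximation
        'Years'  { return [TimeSpan]::FromDays(365 * $Units) }  # approximation
        default  { throw "Unrecognized period unit '$Period'" }
    }
}

function Get-DefaultValidity([TimeSpan]$Publish) {
    # Rule from the text: validity exceeds the publishing period by
    # 10 percent, and that extra time is capped at 12 hours.
    $overlap = [TimeSpan]::FromTicks([long]($Publish.Ticks * 0.10))
    $cap     = [TimeSpan]::FromHours(12)
    if ($overlap -gt $cap) { $overlap = $cap }
    return $Publish + $overlap
}

$report = foreach ($kind in 'CRL', 'CRLDelta') {
    $units = [int]$ca."${kind}PeriodUnits"
    if ($units -le 0) {
        # Assumption: 0 units means no scheduled publication for this list.
        [pscustomobject]@{ List = $kind; Publish = 'not scheduled'; DefaultValidity = $null }
        continue
    }
    $publish = ConvertTo-Interval $units $ca."${kind}Period"
    [pscustomobject]@{
        List            = $kind
        Publish         = $publish
        DefaultValidity = Get-DefaultValidity $publish
    }
}
$report | Format-Table -AutoSize
```

A one-week base CRL interval, for example, yields a default validity of 7 days 12 hours, because 10 percent of a week (16.8 hours) exceeds the 12-hour cap.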