PKI – CRL Re-sign

In some scenarios it may not be possible to publish a CRL from an offline CA. In that case, on Windows Server, the old CRL can be re-signed without using the certification authority at all. This process assumes that the CA's private key (or keys, if the CA certificate has been renewed) is available outside the CA so that certutil can sign the new CRL; any host that holds that key for this purpose must be protected as carefully as the CA itself. To update an expiring CRL, the old CRL file must be retrieved first. It is available in Active Directory if the CA is an Enterprise CA, or if Active Directory was reachable when the CA was installed, and in the %windir%\System32\CertSrv\CertEnroll directory on the CA machine itself.

The simple syntax for re-signing a CRL is

certutil -sign <existing CRL file name> <resigned CRL file name>

Through the certutil.exe -sign command you can also add or remove serial numbers from the revocation list, remove extensions, or change how long the re-signed CRL will be valid.

By default the re-signed CRL's ThisUpdate is set 10 minutes before the time of signing (to allow for clock skew) and its lifetime (the interval to NextUpdate) is kept equal to that of the old CRL. Check the ThisUpdate and NextUpdate values of the new file (for example with certutil -dump) before publishing it. Use the following command to publish the CRL to Active Directory; certutil will state whether the object in Active Directory was updated or was already up to date. Publishing this way requires write access to the CDP container in AD, and if the CRL is also served from an HTTP distribution point the re-signed file must be copied there as well.

certutil -dspublish <resigned CRL file name>
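The whole procedure above, from inspecting the old CRL to publishing the re-signed one, as an added PowerShell example (this is not code from the original post). It assumes the CA certificate and its private key are already in the certificate store of the account running it, that the file paths are placeholders, that the ThisUpdate and NextUpdate labels it parses are the ones printed by certutil -dump, and that the optional validity argument follows certutil's StartDate+dd:hh form (for example now+7:00 for seven days):

```powershell
# Added example, not from the original post: re-sign an expiring CRL with certutil,
# sanity-check its validity window, then publish it to Active Directory.
# Assumptions (not stated on the page): the CA certificate and private key are in the
# certificate store of the account running this script; the paths are placeholders
# (copy the old CRL from the CA's CertEnroll folder or download it from the CDP); the
# account has write access to the CDP container in AD.
param(
    [string]$OldCrl   = "C:\CRL\Contoso Root CA.crl",            # placeholder path
    [string]$NewCrl   = "C:\CRL\Contoso Root CA-resigned.crl",   # placeholder path
    [string]$Validity = ""    # optional, certutil StartDate+dd:hh form, e.g. "now+7:00"
)

# Pull one "Name: value" field out of certutil -dump output (assumed field labels).
function Get-DumpField {
    param([string[]]$Dump, [string]$Name)
    $m = $Dump | Select-String -Pattern ("^\s*{0}:\s*(.+?)\s*$" -f $Name) | Select-Object -First 1
    if (-not $m) { throw "Field '$Name' not found in certutil -dump output" }
    $m.Matches[0].Groups[1].Value
}

# Return the ThisUpdate / NextUpdate window of a CRL file as [datetime] values.
function Get-CrlWindow {
    param([string]$Path)
    $dump = & certutil.exe -dump $Path
    if ($LASTEXITCODE -ne 0) { throw "certutil -dump failed for $Path" }
    [pscustomobject]@{
        ThisUpdate = [datetime]::Parse((Get-DumpField $dump 'ThisUpdate'))
        NextUpdate = [datetime]::Parse((Get-DumpField $dump 'NextUpdate'))
    }
}

$old = Get-CrlWindow $OldCrl
Write-Host ("Old CRL: ThisUpdate={0} NextUpdate={1}" -f $old.ThisUpdate, $old.NextUpdate)

# Re-sign. With no validity argument certutil keeps the old CRL's lifetime and backdates
# ThisUpdate by 10 minutes for clock skew; a StartDate+dd:hh argument overrides the lifetime.
$signArgs = @('-sign', $OldCrl, $NewCrl)
if ($Validity) { $signArgs += $Validity }
& certutil.exe @signArgs
if ($LASTEXITCODE -ne 0) { throw "certutil -sign failed" }

$new = Get-CrlWindow $NewCrl
Write-Host ("New CRL: ThisUpdate={0} NextUpdate={1}" -f $new.ThisUpdate, $new.NextUpdate)

# Sanity checks before anything reaches AD: the new CRL must be valid now and must
# expire later than the CRL it replaces, otherwise relying parties gain nothing.
$now = Get-Date
if ($new.ThisUpdate -gt $now)              { throw "New CRL ThisUpdate is in the future" }
if ($new.NextUpdate -le $now)              { throw "New CRL is already expired" }
if ($new.NextUpdate -le $old.NextUpdate)   { throw "New CRL does not extend NextUpdate" }

# Publish to the CDP container in Active Directory. certutil reports whether the AD
# object was updated or was already current.
& certutil.exe -dspublish $NewCrl
if ($LASTEXITCODE -ne 0) { throw "certutil -dspublish failed" }
```

The three checks between signing and publishing are the point of the script: a re-signed CRL that is backdated too far, already expired, or no longer than the one it replaces would be published silently by the raw commands. The script only updates Active Directory; any HTTP distribution point listed in the CDP extension still has to receive a copy of the new file separately.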
