In some scenarios it may not be possible to publish a new CRL from an offline CA before the current CRL expires. In this case, with Windows Server, the old CRL can be re-signed without using the certification authority. This process assumes that the CA private key(s) are available outside the CA, to the account running certutil.exe, so that it can actually sign the CRL. To update an expiring CRL, first retrieve the old CRL file. It is available in Active Directory if the CA is an enterprise CA or if Active Directory was accessible when the CA was installed, and in the %windir%\System32\CertSrv\CertEnroll directory on the CA machine itself.
The simple syntax for re-signing a CRL is
certutil -sign <existing CRL file name> <resigned CRL file name>
The certutil.exe -sign command can also add or remove serial numbers from the CRL, remove extensions, or change how long the re-signed CRL will be valid.
By default the re-signed CRL is valid starting 10 minutes before the time of signing (to allow for clock skew) and keeps a lifetime (ThisUpdate to NextUpdate) equal to that of the old CRL. Use the following command to publish the re-signed CRL to Active Directory; the account running it needs write access to the CDP container in the configuration partition. Certutil will state whether the object in Active Directory was updated or was already up-to-date. Note that the CA itself keeps no record of the re-signed CRL, and that the file does not reach any HTTP CDP location unless you copy it there yourself; once the offline CA is available again, publish a fresh CRL from it in the normal way.
certutil -dspublish <resigned CRL file name>
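The whole procedure (retrieve the old CRL, re-sign it, verify the new dates, publish to Active Directory) as one PowerShell script. This is an added example, not code from the original page or from Microsoft; the file paths, the optional HTTP CDP share, and the validity argument are assumptions for illustration. The validity argument follows certutil's documented "[StartDate+dd:hh]" parameter for -sign; confirm the accepted form with "certutil -sign -?" on your build before relying on it.

```powershell
<#
  Added example (not from the original page): re-sign an expiring CRL with
  certutil.exe and publish the result to Active Directory.
  Assumed/hypothetical values, adjust to your environment:
    - The old CRL was copied from %windir%\System32\CertSrv\CertEnroll on the
      offline CA (or fetched from the LDAP CDP) to C:\CRL\old.crl.
    - The CA private key is usable by the account running this script;
      certutil -sign prompts for the signing certificate when needed.
    - -Validity is passed through as certutil's "[StartDate+dd:hh]" argument,
      e.g. "now+7:00" for seven days from now (check "certutil -sign -?").
#>
param(
    [string]$OldCrl     = 'C:\CRL\old.crl',
    [string]$NewCrl     = 'C:\CRL\resigned.crl',
    [string]$Validity   = '',
    [string]$HttpCdpDir = ''   # e.g. \\webserver\CertEnroll; empty = skip the HTTP CDP copy
)

function Get-CrlDates {
    # Read ThisUpdate/NextUpdate from the text output of "certutil -dump".
    # Returns the raw strings; a field is $null if it was not found.
    param([string]$Path)
    $dump = & certutil.exe -dump $Path 2>&1
    if ($LASTEXITCODE -ne 0) { throw "certutil -dump failed for ${Path}: $dump" }
    $result = @{}
    foreach ($field in 'ThisUpdate', 'NextUpdate') {
        $line = $dump | Select-String -Pattern "^\s*${field}:\s*(.+)$" | Select-Object -First 1
        $result[$field] = if ($line) { $line.Matches[0].Groups[1].Value.Trim() } else { $null }
    }
    [pscustomobject]$result
}

if (-not (Test-Path $OldCrl)) { throw "Old CRL not found: $OldCrl" }

# 1. Inspect the old CRL and warn if it has already expired.
$old = Get-CrlDates $OldCrl
Write-Host "Old CRL: ThisUpdate=$($old.ThisUpdate)  NextUpdate=$($old.NextUpdate)"
$nextUpdate = [datetime]::MinValue
if ($old.NextUpdate -and [datetime]::TryParse($old.NextUpdate, [ref]$nextUpdate) -and $nextUpdate -lt (Get-Date)) {
    Write-Warning "Old CRL expired at $nextUpdate; clients may already be failing revocation checks."
}

# 2. Re-sign. With no validity argument certutil uses its defaults
#    (ThisUpdate = now - 10 min, same lifetime as the old CRL).
$signArgs = @('-sign', $OldCrl, $NewCrl)
if ($Validity) { $signArgs += $Validity }
& certutil.exe @signArgs
if ($LASTEXITCODE -ne 0) { throw "certutil -sign failed (exit code $LASTEXITCODE)" }

# 3. Confirm the new dates moved before publishing anything.
$new = Get-CrlDates $NewCrl
Write-Host "New CRL: ThisUpdate=$($new.ThisUpdate)  NextUpdate=$($new.NextUpdate)"
if ($new.NextUpdate -eq $old.NextUpdate) {
    Write-Warning "NextUpdate did not change; pass -Validity to extend the CRL lifetime."
}

# 4. Publish to the CDP container in Active Directory. Needs write rights on
#    that container; certutil reports "updated" or "already up-to-date".
$publish = & certutil.exe -dspublish $NewCrl 2>&1
if ($LASTEXITCODE -ne 0) { throw "certutil -dspublish failed: $publish" }
$publish | Write-Host

# 5. Optionally refresh an HTTP CDP location. The file name must match the
#    one referenced by the CDP URL, so the old CRL's name is reused.
if ($HttpCdpDir) {
    $dest = Join-Path $HttpCdpDir (Split-Path $OldCrl -Leaf)
    Copy-Item -Path $NewCrl -Destination $dest -Force
    Write-Host "Copied re-signed CRL to $dest"
}
```

Run it from an elevated PowerShell session as an account that holds the CA signing key and can write to the AD CDP container. The expiry warning is the check most worth keeping: if the old CRL has already lapsed, re-signing is a repair of an outage in progress, not a preventive step, and the HTTP copy should not be forgotten because clients that prefer the HTTP CDP will keep seeing the expired file until it is replaced.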