Remove Expired CRLs

By default, a CA keeps an expired CRL in its database and also leaves that CRL in the directory at the last known CDP publication point, for historical purposes. Once a CA key expires, the CRL signed by that key is published one final time and is not changed thereafter. A best practice is to keep this CRL in the CA database for long-term validation and audit purposes. It can, however, be removed with the following command:

certutil -setreg ca\CRLFlags +CRLF_DELETE_EXPIRED_CRLS
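As an added example that is not part of the original post, the PowerShell below reads the CA's current CRLFlags from the CertSvc configuration key to report whether expired CRLs are set to be deleted, and wraps the certutil toggle together with the CertSvc restart the change needs before it takes effect. The registry path and the 0x2 bit value for CRLF_DELETE_EXPIRED_CRLS come from the standard AD CS configuration layout; the function names are my own and it assumes it runs on the CA host as a local administrator.

```powershell
# Added example (not from the original post). Bit value of CRLF_DELETE_EXPIRED_CRLS
# as defined for the CA's CRLFlags registry DWORD.
$CRLF_DELETE_EXPIRED_CRLS = 0x2

function Get-CaCrlFlags {
    # The "Active" value names the CA; its subkey holds the CRLFlags DWORD.
    $cfg    = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    $caName = (Get-ItemProperty -Path $cfg -Name Active).Active
    $flags  = (Get-ItemProperty -Path (Join-Path $cfg $caName) -Name CRLFlags).CRLFlags
    [pscustomobject]@{
        CAName            = $caName
        CRLFlags          = ('0x{0:x}' -f $flags)
        DeleteExpiredCrls = [bool]($flags -band $CRLF_DELETE_EXPIRED_CRLS)
    }
}

function Set-CaDeleteExpiredCrls {
    param([Parameter(Mandatory)][bool]$Enabled)
    # certutil -setreg accepts +NAME to set a named bit and -NAME to clear it.
    $op = if ($Enabled) { '+' } else { '-' }
    certutil -setreg 'ca\CRLFlags' "${op}CRLF_DELETE_EXPIRED_CRLS" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certutil -setreg failed with exit code $LASTEXITCODE" }
    # The CA reads its registry configuration at service start, so restart it.
    Restart-Service -Name CertSvc
    Get-CaCrlFlags
}

# Audit the current state first; expired CRLs support long-term signature
# validation and audit of past revocation state, so clear them deliberately.
Get-CaCrlFlags | Format-List
```

Run `Set-CaDeleteExpiredCrls -Enabled $false` to restore the default of retaining expired CRLs.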
