When a large number of certificates are revoked at once, such as during an employee layoff, the Delta CRL can grow significantly because of the large number of entries, and almost all clients will still refer to the older Base CRL. This happens even if a new Base CRL is published immediately after the revocations, and it persists until the new Base CRL has fully propagated.
To handle this scenario, where the Delta CRL is very large, perform the following steps on the CA:
- Modify the registry values under the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\<Name of CA>
- Set CRLOverlapPeriod to Minutes. The default is Hours.
- Set ClockSkewMinutes to 1 minute. The default is 10.
- Restart the CA.
- Publish a new Base CRL. This Base CRL will have a CRLPropagationComplete time of just two minutes, and any subsequent Delta CRLs will refer to this new Base CRL.
- Once this has completed, you can restore CRLOverlapPeriod and ClockSkewMinutes to their default values.
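The following PowerShell script is an added example of the procedure above; it is not part of the original article and is not Microsoft's own tooling. It assumes the CA runs on the local server, that the active CA name can be read from the CertSvc "Active" registry value, that CRLOverlapUnits is set to 1 so the overlap is one minute (the article does not state a unit count), that the Base CRL lands in the default CertEnroll folder, and that a backup of the original values is written to a hypothetical path under ProgramData so the last step can restore them.

```powershell
#Requires -RunAsAdministrator
# Added example: shorten CRL overlap and clock skew so a freshly published
# Base CRL propagates within minutes, then restore the original values.
# Assumptions (not from the article): local CA, CRLOverlapUnits = 1,
# default CertEnroll location, backup file path below is hypothetical.

$ConfigKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$BackupPath = Join-Path $env:ProgramData 'crl-tuning-backup.json'   # hypothetical

function Get-CaName {
    # The 'Active' value under Configuration names the CA hosted on this server.
    (Get-ItemProperty -Path $ConfigKey -Name Active).Active
}

function Get-CrlTuning {
    # Read the three values the procedure touches from the CA's own key.
    $key = Join-Path $ConfigKey (Get-CaName)
    $p   = Get-ItemProperty -Path $key
    [pscustomobject]@{
        CRLOverlapPeriod = $p.CRLOverlapPeriod                                   # REG_SZ, e.g. "Hours"
        CRLOverlapUnits  = if ($null -eq $p.CRLOverlapUnits) { 0 } else { $p.CRLOverlapUnits }  # REG_DWORD
        ClockSkewMinutes = if ($null -eq $p.ClockSkewMinutes) { 10 } else { $p.ClockSkewMinutes } # REG_DWORD
    }
}

function Set-CrlTuning {
    param(
        [Parameter(Mandatory)][string]$OverlapPeriod,
        [Parameter(Mandatory)][int]$OverlapUnits,
        [Parameter(Mandatory)][int]$ClockSkewMinutes
    )
    # certutil -setreg writes the active CA's registry values via the CA\ prefix.
    certutil -setreg CA\CRLOverlapPeriod $OverlapPeriod    | Out-Null
    certutil -setreg CA\CRLOverlapUnits  $OverlapUnits     | Out-Null
    certutil -setreg CA\ClockSkewMinutes $ClockSkewMinutes | Out-Null
    # The CA reads these values at service start, so restart it.
    Restart-Service -Name CertSvc
}

function Start-FastCrlPropagation {
    # Step 1: back up the current values so they can be restored afterwards.
    Get-CrlTuning | ConvertTo-Json | Set-Content -Path $BackupPath
    # Step 2: overlap in minutes and a 1-minute clock skew, then restart the CA.
    Set-CrlTuning -OverlapPeriod 'Minutes' -OverlapUnits 1 -ClockSkewMinutes 1
    # Step 3: publish a new Base CRL (certutil -CRL also republishes the Delta).
    certutil -CRL | Out-Null
    # Check: show the CRL number and validity window of the Base CRL just written.
    $crl = Join-Path $env:SystemRoot "System32\CertSrv\CertEnroll\$(Get-CaName).crl"
    certutil -dump $crl | Select-String 'CRL Number|Update'
}

function Restore-CrlTuning {
    # Run once the new Base CRL is fully propagated to clients.
    $saved = Get-Content -Path $BackupPath -Raw | ConvertFrom-Json
    Set-CrlTuning -OverlapPeriod $saved.CRLOverlapPeriod `
                  -OverlapUnits  $saved.CRLOverlapUnits `
                  -ClockSkewMinutes $saved.ClockSkewMinutes
}

# Usage:
#   Start-FastCrlPropagation   # back up, tune, restart, publish, show CRL fields
#   ...wait until the new Base CRL has propagated...
#   Restore-CrlTuning          # put the saved values back and restart again
```

Keep the tuned values in place only for the propagation window: a one-minute overlap and one-minute clock skew leave almost no tolerance for clients whose clocks drift, which is why the last function exists and should be run as soon as the new Base CRL is in use.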