Revoking Large Numbers of Certificates

When a large number of certificates are revoked, such as during an employee layoff, the Delta CRL size may increase significantly due to the large number of entries, and almost all clients will refer to the older Base CRL. This situation will happen even if a new base CRL is published right after the revocation of the certificate until the new base is fully propagated.

To overcome this particular scenario where the Delta CRL is very large, perform the following steps on the CA:

  • Modify the registry values under the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\<Name of CA>

    • Set the CRLOverLapPeriod to minutes. The default is hours
    • Set the ClockSkewMinutes to 1minute. The default is 10.
  • Restart the CA.
  • Publish a new Base CRL. The Base CRL will have a CRLPropagationComplete time that will be just two minutes and any subsequent Delta CRLs will refer to this base CRL
  • Once this has been completed, you can then restore the CRLOverLapPeriod and ClockSkew to the default values.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s