
I'm working with Microsoft's Public Key Infrastructure (PKI) and I'm interested to know more about how the expiration date of a CRL is determined and how it can be adjusted in a Microsoft PKI environment.


Specifically:

What factors and configurations determine the default expiration date/period for CRLs in Microsoft PKI? e.g. the CRL itself is valid for 2 days, one week or six months

How can the CRL expiration date be modified or extended to better align with our organization's security policies and certificate lifecycle?

I'm aware of the difference between the CRL publication interval and the CRL expiration date. However, I'm interested in understanding the factors and configurations that influence the CRL expiration date.

  • What factors and configurations determine the default expiration date/period for CRLs in Microsoft PKI? Internally the default is best guess if not specified. This is typically way more important for consumers that manually make offline copies of the CRL / implementations that must use a CRL and not OCSP.
    – Greg Askew
    Oct 16 at 12:46

1 Answer


It's controlled, like many things in ADCS, by the configuration settings in the registry.

Conveniently, Microsoft allow us to set those using the certutil.exe tool, rather than editing the registry directly.

For example:

certutil -setreg ca\ValidityPeriod "Weeks"
certutil -setreg ca\ValidityPeriodUnits "1"

will set the CRLs to be valid for one week. You must restart the CA service for any changes to take effect.

You can read the current settings with:

certutil -getreg ca\ValidityPeriod
certutil -getreg ca\ValidityPeriodUnits

In my lab, where the CA is called W2K19-Issuing-CA1, I get:

PS C:\PKIScripts> certutil.exe -getreg ca\ValidityPeriod
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\W2K19-Issuing-CA1\ValidityPeriod:

  ValidityPeriod REG_SZ = Years
CertUtil: -getreg command completed successfully.
PS C:\PKIScripts> certutil.exe -getreg ca\ValidityPeriodUnits
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\W2K19-Issuing-CA1\ValidityPeriodUnits:

  ValidityPeriodUnits REG_DWORD = 2
CertUtil: -getreg command completed successfully.

which means it's issuing CRLs valid for two weeks.

You can also alter the publishing interval this way (instead of the GUI) by altering ca\CRLOverlapPeriod and ca\CRLOverlapUnits.

  • I ran the commands in my lab and unfortunately that didn't change the validity period. In other words: I have a CA that has CRLs valid for 2 days and another CA that has 4 days validity even though both are set to have 2 days as CRL publication interval
    – kambm
    Oct 16 at 18:26
  • You need to restart the CA service for this to work. I've added this to my answer.
    Oct 16 at 19:24
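As an added check (example code of my own, not from the answer or its comments), this PowerShell snippet reads the CA's CRL scheduling values from the registry path the answer shows, works out the lifetime the CA will stamp into its next CRL, and compares that with the ThisUpdate/NextUpdate of the CRL it last published. It assumes the lab CA name from the answer, the default CertEnroll publication folder, an English-locale certutil, and the documented ADCS default of a 10% overlap capped at 12 hours when CRLOverlapUnits is 0.

```powershell
# Added example: inspect an ADCS CA's CRL scheduling and check the published CRL.
# Assumes the CA name from the answer's lab, the default CertEnroll folder and an
# English-locale certutil; run on the CA host as an administrator.
$CaName = 'W2K19-Issuing-CA1'
$Key    = "HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\$CaName"
$cfg    = Get-ItemProperty -Path $Key

# ADCS stores each interval as a unit string (Hours, Days, Weeks, ...) plus a count.
function ConvertTo-TimeSpan {
    param([string]$Period, [int]$Units)
    switch ($Period) {
        ''        { New-TimeSpan }                           # value absent: treated as zero
        'Seconds' { New-TimeSpan -Seconds $Units }
        'Minutes' { New-TimeSpan -Minutes $Units }
        'Hours'   { New-TimeSpan -Hours   $Units }
        'Days'    { New-TimeSpan -Days    $Units }
        'Weeks'   { New-TimeSpan -Days   ($Units * 7) }
        'Months'  { New-TimeSpan -Days   ($Units * 30) }    # calendar months approximated
        'Years'   { New-TimeSpan -Days   ($Units * 365) }   # calendar years approximated
        default   { throw "Unknown period unit '$Period' under $Key" }
    }
}

# CRLPeriod/CRLPeriodUnits set the publication interval; CRLOverlap* extends NextUpdate.
$crlPeriod = ConvertTo-TimeSpan $cfg.CRLPeriod        $cfg.CRLPeriodUnits
$overlap   = ConvertTo-TimeSpan $cfg.CRLOverlapPeriod $cfg.CRLOverlapUnits
# With no explicit overlap the CA adds 10% of the CRL period, capped at 12 hours.
if ($overlap.TotalSeconds -eq 0) {
    $tenPct  = New-TimeSpan -Seconds ([math]::Floor($crlPeriod.TotalSeconds * 0.1))
    $overlap = if ($tenPct -gt (New-TimeSpan -Hours 12)) { New-TimeSpan -Hours 12 } else { $tenPct }
}
$expected = $crlPeriod + $overlap
"Publication interval : $($cfg.CRLPeriodUnits) $($cfg.CRLPeriod)"
"Overlap applied      : $overlap"
"Next CRL lifetime    : $expected (ThisUpdate to NextUpdate)"

# Cross-check against the CRL the CA last wrote to its CertEnroll folder.
$crlFile = Join-Path $env:SystemRoot "System32\CertSrv\CertEnroll\$CaName.crl"
if (Test-Path $crlFile) {
    $dump = certutil.exe -dump $crlFile
    $this = [datetime](($dump | Select-String '^\s*ThisUpdate:\s*(.+)$').Matches[0].Groups[1].Value)
    $next = [datetime](($dump | Select-String '^\s*NextUpdate:\s*(.+)$').Matches[0].Groups[1].Value)
    "Published lifetime   : $($next - $this) (NextUpdate $next)"
    if ([math]::Abs(($next - $this - $expected).TotalHours) -gt 1) {
        Write-Warning 'Published CRL disagrees with the registry; restart the CA service and republish.'
    }
}
```

A gap between the computed and published lifetimes after a registry change is the symptom described in the comments: the CA reads these values only at service start, so the next CRL carries the new lifetime only once the service has been restarted and a CRL republished.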
