Confusion..... Is it required to have CRL Overlap periods set; for the base and/or delta CRLs?I think I read that the default value is 10% of the CRL period. I have a customer's PKI that has the following set. Is this not best practice? Should we implement overlaps? We are also considering changing the max-age setting on IIS to refresh client caches more frequently. Root CA:CRLPeriodUnits 1CRLPeriod "Years"CRLDeltaPeriodUnits 0CRLDeltaPeriod "Days" Issuing/Policy CA:CRLPeriodUnits 1CRLPeriod "Weeks"CRLDeltaPeriodUnits 1CRLDeltaPeriod "Days"

> Is it required to have CRL Overlap periods set; for the base and/or delta CRLs? This really depends on your network configuration. Overlap settings are used to resolve AD/DFS replication latency. If your CRLs are published to AD there may be a replication latency while CDP container or DFS share will be replicated to all endpoints. The value of latency may vary up to several hours. > I think I read that the default value is 10% of the CRL period No, it isn't correct. For additional information please check the following link: http://blogs.technet.com/pki/archive/2008/06/05/how-effectivedate-thisupdate-nextupdate-and-nextcrlpublish-are-calculated.aspx You can implement Base CRL overlap for Root CA with 2 weeks value. This means that when CA issue new CRL, you will have 2 weeks to distribute new CRL to all CRL distribution points. For online CAs you can set overlap to 1 day for Base CRL.http://www.sysadmins.lv

Thanks Vadims. I actually checked the registry and the Root CA did have 2 Weeks defined. I have changed the issuing to overlap 1 day for the Base CRL.

Please note, that these are example values. You can set any other overlap setting (as you like).http://www.sysadmins.lv