CRL Publishing Parameters - Best practice
Hi all again,
It seems that I have taken on ADCS now lol!!
Anyway, does anyone know the best practice for
CRL publication interval and Publish delta settings?
Currently the CRL publication interval is set to 90 days on my server, is this correct? Also, what does it mean? (Does it mean that the client will have a list of certs to revoke and it will not need a new one until the 90 days are over? And I assume a new list will be pushed out on the 90th day? And if this list isn't pushed out the certs will stop working, correct?)
The publish delta CRL is set to 1 day, does that sound right? I assume this is just updates to the list?
So, if I had a cert which will expire in a year from now but I wanted to revoke it, would the client not get the new command until the new delta CRL is due, unless I forced a new one out?
Sorry if I am completely on the wrong track, but I have never been involved in certs before and I am having to learn this from scratch.
Thanks in advance for the replies.
Mac
May 17th, 2012 4:37am
Hi Mac,
you can take a look at this document for CRL checking (and other important mechanisms about certificates):
http://social.technet.microsoft.com/wiki/contents/articles/4954.certificate-status-and-revocation-checking.aspx
Keep in mind that CRLs and delta CRLs are considered valid by the client until the end of their validity period, and only then is a new CRL/delta CRL downloaded. That means that a revoked certificate might be considered valid until a new CRL/delta CRL is available. Personally, I prefer shorter periods than 90 days for the CRL, but that's up to your environment, risk management practice, available bandwidth for frequent downloads, expected numbers of revoked certificates and so on.
Also, you can define overlap periods for CRL and delta CRL publication, so that new CRLs are published and retrieved before their expiration, and you can avoid the risk of clients not accepting certificates because of a problem in publishing CRLs.
Regards
May 17th, 2012 7:23am
Thank you for the reply and the link on this topic.
So my understanding on this is: if I revoke a cert but the current CRL on the machine doesn't expire for another 30 days, the cert will stay active? What happens if I force a new CRL out to the clients? Will that disable the cert?
Thanks again
May 18th, 2012 6:07am
No, that will not work. The clients will have the cached CRL. Even if you try and delete it from the cache, it may or may not work (depending on the operating system, open handles to the CRL, etc.)
If you want a revocation to be recognized by the next day, then you must publish a base CRL or a delta CRL every day.
For an offline CA, I have seen CRL publications (base CRL only) from as low as every 30 days (required by policy) to as much as every year.
For online CAs, I have seen many combinations:
Base = 7 days, and Delta = 1 day
Base = 1 day, Delta = 12 hours
Base = 1 day, Delta = 8 hours
Note in all cases for the issuing CAs, one CRL is published every day.
Brian
May 18th, 2012 8:15am
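As an added example (not code from the thread or from any of its posters), the following PowerShell session applies the "Base = 7 days, Delta = 1 day" pattern with the overlap periods mentioned earlier, publishes a fresh CRL, and works out how long a client can keep trusting a revoked cert because of CRL caching. It assumes it runs locally on an ADCS issuing CA as a CA administrator; the CA name and certificate file path are placeholders, and the worst-case figure is derived from the NextUpdate value that ADCS writes (period plus overlap), which is the longest a client may hold a cached copy.

```powershell
# Added example, not from the original thread. Run on the issuing CA as a CA admin.
# All CA\* keys below are the real ADCS registry values certutil -setreg manages.

# Base CRL: valid 7 days, with 1 day of overlap so the new CRL is on the CDP
# before the old one reaches NextUpdate.
certutil -setreg CA\CRLPeriodUnits 7
certutil -setreg CA\CRLPeriod "Days"
certutil -setreg CA\CRLOverlapUnits 1
certutil -setreg CA\CRLOverlapPeriod "Days"

# Delta CRL: valid 1 day, with 12 hours of overlap.
certutil -setreg CA\CRLDeltaPeriodUnits 1
certutil -setreg CA\CRLDeltaPeriod "Days"
certutil -setreg CA\CRLDeltaOverlapUnits 12
certutil -setreg CA\CRLDeltaOverlapPeriod "Hours"

# The CA service reads these values at start-up.
Restart-Service CertSvc

# Read the settings back to confirm they took effect.
certutil -getreg CA\CRLPeriodUnits
certutil -getreg CA\CRLDeltaPeriodUnits

# Publish a new base CRL and delta CRL right now (what "forcing a new one out"
# does on the CA side). Clients that already cached a CRL keep using it until
# its NextUpdate, which is why this alone does not make a revocation take
# effect immediately.
certutil -CRL

function Get-WorstCaseRevocationLag {
    <#
      Longest time a client may keep accepting a certificate revoked "now".
      Assumption: a client that fetched the latest CRL a moment before the
      revocation will not look for a new one until that CRL's NextUpdate,
      which ADCS sets to ThisUpdate + period + overlap. If the client uses
      delta CRLs, the delta's NextUpdate is the bound; otherwise the base's.
    #>
    param(
        [Parameter(Mandatory)][timespan]$BasePeriod,
        [timespan]$BaseOverlap  = [timespan]::Zero,
        [timespan]$DeltaPeriod  = [timespan]::Zero,
        [timespan]$DeltaOverlap = [timespan]::Zero
    )
    if ($DeltaPeriod -gt [timespan]::Zero) {
        return $DeltaPeriod + $DeltaOverlap
    }
    return $BasePeriod + $BaseOverlap
}

# The settings applied above: clients see a revocation within 1.5 days at worst.
Get-WorstCaseRevocationLag -BasePeriod (New-TimeSpan -Days 7) -BaseOverlap (New-TimeSpan -Days 1) `
                           -DeltaPeriod (New-TimeSpan -Days 1) -DeltaOverlap (New-TimeSpan -Hours 12)

# The original 90-day base CRL with no delta: up to 90 days (plus any overlap).
Get-WorstCaseRevocationLag -BasePeriod (New-TimeSpan -Days 90)

# On a client, check which CRL it actually used for a given certificate and
# whether the cached copy is stale. Path is a placeholder.
certutil -verify -urlfetch 'C:\temp\issued-cert.cer'

# Clearing the client's CRL cache is best-effort, as noted above; it may not
# help if a process still holds the cached CRL open.
certutil -urlcache crl delete
```

The `Get-WorstCaseRevocationLag` figure is an upper bound on staleness, not a typical value; most clients refresh sooner, but the bound is what risk decisions about the base and delta periods should be made against. Keep the overlap comfortably longer than the time it takes to copy a CRL to every CDP location, since the overlap exists so that a late or failed publication does not leave clients with an expired CRL and no replacement.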