CRL Validity question
Hello,

Currently in my environment, I have our CRL files SFTPed out to an external DMZ HTTP location. The times are currently set to generate a CRL every week and a delta every day. The user certs in the environment have both the path for the CRL and for the delta in them. Our VPN application has been set to check the CRL (it looks to the external HTTP for the CRL as well) every 60 minutes. The VPN cannot look at delta files, only CRL files.

Nightly, I run a batch file that runs a certutil -CRL and -Delta and then SFTPs the 2 files out to the external HTTP location. This runs around 10:45PM.

What I'm afraid of is, once the CRL checking on the VPN device is turned on, and it checks every 60 minutes for revoked clients, is it possible my times are set incorrectly? Once I generate the new CRL files nightly from the batch file, it will overwrite the current CRLs that sit out externally, that the VPN device has looked at every 60 minutes. I guess I'm trying to avoid a mass deny due to an expired/invalid CRL file.

Sorry if this reads like a bad math question!
October 9th, 2009 5:21pm
Hi

Your publishing times seem ok and standard, but why set the VPN to check for the CRL every 60 minutes? The CRL is good for a whole week. Revoking certs with CRLs is a blunt tool. If you need instant revocation then use OCSP or disable the computer account.

How's the VPN app set up? If it can't access the URL, will it use the cached CRL and move on, or is URL access every hour mandatory? If mandatory then your http url needs to be up 24/7.

For CRL latency check CRLOverlap and ClockSkewMinutes.
October 9th, 2009 8:02pm
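The "bad math question" in the original post and the CRLOverlap / ClockSkewMinutes pointer in the reply can be checked with a small scheduling model. The script below is an added example and is not code from either poster or from Microsoft; it models the validity window an AD CS CA stamps into a base CRL (ThisUpdate backdated by ClockSkewMinutes, NextUpdate = issue time + CRLPeriod + CRLOverlapPeriod + ClockSkewMinutes), replays the nightly 10:45 PM publication and the VPN device's hourly poll, and reports the first poll at which the file on the external HTTP host would be outside its window. Delta CRLs are ignored because the VPN cannot use them. The CRLOverlap value of 12 hours and the ClockSkewMinutes value of 10 are assumptions, not the thread's actual CA settings; the failure pattern (which nights the SFTP upload fails) is constructed to show how many missed nights the schedule tolerates.

```python
from datetime import datetime, timedelta

# --- Constructed parameters (assumptions; the thread does not give the CA's actual values) ---
CRL_PERIOD = timedelta(weeks=1)        # base CRL period from the post: "a CRL every week"
CRL_OVERLAP = timedelta(hours=12)      # hypothetical CRLOverlapPeriod setting
CLOCK_SKEW = timedelta(minutes=10)     # ClockSkewMinutes; 10 minutes is the AD CS default
POLL_INTERVAL = timedelta(minutes=60)  # the VPN device checks the CRL every 60 minutes


def crl_window(issued_at):
    """Model the validity window written into a base CRL issued at `issued_at`.

    ThisUpdate is backdated by the clock skew; NextUpdate is CRLPeriod + CRLOverlap
    + ClockSkew ahead of the issue time (modelled behaviour, stated as an assumption).
    """
    this_update = issued_at - CLOCK_SKEW
    next_update = issued_at + CRL_PERIOD + CRL_OVERLAP + CLOCK_SKEW
    return this_update, next_update


def simulate(first_publish, later_nights_ok, horizon_days=14):
    """Replay nightly publication and hourly VPN polls.

    `first_publish` is the first nightly batch run (assumed to succeed).
    `later_nights_ok[i]` says whether the upload on the i-th following night succeeded;
    nights past the end of the list are treated as successful.
    Returns (first_bad_poll, polls_checked): the first poll time at which the CRL on
    the HTTP host is outside its validity window, or None if every poll was fine.
    """
    published = crl_window(first_publish)   # window of the file currently on the HTTP host
    next_publish = first_publish + timedelta(days=1)
    night = 0
    t = first_publish
    end = first_publish + timedelta(days=horizon_days)
    polls = 0
    while t < end:
        # Apply every nightly publication that happened before this poll.
        while next_publish <= t:
            ok = later_nights_ok[night] if night < len(later_nights_ok) else True
            if ok:
                published = crl_window(next_publish)   # fresh file overwrites the old one
            night += 1
            next_publish += timedelta(days=1)
        polls += 1
        this_update, next_update = published
        if not (this_update <= t <= next_update):
            return t, polls
        t += POLL_INTERVAL
    return None, polls


def max_missed_nights(first_publish, limit=30):
    """Largest run of consecutive failed uploads the schedule survives without
    the VPN ever polling an expired CRL (the "mass deny" the poster fears)."""
    best = 0
    for n in range(limit + 1):
        pattern = [False] * n + [True] * (limit - n)
        if simulate(first_publish, pattern, horizon_days=limit + 1)[0] is None:
            best = n
        else:
            break
    return best


if __name__ == "__main__":
    start = datetime(2009, 10, 9, 22, 45)   # constructed: the 10:45 PM batch run
    print("all uploads succeed:", simulate(start, [True] * 13))
    print("all uploads fail:   ", simulate(start, [False] * 13))
    print("missed nights tolerated:", max_missed_nights(start))
```

With these assumed settings the weekly period plus 12 hours of overlap means the external file stays valid for about seven and a half days after the last successful upload, so a nightly job can fail six nights in a row before the hourly poller would see an expired CRL; the seventh missed night is the one that produces denials. Change CRL_OVERLAP and CLOCK_SKEW to the CA's real values (certutil -getreg CA\CRLOverlapPeriod and CA\ClockSkewMinutes report them) to get the margin for a specific environment.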