CRL automation
I had previously asked this question in a different thread, but I'm looking for some additional feedback.
It's apparent that availability of a time-valid CRL is imperative to the operation and use of certificates.
Are there any concerns or disadvantages to having an automated script / scheduled task that generates and copies the CRL daily, even though the CRL validity period is, say, 7 days?
rem Publish a fresh CRL from the CA, give it a few seconds to be written, then copy the base and delta CRL files to the share
certutil -crl
timeout /t 5
copy /y %windir%\system32\certsrv\certenroll\*.cr? \\serverx\share
Thanks,
Paul
December 21st, 2011 11:24am
There should not be any problems with this setup.
You can configure the ADCS service to publish directly to the \\serverx\share UNC path if wanted!
/Hasain
December 21st, 2011 11:31am
There is no need to use scheduled tasks when the CA can reach the share folder using UNC or file:// paths. As said, you can configure the CA to publish CRLs to a remote share (DFS). There are 2 points to know:
1) The CA server computer account must have at least Change share permissions
2) The CA server computer account must have at least Write NTFS permissions
Depending on certificate revocation intensity (frequency), you may consider publishing the full CRL every 7 days (default value) and publishing Delta CRLs more frequently, say, every few hours. You can configure these values in the Revoked Certificates folder properties (in the Certification Authority MMC).
My weblog: http://en-us.sysadmins.lv
PowerShell PKI Module: http://pspki.codeplex.com
Windows PKI reference on TechNet wiki
December 21st, 2011 12:01pm
I understand the desired goal of manually publishing the CRL daily and getting a CRL valid for 7 days each time. Please consider using CRL overlap if you want to have a similar effect without the need to manually publish the CRL using a scheduled script.
CRL overlap can be configured to a maximum of the CRL publishing interval; an example is to have the CRL published every 4 days with an additional 4 days of overlap. This setup will give you a CRL valid for 8 days each time it is published at the 4-day interval.
/Hasain
December 21st, 2011 12:14pm
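The two suggestions in the replies above (let the CA publish straight to the UNC share, and use CRL overlap instead of a daily re-publish) can be applied from PowerShell with certutil's registry settings. The script below is an added example for this thread and is not code from any of the posters; it assumes it is run elevated on the CA, that "\\serverx\share" is the share from the original post, and that the CA computer account already has the Change (share) and Write (NTFS) permissions Vadims lists. The CA\CRL* registry value names and the 1/64 publication flags are the standard AD CS ones. It also adds the check a monitoring job would want: reading ThisUpdate/NextUpdate out of the CRL that landed on the share and flagging it when it is close to expiry.

```powershell
# Added example (not from the thread): configure AD CS to publish base and delta
# CRLs to the UNC share itself, set a 4-day CRL period with a 4-day overlap, and
# verify the validity window of the CRL files on the share.

function Invoke-Certutil {
    # Run certutil and fail loudly, so a typo in a registry value is not silently ignored.
    param([string[]]$Arguments)
    $output = & certutil.exe @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) { throw "certutil $($Arguments -join ' ') failed: $output" }
    return $output
}

function Set-CrlPublication {
    param(
        [string]$UncPath     = '\\serverx\share',   # share from the original post (assumption)
        [int]   $CrlDays     = 4,                   # base CRL publishing interval
        [int]   $OverlapDays = 4,                   # extra validity added to every base CRL
        [int]   $DeltaHours  = 12                   # delta CRL publishing interval
    )
    # Publication flags: 1 = publish base CRL to this location, 64 = publish delta CRL
    # to this location, so 65 = both. Tokens: %3 = CA name, %8 = CRL name suffix,
    # %9 = "+" for delta CRLs (empty for the base CRL).
    $localUrl  = "65:$env:windir\system32\CertSrv\CertEnroll\%3%8%9.crl"
    $remoteUrl = "65:$UncPath\%3%8%9.crl"
    # certutil treats a literal "\n" inside the value as the separator between entries.
    Invoke-Certutil @('-setreg', 'CA\CRLPublicationURLs', "$localUrl\n$remoteUrl") | Out-Null

    # Base CRL period, overlap, and delta CRL period (same values as the MMC dialog).
    Invoke-Certutil @('-setreg', 'CA\CRLPeriodUnits',      "$CrlDays")     | Out-Null
    Invoke-Certutil @('-setreg', 'CA\CRLPeriod',           'Days')         | Out-Null
    Invoke-Certutil @('-setreg', 'CA\CRLOverlapUnits',     "$OverlapDays") | Out-Null
    Invoke-Certutil @('-setreg', 'CA\CRLOverlapPeriod',    'Days')         | Out-Null
    Invoke-Certutil @('-setreg', 'CA\CRLDeltaPeriodUnits', "$DeltaHours")  | Out-Null
    Invoke-Certutil @('-setreg', 'CA\CRLDeltaPeriod',      'Hours')        | Out-Null

    # The CA reads these values at service start; restart, then force one publish
    # so the share immediately holds a CRL with the new window.
    Restart-Service -Name certsvc
    Invoke-Certutil @('-crl') | Out-Null
}

function Get-CrlWindow {
    # Extract ThisUpdate/NextUpdate from "certutil -dump <file.crl>". The dates are
    # printed in the local culture's format, so [datetime]::Parse uses the current culture.
    param([Parameter(Mandatory)][string]$CrlPath)
    $thisUpdate = $null; $nextUpdate = $null
    foreach ($line in (Invoke-Certutil @('-dump', $CrlPath))) {
        if ($line -match '^\s*ThisUpdate:\s*(.+?)\s*$') { $thisUpdate = [datetime]::Parse($Matches[1]) }
        if ($line -match '^\s*NextUpdate:\s*(.+?)\s*$') { $nextUpdate = [datetime]::Parse($Matches[1]) }
    }
    if (-not $nextUpdate) { throw "No NextUpdate found in $CrlPath (is it a CRL?)" }
    return [pscustomobject]@{ Path = $CrlPath; ThisUpdate = $thisUpdate; NextUpdate = $nextUpdate }
}

function Test-CrlFresh {
    # $true while the CRL still has at least $MinHoursLeft of validity remaining.
    # A base CRL published every 4 days with 4 days overlap should never drop below ~4 days.
    param([Parameter(Mandatory)][string]$CrlPath, [int]$MinHoursLeft = 24)
    $window    = Get-CrlWindow -CrlPath $CrlPath
    $remaining = $window.NextUpdate - (Get-Date)
    return ($remaining.TotalHours -ge $MinHoursLeft)
}

# Usage: apply the configuration, then report on every CRL the CA wrote to the share.
Set-CrlPublication -UncPath '\\serverx\share' -CrlDays 4 -OverlapDays 4 -DeltaHours 12
Get-ChildItem -Path '\\serverx\share\*.crl' | ForEach-Object {
    $w = Get-CrlWindow -CrlPath $_.FullName
    '{0}: valid {1:u} -> {2:u}, fresh={3}' -f $_.Name, $w.ThisUpdate, $w.NextUpdate, (Test-CrlFresh -CrlPath $_.FullName)
}
```

With these values each base CRL's NextUpdate sits roughly 8 days after ThisUpdate (period plus overlap, plus the CA's small clock-skew allowance), while a new one is written every 4 days, which is the effect Hasain describes without any scheduled copy. Run Get-CrlWindow/Test-CrlFresh from a monitoring host rather than the CA so the check also covers the share actually being reachable.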