Hello All
Can someone please help me with the following question.
background: I have a 2012 R2 enterprise issuing CA
I have decided not to use Delta CRLs as the number of certs is small and the number of revocations very small. However I still want to publish a daily CRL.
That said I also want to have several days to recover the CA incase of issues. Therefore although I want to publish a base CRL daily I want it to be valid for several days (incase the CA is not available to publish a new base CRL the next day for example).
So I have set the following
CRLPeriod "Days"
CRLPeriodUnits 1
CRLOverlapPeriod "Days"
CRLOverlapPeriodUnits 7
I have checked the above settings with Certutil -getreg CA\CRL* and all looks OK, I have also stopped and restarted certsvc service.
when I publish a CRL the dates are as follows
Effective Date: 23 June
Next Update: 25 June
Next CRL Publish: 24 June
So basically the Effective and Publish dates are OK, however I was expecting the Next Update to be 30 June e.g. 7 days from CRL creation due to the overlap period.
Is what I am trying to do not possible and therefore it is reverting to some default behavior or am I doing something wrong?
any advise most welcome
Thanks
Ernie