Making the Overlap period greater than the publication interval for a base CRL

Hello All

Can someone please help me with the following question.

Background: I have a 2012 R2 enterprise issuing CA.

I have decided not to use Delta CRLs as the number of certs is small and the number of revocations very small. However I still want to publish a daily CRL.

That said, I also want to have several days to recover the CA in case of issues. Therefore, although I want to publish a base CRL daily, I want it to be valid for several days (in case the CA is not available to publish a new base CRL the next day, for example).

So I have set the following

CRLPeriod   "Days"
CRLPeriodUnits   1

CRLOverlapPeriod "Days"
CRLOverlapPeriodUnits  7

I have checked the above settings with Certutil -getreg CA\CRL* and all looks OK. I have also stopped and restarted the certsvc service.

When I publish a CRL the dates are as follows

Effective Date:  23 June
Next Update:  25 June
Next CRL Publish:  24 June

So basically the Effective and Publish dates are OK, however I was expecting the Next Update to be 30 June e.g. 7 days from CRL creation due to the overlap period.

Is what I am trying to do not possible and therefore it is reverting to some default behavior or am I doing something wrong?

Any advice most welcome

Thanks

Ernie

June 23rd, 2015 7:47am

It is not possible. You can check (and print if necessary) this article I wrote some time ago: http://en-us.sysadmins.lv/Lists/Posts/Post.aspx?ID=107

According to this formula:

> InterimBaseCRLOverlap = MinimumOf(InterimBaseCRLOverlap, CRLPeriod)

CRL overlap cannot exceed CRL validity. It is by design.

June 23rd, 2015 3:32pm
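
The clamp in the formula quoted above, worked through with the values from the question. This is an added example, not part of the original thread and not the CA's own code. The function names `Add-CAInterval` and `Get-PredictedCrlDates` are hypothetical, and the model covers only the quoted formula; any other adjustments the CA makes to CRL dates are not modelled.

```powershell
# Added example: simplified model of the quoted clamp, not the CA's implementation.
# Function names are hypothetical; inputs mirror the CA\CRL* registry values.
function Add-CAInterval {
    param([datetime]$Start, [string]$Unit, [int]$Count)
    switch ($Unit) {
        'Hours'  { return $Start.AddHours($Count) }
        'Days'   { return $Start.AddDays($Count) }
        'Weeks'  { return $Start.AddDays(7 * $Count) }
        'Months' { return $Start.AddMonths($Count) }
        'Years'  { return $Start.AddYears($Count) }
        default  { throw "Unsupported unit: $Unit" }
    }
}

function Get-PredictedCrlDates {
    param(
        [datetime]$EffectiveDate,
        [string]$CRLPeriod, [int]$CRLPeriodUnits,
        [string]$CRLOverlapPeriod, [int]$CRLOverlapPeriodUnits
    )
    # The next base CRL is published one CRLPeriod after this one.
    $nextPublish = Add-CAInterval $EffectiveDate $CRLPeriod $CRLPeriodUnits
    $period      = $nextPublish - $EffectiveDate
    # Overlap as configured, measured from the next publication time.
    $requested   = (Add-CAInterval $nextPublish $CRLOverlapPeriod $CRLOverlapPeriodUnits) - $nextPublish
    # InterimBaseCRLOverlap = MinimumOf(InterimBaseCRLOverlap, CRLPeriod)
    $effective   = if ($requested -gt $period) { $period } else { $requested }

    [pscustomobject]@{
        EffectiveDate    = $EffectiveDate
        NextCRLPublish   = $nextPublish
        NextUpdate       = $nextPublish + $effective
        RequestedOverlap = $requested
        EffectiveOverlap = $effective
        OverlapClamped   = ($requested -gt $period)
    }
}

# Constructed input: the settings and effective date from the question.
Get-PredictedCrlDates -EffectiveDate ([datetime]'2015-06-23') `
    -CRLPeriod Days -CRLPeriodUnits 1 `
    -CRLOverlapPeriod Days -CRLOverlapPeriodUnits 7 | Format-List
```

With a 1-day period the 7-day overlap is clamped to 1 day, which gives the 24 June publish date and 25 June Next Update reported in the question rather than 30 June.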

Thanks very much again Vadims :)

Ernie

June 24th, 2015 1:04am
