PKI - Signing a CRL with a new validity period.
I would like to schedule a task to sign the current CRL with a longer validity period. This CRL would only be published if the CA was down and more time was needed to fix the problem than the current CRL is valid for. We use an HSM, so the signing has to take place on the CA. I have tried using the Certutil -sign <CRL> <NewCRL> <time> command, but that opens a window where the certificate needs to be selected for signing, so that prevents automating the signing. I don't see a way to pass the certificate information. I was wondering if anyone else had found a way to do this, maybe in C# or PowerShell.
April 19th, 2010 11:45pm

Certutil -sign will definitely bring up that dialog box, as it must select the proper certificate for the CRL signing operation. I am not sure about programmatic attempts. Brian
April 20th, 2010 2:00am

The best I've been able to figure out to automate this is to use a macro tool like AutoHotKey to make an .exe you can run. It may work best if you run it under a secondary account rather than the one you would expect to be actively working on, if you have a tighter manual republishing period (like once an hour): have that account signed in, then switch users instead of logging off so it can still paint the desktop. You can have a Notepad file that you can populate from either account to keep CRL additions in, and have it select all and paste that into the command line ;) Not the most high-security solution, which would be to do it manually and deal with it, but for most companies this should do the trick just fine.
April 20th, 2010 8:40pm
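As an added worked example (this is not code from the thread or from any of its posters), here is the publishing half of the scheme described in the question: a PowerShell script meant to run from a scheduled task that publishes a hand-signed, longer-validity fallback CRL only when the CA service is down and the currently published CRL is about to expire. The signing step itself stays manual, since, as both replies note, certutil -sign prompts for the signing certificate and the key lives in the HSM on the CA. The file paths, the service name CertSvc, the expiry threshold, the `+dd:hh` validity argument shown in the header comment (check it against `certutil -sign -?`), and the assumption that `certutil -dump` prints a `NextUpdate:` line in the current culture's date format are all assumptions made for illustration.

```powershell
<#
  Added example, not code from the thread. Publishes a pre-signed, longer-validity
  fallback CRL only when the CA is down and the live CRL is about to expire.
  Intended to run from a scheduled task on the CA or on the CDP web server.

  Assumed manual preparation step, done on the CA because the key lives in the HSM
  (certutil -sign prompts for the signing certificate, so it is not automated here):
      certutil -sign C:\PKI\Live\Contoso-CA.crl C:\PKI\Fallback\Contoso-CA.crl +30:00
  where the trailing "+dd:hh" is the new validity period in days and hours.
#>
param(
    # Assumed paths: the CRL currently served from the CDP and the hand-signed fallback.
    [string]$PublishedCrl  = 'C:\inetpub\wwwroot\CertEnroll\Contoso-CA.crl',
    [string]$FallbackCrl   = 'C:\PKI\Fallback\Contoso-CA.crl',
    # Publish the fallback once less than this many hours of validity remain.
    [int]$ThresholdHours   = 12,
    # Assumed service name of Active Directory Certificate Services.
    [string]$CaServiceName = 'CertSvc'
)

function Get-CrlNextUpdate {
    param([Parameter(Mandatory)][string]$Path)
    # Assumption: certutil -dump prints a line such as " NextUpdate: 4/27/2010 11:45 AM"
    # in the current culture's date format; parse the first one found.
    $dump = & certutil.exe -dump $Path 2>&1
    if ($LASTEXITCODE -ne 0) { throw "certutil -dump failed for ${Path}: $dump" }
    foreach ($line in $dump) {
        if ("$line" -match '^\s*NextUpdate:\s*(.+?)\s*$') {
            return [datetime]::Parse($Matches[1])
        }
    }
    throw "No NextUpdate line found in $Path"
}

function Test-CaDown {
    param([Parameter(Mandatory)][string]$ServiceName)
    # Treat a missing service the same as a stopped one.
    $svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
    return (-not $svc) -or ($svc.Status -ne 'Running')
}

function Publish-FallbackCrlIfNeeded {
    param(
        [string]$PublishedCrl, [string]$FallbackCrl,
        [int]$ThresholdHours, [string]$CaServiceName
    )
    if (-not (Test-CaDown -ServiceName $CaServiceName)) {
        Write-Output "CA service '$CaServiceName' is running; leaving the live CRL alone."
        return $false
    }
    $liveNext  = Get-CrlNextUpdate -Path $PublishedCrl
    $remaining = $liveNext - (Get-Date)
    if ($remaining.TotalHours -gt $ThresholdHours) {
        Write-Output ("CA is down but the live CRL is valid for another {0:N1} h; waiting." -f $remaining.TotalHours)
        return $false
    }
    # Never replace the live CRL with one that expires sooner or has already expired.
    $fallbackNext = Get-CrlNextUpdate -Path $FallbackCrl
    if ($fallbackNext -le $liveNext -or $fallbackNext -le (Get-Date)) {
        throw "Fallback CRL NextUpdate ($fallbackNext) is not later than the live one ($liveNext); re-sign it first."
    }
    # Keep a copy of what was being served so the swap can be undone once the CA is back.
    Copy-Item -Path $PublishedCrl -Destination "$PublishedCrl.bak" -Force
    Copy-Item -Path $FallbackCrl  -Destination $PublishedCrl -Force
    Write-Output "Published fallback CRL valid until $fallbackNext."
    return $true
}

Publish-FallbackCrlIfNeeded -PublishedCrl $PublishedCrl -FallbackCrl $FallbackCrl `
    -ThresholdHours $ThresholdHours -CaServiceName $CaServiceName
```

Run it from a scheduled task under an account that can write to the CDP directory and query the CA service, at an interval shorter than the threshold. Two caveats a practitioner will want: certutil -sign re-signs the CRL content as it stood when the fallback was made, so revocations processed after that point are not in it, which means the fallback should be re-signed after each regular CRL publication and replaced with a freshly issued CRL as soon as the CA is back; and because the script decides purely on service state and NextUpdate, it should not be used as a substitute for publishing on the normal schedule while the CA is healthy.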
