Hi, I am pottering through the "Windows Server 2008 PKI & Certificate Security" book by Brian Komar setting up my first PKI deployment. In some of the example configuration scripts in the book the CA is setup as follows: CRLOverlapPeriod = Weeks CRLOverlapUnits = 2 This seems to make sense and provides a broad window in case of issues when publishing CRLs in the upper tiers of a CA hierarchy however as per this article: http://technet.microsoft.com/en-us/library/cc731104.aspx "The maximum value for either the CRL or delta CRL overlap period is 12 hours." I can do some testing to establish if this is correct but can someone confirm this more quickly than it takes me to change my test environment?

Yes, this is true for Delta CRLs. For more details please check this article: http://blogs.technet.com/b/pki/archive/2008/06/05/how-effectivedate-thisupdate-nextupdate-and-nextcrlpublish-are-calculated.aspx My weblog: http://en-us.sysadmins.lv PowerShell PKI Module: http://pspki.codeplex.com

Hi Vadims, Thanks for the swift, accurate response and link to the great article!