Windows 2008 CRLOverlapPeriod / CRLOverlapUnits
Hi,
I am pottering through the "Windows Server 2008 PKI & Certificate Security" book by Brian Komar setting up my first PKI deployment. In some of the example configuration scripts in the book the CA is setup as follows:
CRLOverlapPeriod = Weeks
CRLOverlapUnits = 2
This seems to make sense and provides a broad window in case of issues when publishing CRLs in the upper tiers of a CA hierarchy however as per this article:
http://technet.microsoft.com/en-us/library/cc731104.aspx
"The maximum value for either the CRL or delta CRL overlap period is
12 hours."
I can do some testing to establish if this is correct but can someone confirm this more quickly than it takes me to change my test environment?
May 3rd, 2011 1:39pm
Yes, this is true for Delta CRLs. For more details please check this article:
http://blogs.technet.com/b/pki/archive/2008/06/05/how-effectivedate-thisupdate-nextupdate-and-nextcrlpublish-are-calculated.aspx
My weblog: http://en-us.sysadmins.lv
PowerShell PKI Module: http://pspki.codeplex.com
Free Windows Admin Tool Kit Click here and download it now
May 3rd, 2011 3:32pm
Hi Vadims,
Thanks for the swift, accurate response and link to the great article!
May 3rd, 2011 4:10pm