I just have migrated a Win2k-CA to a Windows 2008 server and now have the problem that my CRL has grown from 3kb to 150kb. When I have a closer look on the revoked certifiicates in the crl I see lots of certificates that are expired but still in the crl. I already set the crlFlag -CRLF_PUBLISH_EXPIRED_CERT_CRLS, but after 10 to 12 new crl's generated the old certificates are still in the list. Any ideas or help on this? Thanks Wolfgang

I could only reduce the crl-size by removing all expired certificates completely from the certificates-db with certutil -deleteRow Wolfgang