outdated certificates in CRL on Windows 2008-CA
I have just migrated a Win2k-CA to a Windows 2008 server and now have the problem that my CRL has grown from 3kb to 150kb. When I have a closer look at the revoked certificates in the CRL I see lots of certificates that are expired but still in the CRL. I already set the crlFlag -CRLF_PUBLISH_EXPIRED_CERT_CRLS, but after 10 to 12 new CRLs were generated the old certificates are still in the list. Any ideas or help on this?

Thanks
Wolfgang
May 30th, 2012 1:50am

The expired+revoked certificates should not appear in the CRL unless they are explicitly marked to be published regardless of expiration. To check if the certificate is explicitly flagged to be published in the CRL after expiry, add the column "Publish Expired Certificate in CRL" in the Certification Authority Management MMC.

/Hasain
May 30th, 2012 9:26am

I could only reduce the CRL size by removing all expired certificates completely from the certificates DB with certutil -deleteRow

Wolfgang
May 31st, 2012 1:33am
