The certificate revocation is allows you to control certificates. The certificates may become invalid at times because either they expire or they are compromised. Certificate was revoked due to a compromise. The certificate server maintains a list of revoked certificates and publishes at specified intervals in a CRL (Certificate Revocation List). This list ensures that the certificate presented is valid and in the certificate chain. A certificate manager can revoke a certificate through the CA console.
The high level steps to create a revocation configuration of CA include the specification of CRL distribution points, Configuration of Delta CRL overlap periods, and schedule the publication of CRLs.
To specify the CRL Distribution points, you need to:
- Click Start->Settings->Administrative Tools->Certificate Authority
- Right-click the Root CA and select Properties from the menu that appears. The properties window of the Root CA appears.
- Click Extensions tab and verify that Select Extensions dropdown list contains a set of CRL distribution points, as shown in Figure 7-17.
- Ensure that the options Publish CRLs to this location and Publish Delta CRLs to this location are enabled.
- Click OK.If you have made any change then you will have to stop and restart the AD CS service.
Figure 7-17 Now you should configure the CRL and Delta CRL overlap periods. To configure them you need to use the certutil command.
- Type the following commands on the issuing CA at the elevated command prompt:
- certutil -setreg CA\CRLOverlapPeriod <value in minutes, hours or days>
- certutil -setreg CA\CRLPeriodUnits <value in number>
- certutil -setreg CA\CRLDeltaOverlapPeriod <value in minutes, hours or days>
- certutil -setreg CA\CRLDeltaPeriodUnits <value in number>
Example:
- certutil -setreg CA\CRLOverlapPeriod «Hours»
- certutil -setreg CA\CRLOverlapUnits 24
- certutil -setreg CA\CRLDeltaOverlapPeriod «Months»
- certutil -setreg CA\CRLDeltaOverlapUnits 12
- Stop and then restart the certification service by typing the commands:
- net stop certsvc
- net start certsvc
You should now configure the publication of the CRLs. To configure the publication of CRLs, you need to go to the Certification Authority console again.
- Click Start->Settings->Administrative Tools->Certificate Authority
- Expand the Root CA, right-click the Revoked Certificates node and then select Properties from the menu that appears. The Revoked Certificates Properties window appears, as shown in Figure.
- Configure the CRL publication interval and Publish Data CRLs interval as desired or accept the default values. Before configuring the interval, you should know that to ensure the high availability of the CRLs, you need to decrease the values because the decreases interval will ensure high throughput and availability of certificates, as shown in Figure 7-18:
Figure 7-18 - Click OK. The revocation configuration is complete.
If you are using classic CRL, then you may have to face a number of problems related to the growing number of CRLs. This is because as the number of certificates grows, the number of revoked certificates will also increase. As a result, the CRL file will just grow large and the clients will have to spend a long time to download the CRL files.
To resolve such problem, you can set up additional CA’s but this will not actually solve the problem. To solve this problem you should consider the implementation of an OCSP (Online Certificate Status Protocol), which can be done through Online Responder service.