By default, AD CS automatically removes expired certificates from the CRLs it publishes. Once a certificate expires, whether it was revoked in the past or not is generally irrelevant: the certificate is no longer time-valid, so relying parties should reject it anyway.

This default behaviour can be changed via one of the CRL flags in the CA configuration, CRLF_PUBLISH_EXPIRED_CERT_CRLS. By default the flag is not set, meaning expired revoked certificates are dropped from the CRL, but it can be set by running:

certutil -setreg CA\CRLFlags +CRLF_PUBLISH_EXPIRED_CERT_CRLS

Once set, revoked certificates remain in subsequent CRLs even after they expire. To unset the flag, simply run:

certutil -setreg CA\CRLFlags -CRLF_PUBLISH_EXPIRED_CERT_CRLS

There are some cases, though, where it is required to keep certain revoked certificates in the CRL even after they have expired. The classic example is code signing certificates: when code is signed using a code signin...
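As an added example (not part of the original post), the following PowerShell check reports whether a CA currently has CRLF_PUBLISH_EXPIRED_CERT_CRLS set, reading CRLFlags from the CertSvc configuration in the registry. It assumes it runs locally on the CA host with rights to read that hive; the 0x200 bit value comes from the Windows SDK CRLFlags definition, not from the post, and can be confirmed with certutil -getreg CA\CRLFlags, which decodes the flag names.

```powershell
# Added example, not code from the original post. Audits whether the local CA
# keeps expired revoked certificates in its CRLs (CRLF_PUBLISH_EXPIRED_CERT_CRLS).
# Assumes: runs on the CA host, caller can read the CertSvc configuration hive.

# Bit value of CRLF_PUBLISH_EXPIRED_CERT_CRLS as defined in the Windows SDK
# (certsrv.h). Confirm with: certutil -getreg CA\CRLFlags (prints symbolic names).
$CRLF_PUBLISH_EXPIRED_CERT_CRLS = 0x200

function Get-CrlFlagsState {
    $cfg = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'

    # The 'Active' value names the CA whose settings live in the sub-key below it.
    $caName = (Get-ItemProperty -Path $cfg -Name Active).Active
    $caKey  = Join-Path -Path $cfg -ChildPath $caName
    $flags  = [int](Get-ItemProperty -Path $caKey -Name CRLFlags).CRLFlags

    [pscustomobject]@{
        CAName              = $caName
        CRLFlags            = ('0x{0:X8}' -f $flags)
        PublishExpiredInCrl = (($flags -band $CRLF_PUBLISH_EXPIRED_CERT_CRLS) -ne 0)
    }
}

$state = Get-CrlFlagsState
$state | Format-List

if (-not $state.PublishExpiredInCrl) {
    # Default state: expired revoked certificates are dropped from published CRLs.
    # For a CA issuing code signing certificates this is usually not what you want.
    $msg = '{0}: CRLF_PUBLISH_EXPIRED_CERT_CRLS is NOT set; expired revoked certificates are removed from the CRL.' -f $state.CAName
    Write-Warning $msg
    Write-Host 'To keep them, run the command from the post, then restart the CA service so it takes effect:'
    Write-Host '  certutil -setreg CA\CRLFlags +CRLF_PUBLISH_EXPIRED_CERT_CRLS'
    Write-Host '  Restart-Service CertSvc'
}
else {
    Write-Host ('{0}: CRLF_PUBLISH_EXPIRED_CERT_CRLS is set; expired revoked certificates stay in the CRL.' -f $state.CAName)
}
```

Like any certutil -setreg change, the flag only influences CRLs published after CertSvc has been restarted, so re-run the check and inspect the next published CRL rather than assuming the change is live.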