CRL Publication Interval and CRL Lifetime Configuration

Lightweight Directory Access Protocol (LDAP) addresses or by file and folder location. Note that changes to a certificate server's CRL distribution points do not apply retroactively: the CRL distribution point information is embedded in each certificate at the time of issue. If you change the CRL distribution point, clients checking previously issued certificates will be unable to locate the new distribution point. If a change is necessary, plan a transition that either keeps the old distribution point available for the lifetime of the already issued certificates or renews all existing certificates with the updated CRL distribution point information.

FIGURE 7-14 Editing the CRL distribution point.

CRLs are a single file that, over time, can become very large. This size matters because each time a client performs a revocation check, it has to download the full CRL if it does not already have a copy in its cache. If you update your CRL frequently, clients must download the entire CRL each time because the current version will not already be in their cache. To deal with this problem, you can publish a smaller CRL, known as a delta CRL. The delta CRL contains information only about certificates revoked since the publication of the full (base) CRL. The client downloads the delta CRL and appends it to the CRL in its cache. Because delta CRLs are smaller, you can publish them more often with less impact on the certificate server than publishing the full CRL on a similar schedule would cause.

To configure the CRL and delta CRL publication intervals, open the Certification Authority console, right-click the Revoked Certificates node, and then select Properties. This displays the Revoked Certificates Properties dialog box shown in Figure 7-15. The default CRL publication interval is one week, and the default delta CRL publication interval is one day. Use the certutil -CRL command to force the publication of a new CRL or delta CRL rather than waiting for the next scheduled interval.

CRL Overlap Period
FIGURE 7-15 Revoking a certificate.

Overlap periods describe the amount of time after the end of a published CRL's scheduled lifetime during which the CRL is still considered valid. Consider increasing the overlap period if you are using multiple CRL distribution points (CDPs) and replication of CRL data does not occur immediately, such as when you use a Distributed File System (DFS) share as a CDP and replication takes a significant amount of time to complete; without sufficient overlap, clients served by a lagging CDP can be handed a CRL that has already expired. You can configure overlap periods for both CRLs and delta CRLs by using the certutil -setreg ca\CRLOverlapUnits command.
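The configuration steps described above (publication intervals, overlap periods, and forced publication), as an added PowerShell example that is not from the original text: it sets a weekly base CRL and daily delta CRL, sizes the overlap periods so they cover the assumed CDP replication delay before writing anything, restarts the CA service so the registry values take effect, and forces publication with certutil -CRL. The CRLPeriod/CRLOverlapPeriod family of registry value names and the 4-hour replication delay are assumptions, not values from this page.

```powershell
# Added example (not from the original text): configure base and delta CRL
# publication intervals and overlap periods on an AD CS CA, then republish.
# Assumptions: run elevated on the CA; worst-case replication of the CDP share
# is 4 hours; value names are the CertSvc\Configuration registry values.

param(
    [int]$CdpReplicationHours = 4   # assumed worst-case delay until the CDP has the new CRL
)

# The overlap must at least cover replication delay, otherwise clients served by a
# lagging CDP fetch a CRL whose NextUpdate has already passed and treat it as expired.
function Test-CrlOverlap {
    param([int]$OverlapHours, [int]$ReplicationHours)
    return ($OverlapHours -ge $ReplicationHours)
}

$crlOverlapHours   = 12   # base CRL overlap, in hours
$deltaOverlapHours = 4    # delta CRL overlap, in hours

foreach ($pair in @(@($crlOverlapHours, 'base'), @($deltaOverlapHours, 'delta'))) {
    if (-not (Test-CrlOverlap -OverlapHours $pair[0] -ReplicationHours $CdpReplicationHours)) {
        throw "$($pair[1]) CRL overlap ($($pair[0])h) is shorter than CDP replication delay ($($CdpReplicationHours)h)"
    }
}

# Base CRL: published weekly; NextUpdate = ThisUpdate + 1 week + 12 hours overlap
certutil -setreg CA\CRLPeriodUnits 1
certutil -setreg CA\CRLPeriod "Weeks"
certutil -setreg CA\CRLOverlapUnits $crlOverlapHours
certutil -setreg CA\CRLOverlapPeriod "Hours"

# Delta CRL: published daily; NextUpdate = ThisUpdate + 1 day + 4 hours overlap
certutil -setreg CA\CRLDeltaPeriodUnits 1
certutil -setreg CA\CRLDeltaPeriod "Days"
certutil -setreg CA\CRLDeltaOverlapUnits $deltaOverlapHours
certutil -setreg CA\CRLDeltaOverlapPeriod "Hours"

# Registry changes are read when the CA service starts, so restart it
Restart-Service CertSvc

# Publish a fresh base CRL and delta CRL now instead of waiting for the next interval
certutil -CRL

# Confirm the values the CA will use from now on
certutil -getreg CA\CRLOverlapUnits
certutil -getreg CA\CRLDeltaOverlapUnits
```

After the forced publication, check the ThisUpdate and NextUpdate fields of the CRL at each CDP (for example with certutil -dump on the downloaded file) to confirm the new validity window is what clients will see.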

