Viewing Expired Certificate Revocation List (CRL)

First published on TECHNET on Dec 20, 2012

Many customers must perform a regulatory audit annually to comply with industry standards and business trends. Recently I was contacted by one of my customers, who was not able to view all of Revocation Lists (CRLs) issued by their Enterprise Certification Authority. The customer mentioned they were able to view these CRLs on a 2003 Certification Authorities but cannot view them on 2008 R2 Enterprise Certification Authorities.

2008 and Windows Server 2012 Certification Authorities by default delete expired CRLs when a new one is issued. This option can be reversed to preserve expired CRLs, but has to be implemented before your audit. To preserve expired CRLs run the following commands:

certutil –setreg CACRLFlags -CRLF_DELETE_EXPIRED_CRLS

net stop certsvc

net start certsvc

Furthermore, you can view CRLs by running this command:

certutil -view -out “CRLThisPublish,CRLNumber,CRLCount” CRL


The Certification Authority Console by default will not display Revocation List (CRL)history as noted in the screenshot below.

You can change this behavior by running certsvc.msc /e from

Amer F Kamal

Senior Premier Field Engineer

 

This article was originally published by Microsoft's Core Infrastructure and Security Blog. You can find the original article here.