This articl
What makes a large CRL?
There is really only one item that makes the CRL grow: revoked certificates. However, expired certificates are removed from the CRL unless they are specified to be retained in the CRL. By default there are two types of Enhanced Key Usage (EKU) certificates that are retained. They have the following object identifiers (OIDs) and purposes:
- 1.3.6.1.5.5.7.3.3 Code Signing
- 1.3.6.1.4.1.311.61.1.1 Kernel Mode Code Signing
There is also the All Purposes certificate purpose (EKU), which includes those two OIDs, so certificates issued with that EKU will also be retained in the CRL.
Further, you can configure a certification authority to retain all expired certificates in the CRL by running the following command:
certutil -setreg ca\CRLFlags +CRLF_PUBLISH_EXPIRED_CERT_CRLS
To change that back, run the following command:
certutil -setreg ca\CRLFlags -CRLF_PUBLISH_EXPIRED_CERT_CRLS
By default, certificates that are revoked and not yet expired, as well as revoked certificates carrying an EKU OID listed in the CA's EKUOIDsForPublishExpiredCertInCRL setting, remain in the CRL. When you are configuring certificate templates or making certificate requests, you should ensure that you configure them to expire in an appropriate amount of time. For example, you would not want to make a user certificate valid for three years if you have turnover every three months and you plan to revoke the certificate when people leave or no longer need the certificate. There are two options here. If it is an internal employee, you could simply disable the user account and not worry about revoking the certificate. The other option is to give the certificates shorter lifespans. This will cause more frequent renewals for long-term members of the organization, but it will cut down on the CRL size for short-term employees. Furthermore, you can automate certificate renewal within an Active Directory Domain Services (AD DS) forest (see Configure Certificate Autoenrollment) and even beyond forest boundaries starting in Windows Server 2012 and Windows 8 (see Test Lab Guide Mini-Module: Cross-Forest Certificate Enrollment using Certificate Enrollment Web Services).
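The following PowerShell script is an added example; it is not part of the original article and is not a Microsoft-supplied tool. It audits the two things discussed above that determine CRL size: the CA's CRLFlags and EKUOIDsForPublishExpiredCertInCRL settings (which decide whether expired certificates stay in the CRL), and the revoked entries currently in the CA database, grouped by certificate template and by whether they have already expired, with the longest number of days an entry will still sit in the CRL. That last column is where an overly long validity period combined with high turnover becomes visible. It assumes it runs as a CA administrator with certutil.exe available; the -Config value is a constructed placeholder, and the CSV column names are read by position because certutil displays them under locale-dependent names.

```powershell
# Added example (not from the original article): report what is driving CRL size on an AD CS CA.
# Assumes: run as a CA administrator where certutil.exe is available. -Config is a constructed
# placeholder; leave it empty to target the local CA.
param(
    [string]$Config = ''   # e.g. 'CA01.corp.example\Corp Issuing CA' (placeholder, not a real CA)
)

$cfgArgs = @()
if ($Config) { $cfgArgs = @('-config', $Config) }

# 1. Does the CA keep *all* expired certificates in the CRL?
#    certutil lists the CRLFlags bits that are set by name, so a name match is enough.
$flagsText = (& certutil @cfgArgs -getreg ca\CRLFlags 2>&1) -join "`n"
$publishExpired = $flagsText -match 'CRLF_PUBLISH_EXPIRED_CERT_CRLS'
Write-Host "CRLF_PUBLISH_EXPIRED_CERT_CRLS set: $publishExpired"

# 2. Which EKU OIDs keep a revoked certificate in the CRL after it expires?
#    The setting is a REG_MULTI_SZ; each line holds an OID followed by a friendly name.
$ekuText = (& certutil @cfgArgs -getreg ca\EKUOIDsForPublishExpiredCertInCRL 2>&1) -join "`n"
$retainedOids = [regex]::Matches($ekuText, '\b\d+(\.\d+){3,}\b') |
    ForEach-Object { $_.Value } | Sort-Object -Unique
Write-Host "EKU OIDs retained after expiry: $($retainedOids -join ', ')"

# 3. Revoked certificates in the CA database (Disposition 21 = revoked), exported as CSV.
#    Lines without a comma (status messages, blanks) are not CSV rows and are dropped.
$csvLines = & certutil @cfgArgs -view -restrict 'Disposition=21' -out 'RequestID,NotAfter,CertificateTemplate' csv
$rows = $csvLines | Where-Object { $_ -like '*,*' } | ConvertFrom-Csv
if (-not $rows) { Write-Host 'No revoked certificates in the CA database.'; return }

$cols = @($rows[0].PSObject.Properties.Name)   # position 0 = RequestID, 1 = NotAfter, 2 = template
$now  = Get-Date

# Per entry: has it expired (so it drops off the CRL unless retained), and if not,
# how many more days it will remain in the CRL.
$entries = foreach ($r in $rows) {
    $notAfter = [datetime]::Parse($r.($cols[1]))
    [pscustomobject]@{
        RequestId = $r.($cols[0])
        Template  = $r.($cols[2])
        Expired   = ($notAfter -lt $now)
        DaysLeft  = [math]::Max(0, [int]($notAfter - $now).TotalDays)
    }
}

# Summary: which templates contribute the most entries, and for how long.
$entries | Group-Object Template, Expired | ForEach-Object {
    [pscustomobject]@{
        Template        = $_.Group[0].Template
        Expired         = $_.Group[0].Expired
        Count           = $_.Count
        LongestDaysLeft = ($_.Group | Measure-Object DaysLeft -Maximum).Maximum
    }
} | Sort-Object Count -Descending | Format-Table -AutoSize
```

Run it on the CA itself (or pass -Config to reach a remote CA). A template that shows many unexpired revoked entries with a large LongestDaysLeft is the case the article warns about: long validity plus frequent revocation. If you do change CRLFlags with certutil -setreg, the CA reads the registry at startup, so restart the service (net stop certsvc, then net start certsvc) and publish a fresh CRL with certutil -crl before re-checking the size.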