Freigeben über


Viewing Expired Certificate Revocation List (CRL)

Many customers must perform a regulatory audit annually to comply with industry standards and business trends. Recently I was contacted by one of my customers, who was not able to view all of Certificate Revocation Lists (CRLs) issued by their Enterprise Certification Authority. The customer mentioned they were able to view these CRLs on a Windows Server 2003 Certification Authorities but cannot view them on Windows Server 2008 R2 Enterprise Certification Authorities.

 

Windows Server 2008 and Windows Server 2012 Certification Authorities by default delete expired CRLs when a new one is issued. This option can be reversed to preserve expired CRLs, but has to be implemented before your audit. To preserve expired CRLs run the following commands:

certutil –setreg CA\CRLFlags -CRLF_DELETE_EXPIRED_CRLS

net stop certsvc

net start certsvc

 

Furthermore, you can view CRLs by running this command:

 certutil -view -out "CRLThisPublish,CRLNumber,CRLCount" CRL

The Certification Authority Console by default will not display Certificate Revocation List (CRL)history as noted in the screenshot below.

 

 

You can change this behavior by running certsvc.msc /e from

 Amer F Kamal

Senior Premier Field Engineer

Comments

  • Anonymous
    January 01, 2003
    Yes, the actual command is:certsrv.msc /e
  • Anonymous
    December 20, 2012
    Actually the name of the MMC is certsrv.msc. Great post anyway. Thank you Amer!