How ThisUpdate, NextUpdate and NextCRLPublish are Calculated
Disclaimer: this article is a rewritten, updated and clarified version of the article posted by John Morello: How EffectiveDate (thisupdate), NextUpdate and NextCRLPublish are calculated.
The most recent version of this article is located at the author's web site: How ThisUpdate, NextUpdate and NextCRLPublish are calculated (v2)
This article describes how a CA server calculates CRL validity. By default, CRL validity is configured conservatively, so everything works without administrator intervention. However, if you are an experienced PKI administrator and plan a custom CRL validity, it is important to understand how the validity is calculated.
First, we need to identify the CRL fields that define CRL validity and the next update date:
- Effective Date (This Update) – a mandatory field that indicates the start of CRL validity.
- Next Update – a mandatory field that indicates when the CRL expires and becomes invalid for revocation checking.
- Next CRL Publish – an optional extension that indicates the date and time when the CA issues a new CRL.
The diagram below displays relations between these fields:
To calculate the values of these fields, the CA server (here, Microsoft CA) uses the following configuration settings; each time field in the CRL is derived from them.
- CRLPeriod – Base CRL validity period;
- CRLOverlapPeriod – Base CRL overlap period;
- CRLDeltaPeriod – Delta CRL period;
- CRLDeltaOverlapPeriod – Delta CRL overlap period;
- ClockSkewMinutes – an extra time frame intended to mitigate possible time synchronization issues. The article “The case about actual certificate signing time” covers the details of this setting.
Each of the first four settings consists of two registry entries:
- *PeriodUnits – specifies the scalar validity value;
- *Period – specifies the measurement unit for the value specified in *PeriodUnits.
Note: the registry entry names are confusing, because *PeriodUnits specifies the scalar value while the unit is identified by the *Period value. Nevertheless, this is the intended behaviour. Microsoft noticed the mix-up when the beta version of Windows 2000 was released, but decided not to make a potentially breaking change in order to maintain compatibility with scripts written for the beta version.
Notation
This article uses the following formula components:
Field = MaximumOf(value1, value2, ..., valueN) – means that the field value is the largest of all values listed in parentheses. Values are separated by commas.
Field = MinimumOf(value1, value2, ..., valueN) – means that the field value is the smallest of all values listed in parentheses. Values are separated by commas.
This Update
The This Update field identifies the date and time when the CRL becomes valid; a CRL whose This Update value is later than the current time is not yet valid. Normally the value is calculated using the following formula:
ThisUpdate = MaximumOf(CurrentTime – ClockSkewMinutes, CANotBefore)
In other words, the ThisUpdate field value is usually CurrentTime minus ClockSkewMinutes (10 minutes by default). The exception is a renewed CA certificate: CurrentTime minus ClockSkewMinutes may fall before the start of the CA certificate's validity, and in that case the ThisUpdate field value equals the NotBefore value of the CA certificate.
Next CRL Publish
The Next CRL Publish extension identifies the time when the next CRL is issued. Its value is calculated as follows for Base and Delta CRLs:
NextCRLPublish (Base CRL) = MinimumOf(CurrentTime + CRLPeriod, CANotAfter)
NextCRLPublish (Delta CRL) = MinimumOf(CurrentTime + CRLDeltaPeriod, CANotAfter)
If CRLDeltaPeriod is zero, no Delta CRL is published. A CRL cannot be valid after the CA certificate expires.
Next Update
Next Update identifies the point in time when the CRL expires. It is calculated as follows for Base and Delta CRLs:
NextUpdate (Base CRL) = MinimumOf(NextCRLPublish + InterimBaseCRLOverlap, CANotAfter)
NextUpdate (Delta CRL) = MinimumOf(NextCRLPublish + InterimDeltaCRLOverlap, CANotAfter)
There are two unknowns: InterimBaseCRLOverlap and InterimDeltaCRLOverlap. Overlap values give each CRL extra validity beyond NextCRLPublish, which mitigates the following cases:
- Active Directory replication delays;
- Delays in CRL distribution from the CA server to the revocation servers;
- Temporary network connectivity issues;
- Unexpected server failure.
Generally speaking, CRLs must be distributed from CAs to the target locations (revocation servers) within the window between NextCRLPublish and NextUpdate.
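The three formulas above, as an added Python example (not code from the original article or from the CA itself). It takes the already-derived InterimBaseCRLOverlap or InterimDeltaCRLOverlap value as a plain input (the sections that follow describe how the CA derives it) and shows the two clamps: ThisUpdate pulled up to CANotBefore after a CA renewal, and NextCRLPublish/NextUpdate cut off at CANotAfter. Function names and all sample dates and periods are constructed for this example.

```python
from datetime import datetime, timedelta

# ClockSkewMinutes default on a Microsoft CA (10 minutes).
DEFAULT_CLOCK_SKEW = timedelta(minutes=10)


def this_update(now, ca_not_before, clock_skew=DEFAULT_CLOCK_SKEW):
    """ThisUpdate = MaximumOf(CurrentTime - ClockSkewMinutes, CANotBefore)."""
    return max(now - clock_skew, ca_not_before)


def next_crl_publish(now, period, ca_not_after):
    """NextCRLPublish = MinimumOf(CurrentTime + Period, CANotAfter).

    Period is CRLPeriod for a Base CRL or CRLDeltaPeriod for a Delta CRL.
    A zero CRLDeltaPeriod means no Delta CRL is published, signalled by None.
    """
    if period <= timedelta(0):
        return None
    return min(now + period, ca_not_after)


def next_update(next_publish, interim_overlap, ca_not_after):
    """NextUpdate = MinimumOf(NextCRLPublish + InterimOverlap, CANotAfter)."""
    return min(next_publish + interim_overlap, ca_not_after)


def crl_times(now, ca_not_before, ca_not_after, period, interim_overlap,
              clock_skew=DEFAULT_CLOCK_SKEW):
    """All three time fields of one CRL, or None when the CRL is not published.

    interim_overlap is the InterimBaseCRLOverlap or InterimDeltaCRLOverlap
    value, supplied here as a ready-made timedelta (example assumption).
    """
    publish = next_crl_publish(now, period, ca_not_after)
    if publish is None:
        return None
    return {
        "ThisUpdate": this_update(now, ca_not_before, clock_skew),
        "NextCRLPublish": publish,
        "NextUpdate": next_update(publish, interim_overlap, ca_not_after),
    }


def distribution_window(times):
    """Time available to get the CRL onto the revocation servers:
    the gap between NextCRLPublish and NextUpdate."""
    return times["NextUpdate"] - times["NextCRLPublish"]


# Constructed sample inputs (not values taken from any real CA).
NOW = datetime(2024, 1, 10, 12, 0, 0)
CA_NOT_BEFORE = datetime(2020, 1, 1, 0, 0, 0)
CA_NOT_AFTER = datetime(2030, 1, 1, 0, 0, 0)
BASE_PERIOD = timedelta(weeks=1)                 # CRLPeriod = 1 Week
BASE_OVERLAP = timedelta(hours=12, minutes=10)   # 12 hours + ClockSkewMinutes

if __name__ == "__main__":
    # Normal case: ThisUpdate 11:50, NextCRLPublish one week later,
    # NextUpdate 12h10m after that.
    normal = crl_times(NOW, CA_NOT_BEFORE, CA_NOT_AFTER, BASE_PERIOD, BASE_OVERLAP)
    for name, value in normal.items():
        print(f"{name:15} {value}")
    print("distribution window:", distribution_window(normal))
    # Renewed CA certificate: ThisUpdate is clamped to CANotBefore.
    renewed = crl_times(NOW, NOW - timedelta(minutes=5), CA_NOT_AFTER,
                        BASE_PERIOD, BASE_OVERLAP)
    print("renewed CA ThisUpdate:  ", renewed["ThisUpdate"])
    # CA certificate about to expire: both later dates clamp to CANotAfter.
    expiring = crl_times(NOW, CA_NOT_BEFORE, NOW + timedelta(days=2),
                         BASE_PERIOD, BASE_OVERLAP)
    print("expiring CA NextUpdate: ", expiring["NextUpdate"])
    # Zero CRLDeltaPeriod: no Delta CRL is published.
    print("delta with zero period:", crl_times(NOW, CA_NOT_BEFORE, CA_NOT_AFTER,
                                               timedelta(0), BASE_OVERLAP))
```

The expiring-CA case is the one worth checking in a real deployment: when CANotAfter clamps both NextCRLPublish and NextUpdate to the same instant, the distribution window collapses to zero and the CA certificate must be renewed before the last CRL runs out.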
InterimBaseCRLOverlap
The InterimBaseCRLOverlap value depends on the CRLOverlapPeriod value. If it is non-zero and valid, the value is calculated as follows:
InterimBaseCRLOverlap = CRLOverlapPeriod + ClockSkewMinutes
If CRLOverlapPeriod is zero or invalid (for example, a negative number or an invalid unit value), the CA evaluates the value in several steps:
- InterimBaseCRLOverlap = MinimumOf(0.1 * CRLPeriod, 12 hours)
- InterimBaseCRLOverlap = MaximumOf(InterimBaseCRLOverlap, 1.5 * ClockSkewMinutes)
- InterimBaseCRLOverlap = MinimumOf(InterimBaseCRLOverlap, CRLPeriod)
- InterimBaseCRLOverlap = InterimBaseCRLOverlap + ClockSkewMinutes
Here is an explanation of this process.
- The CA takes 1/10 of CRLPeriod and compares it with a 12-hour constant. If 1/10 of CRLPeriod is larger than 12 hours, InterimBaseCRLOverlap is set to 12 hours; otherwise 1/10 of CRLPeriod is assigned to InterimBaseCRLOverlap. This step ensures that InterimBaseCRLOverlap is not larger than 12 hours.
- If the value of InterimBaseCRLOverlap calculated in step 1 is less than 1.5 * ClockSkewMinutes (by default ClockSkewMinutes is 10 minutes, so 1.5 * 10 minutes = 15 minutes), 1.5 * ClockSkewMinutes is assigned to InterimBaseCRLOverlap; otherwise InterimBaseCRLOverlap is not changed. This step ensures that InterimBaseCRLOverlap is not smaller than 1.5 * ClockSkewMinutes, so there is a reasonable minimum overlap.
- InterimBaseCRLOverlap is compared with CRLPeriod and the smaller value is assigned to InterimBaseCRLOverlap. The calculations so far ensure that the Base CRL overlap is between 1.5 * ClockSkewMinutes (15 minutes) and 12 hours. However, the overlap period cannot be greater than the CRL validity; therefore, if the calculated value is greater than CRLPeriod (which happens with short-lived CRLs), it is truncated to CRLPeriod. Otherwise, InterimBaseCRLOverlap is not changed in this step.
- Finally, ClockSkewMinutes is added to the resulting InterimBaseCRLOverlap value. The result of this step is the final overlap value.
For example, if CRLPeriod is set to 1 week (168 hours), the resulting value is 12 hours plus ClockSkewMinutes, i.e. 12 hours and 10 minutes.
If CRLPeriod is 1 day (24 hours), the resulting value is 2 hours 24 minutes plus ClockSkewMinutes, i.e. 2 hours and 34 minutes.
If CRLPeriod is 1 hour, the resulting value is 34 minutes.
In other words, the automatic Base CRL overlap value is never less than 24 minutes and never greater than CRLPeriod.
InterimDeltaCRLOverlap
The InterimDeltaCRLOverlap value depends on the CRLDeltaOverlapPeriod value. If it is non-zero and valid, the value is calculated as follows:
InterimDeltaCRLOverlap = CRLDeltaOverlapPeriod + ClockSkewMinutes
If CRLDeltaOverlapPeriod is zero or invalid (for example, a negative number or an invalid unit value), the CA evaluates the value in several steps:
- InterimDeltaCRLOverlap = MinimumOf(CRLDeltaPeriod, 12 hours)
- InterimDeltaCRLOverlap = MaximumOf(InterimDeltaCRLOverlap, 1.5 * ClockSkewMinutes)
- InterimDeltaCRLOverlap = MinimumOf(InterimDeltaCRLOverlap, CRLDeltaPeriod)
- InterimDeltaCRLOverlap = InterimDeltaCRLOverlap + ClockSkewMinutes
Here is an explanation of this process.
- First, the CA takes CRLDeltaPeriod and compares it with a 12-hour constant. If CRLDeltaPeriod is larger than 12 hours, InterimDeltaCRLOverlap is set to 12 hours; otherwise CRLDeltaPeriod is assigned to InterimDeltaCRLOverlap. This step ensures that InterimDeltaCRLOverlap is not larger than 12 hours.
- If the value of InterimDeltaCRLOverlap calculated in step 1 is less than 1.5 * ClockSkewMinutes (by default ClockSkewMinutes is 10 minutes, so 1.5 * 10 minutes = 15 minutes), 1.5 * ClockSkewMinutes is assigned to InterimDeltaCRLOverlap; otherwise InterimDeltaCRLOverlap is not changed. This step ensures that InterimDeltaCRLOverlap is not less than 1.5 * ClockSkewMinutes, so there is a reasonable minimum overlap.
- InterimDeltaCRLOverlap is compared with CRLDeltaPeriod and the smaller value is assigned to InterimDeltaCRLOverlap. The calculations so far ensure that the Delta CRL overlap is between 1.5 * ClockSkewMinutes (15 minutes) and 12 hours. However, the overlap period (once again) cannot be greater than the CRL validity; therefore, if the calculated value is greater than CRLDeltaPeriod (which happens with short-lived CRLs), it is truncated to CRLDeltaPeriod. Otherwise, InterimDeltaCRLOverlap is not changed in this step.
- Finally, ClockSkewMinutes is added to the resulting InterimDeltaCRLOverlap value. The result of this step is the final overlap value.
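The InterimBaseCRLOverlap and InterimDeltaCRLOverlap calculations from the two sections above, as one added Python example (not code from the original article or from the CA). It also converts a (*PeriodUnits, *Period) registry pair into a duration so that an invalid pair falls through to the automatic calculation, as the text describes. The function names, the restriction to fixed-length units (Months and Years are left out because they have no fixed length) and the sample values are this example's own assumptions.

```python
from datetime import timedelta

TWELVE_HOURS = timedelta(hours=12)
DEFAULT_CLOCK_SKEW = timedelta(minutes=10)   # ClockSkewMinutes default

# Fixed-length unit names for the *Period registry values. Months and Years
# also exist on a real CA but have no fixed length, so this simplified
# converter rejects them (an assumption of this example, not CA behaviour).
_UNITS = {
    "Seconds": timedelta(seconds=1),
    "Minutes": timedelta(minutes=1),
    "Hours": timedelta(hours=1),
    "Days": timedelta(days=1),
    "Weeks": timedelta(weeks=1),
}


def registry_period(period_units, period):
    """Convert a (*PeriodUnits, *Period) registry pair to a timedelta.

    Returns None when the pair is invalid: a negative scalar or an unknown
    unit. For the overlap settings the CA treats an invalid value like zero,
    which selects the automatic calculation in interim_overlap().
    """
    if not isinstance(period_units, int) or period_units < 0:
        return None
    if period not in _UNITS:
        return None
    return period_units * _UNITS[period]


def interim_overlap(crl_period, overlap_period, delta=False,
                    clock_skew=DEFAULT_CLOCK_SKEW):
    """InterimBaseCRLOverlap (delta=False) or InterimDeltaCRLOverlap (delta=True).

    crl_period     - CRLPeriod (base) or CRLDeltaPeriod (delta)
    overlap_period - CRLOverlapPeriod or CRLDeltaOverlapPeriod; None if invalid
    """
    # Configured overlap: the CA just adds the clock skew.
    if overlap_period is not None and overlap_period > timedelta(0):
        return overlap_period + clock_skew
    # Automatic overlap, the four steps from the article.
    # Step 1: Base starts from a tenth of CRLPeriod, Delta from the whole
    # CRLDeltaPeriod; either way the value is capped at 12 hours.
    start = crl_period if delta else crl_period / 10
    overlap = min(start, TWELVE_HOURS)
    # Step 2: floor at 1.5 * ClockSkewMinutes (15 minutes by default).
    overlap = max(overlap, 1.5 * clock_skew)
    # Step 3: the overlap can never exceed the CRL's own validity period.
    overlap = min(overlap, crl_period)
    # Step 4: add the clock skew.
    return overlap + clock_skew


def overlap_from_registry(period_units, period, overlap_units, overlap_period,
                          delta=False):
    """The same calculation driven directly by the four registry values."""
    crl_period = registry_period(period_units, period)
    if crl_period is None or crl_period <= timedelta(0):
        raise ValueError("the CRL period itself must be a valid, positive period")
    return interim_overlap(crl_period,
                           registry_period(overlap_units, overlap_period), delta)


if __name__ == "__main__":
    for hours in (168, 24, 1):
        print(f"Base CRLPeriod={hours}h, no CRLOverlapPeriod ->",
              interim_overlap(timedelta(hours=hours), None))
    for minutes in (30, 10):
        print(f"Delta CRLDeltaPeriod={minutes}m, no CRLDeltaOverlapPeriod ->",
              interim_overlap(timedelta(minutes=minutes), None, delta=True))
    print("CRLPeriod=1 Weeks, CRLOverlapPeriod=2 Hours ->",
          overlap_from_registry(1, "Weeks", 2, "Hours"))
    print("CRLPeriod=1 Weeks, CRLOverlapPeriod=-1 Hours (invalid) ->",
          overlap_from_registry(1, "Weeks", -1, "Hours"))
```

Running it reproduces the figures quoted above: 12 hours 10 minutes for a one-week CRLPeriod and 2 hours 34 minutes for a one-day one. For a one-hour CRLPeriod the 15-minute floor of step 2 dominates, so the four steps as written give 15 minutes plus ClockSkewMinutes, and a 10-minute CRLDeltaPeriod shows step 3 truncating the overlap to the period itself before the clock skew is added.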