Share via

Manually publish the certificate revocation list

  • Article

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

To manually publish the certificate revocation list

  • Using the Windows interface

  • Using a command line

Using the Windows interface

  1. Log on to the system as a Certification Authority Administrator.

  2. Open Certification Authority.

  3. In the console tree, click Revoked Certificates.

    Where?

    • Certification Authority (Computer)/CA name/Revoked Certificates

  4. On the Action menu, point to All Tasks, and click Publish.

  5. Select New CRL to overwrite the previously-published certificate revocation list (CRL), or select Delta CRL only to publish a current delta CRL.

Notes

  • To open Certification Authority, click Start, click Control Panel, double-click Administrative Tools, and then double-click Certification Authority.

  • Clients that have a cached copy of the previously-published CRL or delta CRL will continue using it until its validity period has expired, even though a new CRL has been published. Manually publishing a CRL does not affect cached copies of CRLs that are still valid; it only makes a new CRL available for systems that do not have a valid CRL.

  • See Related Topics for the procedure clients can use to get the most recent CRL published by the certification authority (CA) even if they still have a valid CRL cached.

  • By default, on the server on which the CA is installed, the CRL and delta CRL are published in:

    Systemroot\system32\CertSrv\CertEnroll\

  • If the Active Directory directory service is available, they are also published to Active Directory.

Using a command line

  1. Open Command Prompt.

  2. Type:

    certutil -crl

Value Description

crl

Specifies that a full certificate revocation list will be published.

Notes

  • To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command prompt.

  • To view the complete syntax for this command, at a command prompt, type:

    certutil -crl -?

Information about functional differences

  • Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings. For more information, see Viewing Help on the Web.

See Also

Concepts

Configure CRL and delta CRL overlap period
Working with MMC console files
Revoking certificates and publishing CRLs
Certificate revocation
Revoke an issued certificate
Specify certificate revocation list distribution points in issued certificates
Schedule the publication of the certificate revocation list
View the certificate revocation list
Retrieve a certificate revocation list