Windows PKI blog

News and information for public key infrastructure (PKI) and Active Directory Certificate Services (AD CS) professionals

Viewing Expired Certificate Revocation List (CRL)

Many customers must perform a regulatory audit annually to comply with industry standards and business requirements. Recently one of my customers contacted me because they could not view all of the Certificate Revocation Lists (CRLs) that their Enterprise Certification Authority had issued. They had been able to view the full CRL history on a Windows Server 2003 Certification Authority, but could not do so on their Windows Server 2008 R2 Enterprise Certification Authorities.

Windows Server 2008, Windows Server 2008 R2 and Windows Server 2012 Certification Authorities delete expired CRLs from the CA database by default when a new CRL is issued. This behavior is controlled by the CRLF_DELETE_EXPIRED_CRLS bit in the CA\CRLFlags registry value; clearing that bit tells the CA to keep expired CRLs. Clearing it cannot bring back CRLs the CA has already deleted, so the change only helps for CRLs issued after it takes effect and has to be implemented well before your audit. To preserve expired CRLs run the following commands on the CA (the flag is read when the service starts, hence the restart):

certutil -setreg CA\CRLFlags -CRLF_DELETE_EXPIRED_CRLS

net stop certsvc

net start certsvc

Furthermore, you can list every CRL row still held in the CA database (including expired ones, once the flag above has been cleared) by running this command:

certutil -view -out "CRLThisPublish,CRLNumber,CRLCount" CRL
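The two steps above, clearing the flag and then listing the CRL rows, as an added PowerShell example for this post (it is not the author's or Microsoft's code). It assumes it runs in an elevated PowerShell session on the CA host with certutil.exe on the path, that `certutil -getreg` prints the symbolic names of the bits that are set, that `certutil -view ... CRL csv` prints a CSV header row followed by one line per CRL row plus a trailing status line, and that dates are in the en-US format; the function names are mine.

```powershell
# Added example, not code from the original post. Clears CRLF_DELETE_EXPIRED_CRLS
# on the local CA, restarts certsvc, and lists the CRLs held in the CA database.
# Assumptions: elevated session on the CA host; certutil.exe on the path;
# 'certutil -getreg' names the set bits; 'certutil -view ... csv' emits a CSV
# header row, one line per CRL row and a trailing "CertUtil: ..." status line.
#Requires -RunAsAdministrator

$FlagName = 'CRLF_DELETE_EXPIRED_CRLS'   # bit 0x2 of CA\CRLFlags (certsrv.h)

function Test-ExpiredCrlDeletion {
    # certutil -getreg lists each set bit by name, e.g. "CRLF_DELETE_EXPIRED_CRLS -- 2"
    $text = (certutil -getreg 'CA\CRLFlags' 2>&1) -join "`n"
    if ($LASTEXITCODE -ne 0) { throw "certutil -getreg failed: $text" }
    return ($text -match $FlagName)
}

function Disable-ExpiredCrlDeletion {
    if (-not (Test-ExpiredCrlDeletion)) {
        Write-Verbose "$FlagName is already clear; nothing to change."
        return $false
    }
    # A leading '-' on the flag name clears only that bit; the rest of CRLFlags is untouched.
    certutil -setreg 'CA\CRLFlags' "-$FlagName" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certutil -setreg failed with exit code $LASTEXITCODE" }
    # CRLFlags is read at service start, so the change needs a restart of certsvc.
    Restart-Service -Name certsvc
    if (Test-ExpiredCrlDeletion) { throw "$FlagName is still set after restarting certsvc" }
    return $true
}

function Get-CaCrlHistory {
    # The csv header uses localized column names, so values are read by position
    # in the order requested with -out.
    $columns = 'CRLNumber,CRLThisPublish,CRLNextUpdate,CRLCount'
    $lines = certutil -view -out $columns CRL csv
    if ($LASTEXITCODE -ne 0) { throw "certutil -view failed with exit code $LASTEXITCODE" }
    # Drop blank lines and the trailing "CertUtil: -view command completed successfully." line.
    $lines = $lines | Where-Object { $_ -and $_ -notmatch '^CertUtil:' }
    $now = Get-Date
    foreach ($row in ($lines | ConvertFrom-Csv)) {
        $v = @($row.PSObject.Properties | ForEach-Object { $_.Value })
        $nextUpdate = [datetime]::MinValue
        # Expired rows only survive in the database once CRLF_DELETE_EXPIRED_CRLS is clear.
        $expired = if ([datetime]::TryParse($v[2], [ref]$nextUpdate)) { $nextUpdate -lt $now } else { $null }
        [pscustomobject]@{
            CrlNumber   = $v[0]
            ThisPublish = $v[1]
            NextUpdate  = $v[2]
            Entries     = $v[3]   # number of revoked certificates in that CRL
            Expired     = $expired
        }
    }
}

# Usage: clear the flag if it is set, then review what the database holds.
Disable-ExpiredCrlDeletion | Out-Null
Get-CaCrlHistory | Format-Table -AutoSize
```

Run the listing again after the next scheduled CRL publication: the first run can only show expired CRLs that the CA had not yet deleted, since clearing the flag does not recover rows that are already gone.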


The Certification Authority console (certsrv.msc) by default does not display the Certificate Revocation List (CRL) history, as shown in the screenshot below.

You can change this behavior by running certsrv.msc /e from

 Amer F Kamal

Senior Premier Field Engineer

Comments
  • Actually the name of the MMC is certsrv.msc.

    Great post anyway.

    Thank you Amer!

  • Yes, the actual command is: certsrv.msc /e
