Microsoft KB Archive/313281

= HOW TO: Publish a Certificate Revocation List in Windows 2000 =

PSS ID Number: 313281

Article Last Modified on 10/3/2003

-

The information in this article applies to:


 * Microsoft Windows 2000 Server

-



This article was previously published under Q313281



IN THIS TASK

 * SUMMARY
 * Publish a Certificate Revocation List (CRL)



SUMMARY
This step-by-step article describes how to publish a CRL. If a certificate is no longer trustworthy (for example, because of a change in the status of the certificate holder, departure of the certificate holder from the company, or compromise of the holder's private key), it can be revoked prior to its expiration date.

Revoking a certificate is a simple administrative task. To do so, an administrator right-clicks the certificate in the Certification Authority (CA) MMC, points to All Tasks, and then clicks Revoke Certificate. The certificate is then moved from the Issued Certificates folder to the Revoked Certificates folder.

However, there must be a way to inform those entities that need to verify the validity of certificates (users, computers, and programs) that the certificate has been revoked and is no longer valid. The means for doing so is to publish a CRL to distribute information regarding certificates that have been revoked (those that are in the Revoked Certificates folder).

You can use Windows 2000 CAs to publish the CRL to the Active Directory. The clients can download the CRL from the CA; it is kept in the client's local cache and referred to when the client attempts to verify the validity of a certificate that was issued by the CA.

CAs automatically publish a CRL at an interval that is set by the administrator (the default publication interval is one week, but you can change this by modifying the properties of the Revoked Certificates folder in the CA MMC). You can also manually publish a CRL. You would do this if you revoke certificates between publication periods and need to get the revocation updates to the clients immediately.


Publish a Certificate Revocation List (CRL)
You can manually publish a CRL at any time. To do so:
 1. Log on to the CA as administrator.
 2. Click Start, point to Programs, point to Administrative Tools, and then click Certification Authority.
 3. In the left console pane of the MMC, expand the top node.
 4. Right-click the Revoked Certificates folder, point to All Tasks, and then click Publish.
 5. If the last published CRL is still valid, you receive a notice that it can still be used by clients, and you are asked if you are sure you want to publish a new CRL. Click Yes.

The new CRL is published immediately on the CA server in the \system32\CertSrv\CertEnroll folder. It is also published to the Active Directory, if available. You can view the current CRL from the Revoked Certificates folder's properties (right-click the folder, click Properties, and then click View Current CRL).

Note that when you manually publish a CRL, this does not affect the regular publication schedule. It also does not replace cached copies of the previous CRL that clients have stored locally. The cached CRL will still be valid until it expires (by default, a CRL's validity period extends 10 percent past the publication period). It is very important to keep this in mind when you manually publish CRLs. Clients can manually download a new CRL by connecting to the CA's Web page (http://server name/certsrv) with Internet Explorer.

For additional information about the CRL and related topics, click the article numbers below to view the articles in the Microsoft Knowledge Base:

232161 Changing the Locations of Your Certificate Revocation List (CRL) in Certificate Services 2.0

232165 Enabling Certificate Revocation Checking in Internet Information Server 4.0

271386 How to Install a Windows 2000 Certificate Services Offline Root Certificate Authority

291010 Requirements for Domain Controller Certificates from a Third-Party CA

280815 Certification Authority Does Not Publish Certificate Revocation List to Active Directory

289749 Certificate Revocation Lists (CRL) and IIS 5.0: Common Questions


Keywords: kbhowto kbHOWTOmaster KB313281

Technology: kbwin2000Search kbwin2000Serv kbwin2000ServSearch

-


© 2004 Microsoft Corporation. All rights reserved.