Schedule Publication of Certificate Revocation Lists
Applies To: Windows Server 2008
You must establish a regular publication schedule for certificate revocation data so that a highly accurate certificate revocation list (CRL) is always available to clients. When establishing this schedule, the need for accurate, up-to-date data must be balanced against the impact that frequent downloads of new CRLs can have on clients.
You must be a certification authority (CA) administrator to complete this procedure. For more information, see Implement Role-Based Administration.
To schedule the publication of the CRL
Open the Certification Authority snap-in.
In the console tree, click Revoked Certificates.
On the Action menu, click Properties.
In CRL publication interval, type the increment and click the unit of time to use for the automatic publishing of the CRL.
At the defined interval, a new CRL will be published by default in the following folder: systemroot\system32\CertSrv\CertEnroll\. If the computer is a domain member and has permission to write to Active Directory Domain Services (AD DS), then the CRL is also published to AD DS.
The publishing period for a CRL is not the same as the validity period for a CRL. By default, the validity period of a CRL exceeds the publishing period of a CRL by 10 percent (up to a 12-hour maximum) to allow for directory replication.
Scheduling publication of delta CRLs
You can extend your CRL publication schedule by also establishing a schedule for the publication of delta CRLs.
You must be a CA administrator to complete this procedure. For more information, see Implement Role-Based Administration.
To schedule the publication of the delta CRL
Open the Certification Authority snap-in.
In the console tree, click Revoked Certificates.
On the Action menu, click Properties.
Select the Publish Delta CRLs check box.
In Publication interval, type the increment and click the unit of time to use for the automatic publishing of the delta CRL.