PKI

How to disable Delta CRL

Disabling Delta CRL

Read time: 4 minutes

What is a CRL and Delta CRL?

A list of digital certificates that have had their issuing certificate authority (CA) revoke them before their actual or assigned expiration date is known as a certificate revocation list (CRL).

A Delta CRL is a supplemental CRL that is optional and only includes the updates made since the last Base CRL update. The standard CRL we’ve been discussing is called “Base” about a delta CRL if one is present.

Steps to Disable Delta CRL

Delta CRL can be disabled either by running certain commands on an administrative command prompt or by using GUI, which is discussed below:

By Command Prompt:

  • Set Delta CRL Validity to zero by running this command on an administrative command prompt: Certutil -setreg CA\CRLDeltaPeriodUnits 0

    Delta CRL Validity
  • Run net stop certsvc and net start certsvc to restart the ADCS Service.

    certsvc
  • Run certutil -crl to publish new CRLs.

    certutil-crl

By using GUI:

  • Open Certificate Authority (CA) Console. To do so, open Server Manager -> Tools -> Certification Authority.

    Certification Authority
  • Right-click on Revoked Certificates and open properties.

    Revoked Certificates properties
  • On the properties page, uncheck “Publish Delta CRLs.”

    To publish Delta and new CRLs
  • Click on Apply and OK.
  • To Publish new CRLs, Right click on Revoked Certificates -> All tasks -> Publish.

    Publish CRLS
  • Click on New CRL to publish.

    Published Certificate Revocation List (CRL)

If you need help with your PKI environment, feel free to email us at info@encryptionconsulting.com.

Free Downloads

Datasheet of Encryption Consulting Services

Encryption Consulting is a customer focused cybersecurity firm that provides a multitude of services in all aspects of encryption for our clients.

Download
Encryption Services

About the Author

Nishiket Kumar is a Consultant at Encryption Consulting, working with PKIs, HSMs and working as a consultant with high-profile clients.

Let's talk