Publishing Root CA’s Certificate Revocation List (CRL)


Organizations must update their Root Certification Authority’s (CA’s) CRL once or twice a year. This operation is necessary to ensure that the Microsoft PKI remains operational and trusted. If the Root CA’s CRL is not published on time, operations may break and all processes may halt. The PKI would no longer be trusted, and this could be catastrophic for the organization.

The whole PKI and the infrastructure that uses its certificates would become inoperable, and the organization may face an outage.


First, we will open PKIView.msc and check when the Root CA’s CRL expires.


Publish CRL on Root CA

  1. Next, we navigate to the Root CA and open a command prompt with administrative privileges.
  2. We run the command certutil -crl to publish a new CRL for the Root CA.
  3. We then open the folder “C:\Windows\System32\CertSrv\CertEnroll\” to check that the CRL is present.
  4. We open the CRL file to check its expiration date.
  5. Now, we copy the file onto a USB drive or into a temporary folder. Since the Root CA is supposed to be offline, we advise copying the file to a USB drive so that it can be transferred to the Issuing CAs and CDP servers.

Copy CRL to Issuing CA and CDP Servers.

Note: Instead of an Issuing CA, we can also use any machine that is joined to the domain.

  1. We copy the CRL file onto one of our Issuing CAs (or any other domain-joined machine).
  2. We open a command prompt with administrative privileges and navigate to the folder containing the CRL file.
  3. Now we run the command certutil -f -dspublish "*.crl"

    Note: In this case, CA01 is the hostname of the Root CA.

  4. Next, we copy the CRL to each server that serves as a CDP/AIA point.
  5. Our CRL files should now be distributed to every location needed for the PKI to function.


  1. Now, we navigate back to the Issuing CA, refresh PKIView.msc, and check when the new CRLs expire.

    The new dates should now be different from the dates we noted in the prerequisites.

  2. We now open a command prompt with administrative privileges on the Issuing CA and run the command certutil -crl
  3. Once both of these steps succeed, we can consider this task complete.
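
The expiry check done by hand in the steps above can also be scripted against each copy of the CRL. The following is an added example, not code from the original article: it reads thisUpdate and nextUpdate straight from a DER-encoded CRL and classifies it. The function names, the 30-day warning threshold and the sample CRL (issuer CN=CA01, zeroed signature) are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def parse_time(tag, value):
    """Decode UTCTime (0x17) or GeneralizedTime (0x18) in 'Z' form as UTC."""
    fmt = {0x17: "%y%m%d%H%M%SZ", 0x18: "%Y%m%d%H%M%SZ"}[tag]
    return datetime.strptime(value.decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def crl_validity(der):
    """Return (thisUpdate, nextUpdate) of a DER CRL; nextUpdate may be None."""
    _, cert_list, _ = read_tlv(der, 0)                   # CertificateList
    _, tbs, _ = read_tlv(cert_list, 0)                   # TBSCertList
    pos = read_tlv(tbs, 0)[2] if tbs[0] == 0x02 else 0   # skip optional version
    _, _, pos = read_tlv(tbs, pos)                       # signature algorithm
    _, _, pos = read_tlv(tbs, pos)                       # issuer Name
    tag, value, pos = read_tlv(tbs, pos)                 # thisUpdate
    this_update, next_update = parse_time(tag, value), None
    if pos < len(tbs) and tbs[pos] in (0x17, 0x18):      # nextUpdate is optional
        next_update = parse_time(*read_tlv(tbs, pos)[:2])
    return this_update, next_update

def crl_status(der, now, warn_days=30):
    """Classify a CRL at time now: EXPIRED, EXPIRING_SOON, NO_NEXT_UPDATE or OK."""
    _, next_update = crl_validity(der)
    if next_update is None:
        return "NO_NEXT_UPDATE"
    if now >= next_update:
        return "EXPIRED"
    return "EXPIRING_SOON" if next_update - now <= timedelta(days=warn_days) else "OK"

def tlv(tag, body):  # DER encoder, used only to build the constructed sample
    n = len(body)
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x80 | len(size)]) + size) + body

# Constructed sample, not a real CRL: issuer CN=CA01, zeroed placeholder signature.
ALG = tlv(0x30, bytes.fromhex("06092a864886f70d01010b0500"))  # sha256WithRSAEncryption
NAME = tlv(0x30, tlv(0x31, tlv(0x30, bytes.fromhex("0603550403") + tlv(0x13, b"CA01"))))
TIMES = tlv(0x17, b"240101000000Z") + tlv(0x17, b"240701000000Z")  # this/nextUpdate
TBS = tlv(0x30, tlv(0x02, b"\x01") + ALG + NAME + TIMES)
SAMPLE_CRL = tlv(0x30, TBS + ALG + tlv(0x03, bytes(257)))
```

To check a copied file, pass its bytes and the current UTC time to crl_status; this assumes the .crl file is DER-encoded rather than PEM. The code reads the validity dates only and does not verify the CRL's signature.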


Publishing your Root CA’s CRL on time is necessary for a PKI to function properly and remain operational. Since an organization’s infrastructure depends on PKI, it becomes a crucial part of the organization’s operations, as a non-functioning PKI can result in outages throughout the organization. This article should help organizations publish their Root CA’s CRL without any major hurdles.


About the Author

Anish Bhattacharya is a Consultant at Encryption Consulting, working with PKIs, HSMs, creating Google Cloud applications, and working as a consultant with high-profile clients.
