Windows Server 2008 and Windows Server 2012 Certification Authorities by default delete expired CRLs when a new one is issued. This option can be reversed to preserve expired CRLs, but has to be implemented before your audit. To preserve expired CRLs run the following commands:
certutil -setreg CA\CRLFlags -CRLF_DELETE_EXPIRED_CRLS
net stop certsvc
net start certsvc
Furthermore, you can view CRLs by running this command:
certutil -view -out "CRLThisPublish,CRLNumber,CRLCount" CRL
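As an added example (not part of the original post), this PowerShell check confirms before an audit that the CA is set to keep expired CRLs. It assumes the standard AD CS registry layout, with the CA name in the Active value under the CertSvc Configuration key, and that CRLF_DELETE_EXPIRED_CRLS is the 0x1 bit of CRLFlags.

```powershell
# Added example: verify that the CA is configured to keep expired CRLs.
# Assumptions: standard AD CS registry layout; CRLF_DELETE_EXPIRED_CRLS = 0x1.
# Run in an elevated PowerShell session on the CA server.
$ErrorActionPreference = 'Stop'
$CRLF_DELETE_EXPIRED_CRLS = 0x1

$base   = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName = (Get-ItemProperty -LiteralPath $base -Name Active).Active
$caKey  = Join-Path $base $caName

# CRLFlags is a DWORD bit field; the setreg command above clears this one bit.
$flags   = [int](Get-ItemProperty -LiteralPath $caKey -Name CRLFlags).CRLFlags
$deletes = ($flags -band $CRLF_DELETE_EXPIRED_CRLS) -ne 0
$service = Get-Service -Name certsvc

[pscustomobject]@{
    CA                 = $caName
    CRLFlags           = '0x{0:X}' -f $flags
    DeletesExpiredCRLs = $deletes
    ServiceStatus      = $service.Status
}

if ($deletes) {
    Write-Warning 'CRLF_DELETE_EXPIRED_CRLS is still set: expired CRLs are deleted when a new CRL is issued.'
}
else {
    # The registry value is only read when certsvc starts, so a restart
    # after the change is still required for it to take effect.
    Write-Output 'Flag is cleared. CRL rows currently held in the CA database:'
    certutil -view -out "CRLThisPublish,CRLNumber,CRLCount" CRL
}
```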
The Certification Authority Console by default will not display Certificate Revocation List (CRL) history as noted in the screenshot below.
You can change this behavior by running certsvc.msc /e from