Providing clients with the information that they need to determine whether to trust a certificate is one of the most important security functions of a certification authority (CA) and public key infrastructure (PKI). For the administrator, this means promptly revoking untrusted certificates that have not reached their scheduled expiration dates and publishing this information in certificate revocation lists (CRLs). Monitoring and addressing problems with CRL publication and availability is a critical aspect of PKI security.
Configure AD CS to use user-specified CRL publication values
Active Directory Certificate Services (AD CS) is running but is using default certificate revocation list (CRL) publication period settings instead of the user-specified values. To fix this error:
Check and, if necessary, correct CRL publication settings.
If necessary, modify CRL registry keys.
Check and correct CRL publication settings
To perform this procedure, you must have Manage CA permission, or you must have been delegated the appropriate authority.
To check and fix correct publication settings:
On the computer hosting the CA, click Start, point to Administrative Tools, and click Certification Authority.
Right-click Revoked Certificates, and click Properties.
Note the listed CRL and delta CRL publication intervals.
If one of the settings is not valid, use the procedure "Modify CRL registry settings" to configure a valid setting.
To use the Certutil command-line tool to determine the configured CRL publication settings:
On the computer hosting the CA, click Start, type cmd and press ENTER.
Type certutil -getreg ca\crlperiod* and press ENTER, and then type certutil -getreg ca\crldeltaperiod* and press ENTER.
If one of these settings is not valid, use the following procedure to configure a valid setting.
Modify CRL registry keys
To perform this procedure, you must have membership in local Administrators, or you must have been delegated the appropriate authority.
To set valid registry keys:
Caution: Incorrectly editing the registry might severely damage your system. Before making changes to the registry, you should back up any valued data.
On the computer hosting the CA, click Start, type regedit, and then press ENTER.
Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\ Configuration\CA name.
Enter valid registry values for CRLPeriod and CRLDeltaPeriod. Valid values are Years, Months, Weeks, Days, or Hours.
Enter valid registry values for CRLPeriodUnits and CRLDeltaPeriodUnits. Valid values are integers (1, 15, or 31, for example).
Note: The text CA name in the actual registry key will be replaced by the name of your CA.