This article discusses the reasons a certificate revocation list (CRL) can become large. The contents of this article include the following:

What makes large CRL?

There is really one item that makes the CRL grow: revoked certificates. However, expired certificates are removed from the CRL, unless they are specified to be retained in the CRL. By default there are two types of Enhanced Key Usage (EKU) certificates that are retained. They have the following object identifiers (OIDs) and purposes:
  • 1.3.6.1.5.5.7.3.3 Code Signing
  • 1.3.6.1.4.1.311.61.1.1 Kernel Mode Code Signing
There is also the All Purposes certificate purpose (EKU), that would include those two OIDs and certificates issued with that EKU will be retailed in the CRL.

Further, you can configure a certification authority to retain expired certificates in the CRL. If you run the following command:
    certutil –setreg ca\CRLFlags +CRLF_PUBLISH_EXPIRED_CERT_CRLS
To change that, you can run the following command:
    certutil –setreg ca\CRLFlags - CRLF_PUBLISH_EXPIRED_CERT_CRLS

By default, certificates that are revoked and not yet expired as well as certificates that have the EKUOIDsForPublishExpiredCertInCRL = 1 in them, will remain in the CRL. When you are configuring certificate templates or making certificate requests, you should ensure that you configure them to expire in an appropriate amount of time. For example, you would not want to make a user certificate valid for three years, if you have turn-over every three months and you plan to revoke the certificate when people leave or no longer need the certificate. There are two options here. If it is an internal employee, you could simply disable the user account and not worry about revoking the certificate. The other option is to simply give shorter lifespans to the certificates. This will cause more frequent renewals for long term members of the organization, but it will cut down on the CRL size for users that are short term employees. Furthermore, you can automate certificate renewal within an Active Directory Domain Services (AD DS) forest (Configure Certificate Autoenrollment) and even beyond forest boundaries starting in Windows Server 2012 and Windows 8 (Test Lab Guide Mini-Module: Cross-Forest Certificate Enrollment using Certificate Enrollment Web Services).

Return to Contents

Additional References

Return to Contents