If the CRL on an internal Active Directory CA has been out of date for some time, will there be any issues if an up-to-date CRL is published? What would be the safest way to go about updating the CRL? Thanks.
Hi, you can update the CRL without any issues. It’s important to keep it up to date so that clients are able to identify revoked certificates. It is recommended to keep the CRL up to date automatically.
Please don’t forget to accept the helpful answer.
Hello james gledson,
Thank you for posting in Q&A forum.
*If the CRL on an internal Active Directory CA has been out of date for some time, will there be any issues if an up-to-date CRL is published?*
A: If any certificate was revoked during this time, then after you update the CRL to the newest file, and if this certificate can access the newest CRL file and Delta CRL file when it is used, then this certificate may not be used (because it checks that this certificate is revoked).
If no certificate was revoked during this time, then there will be no impact.
*What would be the safest way to go about updating the CRL?*
A: You can right-click the Revoked Certificate container and select Publish\All Tasks and select New CRL\Click OK.
And right-click the Revoked Certificate container and select Publish\All Tasks and select Delta CRL only\Click OK.
Or you can publish the CRL with these commands:
Certutil -config "CAMachineName\CAName" -CRL
Certutil -config "CAMachineName\CAName" -CRL delta
For example:
If the Answer is helpful, please click "Accept Answer" and upvote it.
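An added example, not code from either answer: a small Python sketch of what a revocation-checking client reads from a CRL (thisUpdate, nextUpdate and the revoked serial numbers, per RFC 5280), showing why a certificate revoked while the CRL was stale starts being rejected once the new CRL is published. The function names, the verdict strings and the "Test CA" sample CRLs are constructed for illustration, and the sketch does not verify the CRL signature, which a real client must do.

```python
from datetime import datetime, timezone

def tlv(buf, pos):
    """Read one DER element at pos; return (tag, content, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_time(tag, raw):  # UTCTime (0x17) or GeneralizedTime (0x18)
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(raw.decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def parse_crl(der):
    """Return (this_update, next_update, revoked_serials); signature is NOT verified."""
    tbs, fields, pos = tlv(tlv(der, 0)[1], 0)[1], [], 0  # CertificateList -> TBSCertList
    while pos < len(tbs):
        tag, val, pos = tlv(tbs, pos)
        fields.append((tag, val))
    fields = fields[3:] if fields[0][0] == 0x02 else fields[2:]  # skip version?, sigalg, issuer
    this_update = der_time(*fields.pop(0))
    next_update = der_time(*fields.pop(0)) if fields and fields[0][0] in (0x17, 0x18) else None
    revoked, pos = set(), 0
    if fields and fields[0][0] == 0x30:  # revokedCertificates (absent when nothing is revoked)
        while pos < len(fields[0][1]):
            _, entry, pos = tlv(fields[0][1], pos)
            revoked.add(int.from_bytes(tlv(entry, 0)[1], "big"))
    return this_update, next_update, revoked

def crl_verdict(der, serial, now):  # hypothetical helper: client's view of `serial` at `now`
    _, next_update, revoked = parse_crl(der)
    if next_update is not None and now > next_update:
        return "crl-expired"  # stale CRL: revocation status cannot be determined
    return "revoked" if serial in revoked else "not-revoked"

def enc(tag, *parts):  # DER-encode one element; short-form length only (sample is < 128 bytes)
    body = b"".join(parts)
    return bytes([tag, len(body)]) + body

def sample_crl(this_update, next_update, serials):
    """Constructed, unsigned test CRL; issuer name and serials are made up."""
    t = lambda d: enc(0x17, d.strftime("%y%m%d%H%M%SZ").encode())
    alg = enc(0x30, enc(0x06, bytes.fromhex("2a864886f70d01010b")), enc(0x05))
    issuer = enc(0x30, enc(0x31, enc(0x30, enc(0x06, b"\x55\x04\x03"), enc(0x0C, b"Test CA"))))
    entries = [enc(0x30, enc(0x02, bytes([s])), t(this_update)) for s in serials]
    tbs = enc(0x30, enc(0x02, b"\x01"), alg, issuer, t(this_update), t(next_update),
              *([enc(0x30, *entries)] if entries else []))
    return enc(0x30, tbs, alg, enc(0x03, b"\x00\x00"))  # dummy signature bits
```

With a stale sample CRL the verdict for any serial is `crl-expired`; with a freshly published one that lists serial 0x2A, that serial returns `revoked` and every other serial returns `not-revoked`.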