Enterprise CA generates multiple CRLs

2025-09-16T10:24:50.1+00:00

Hi!
I have the following PKI infrastructure:

  1. Offline standalone root CA. Non-domain, Windows Server 2022
  2. Online subordinate issuing enterprise CA. Domain-joined, Windows Server 2022

And I see something weird: there are multiple CRLs in the C:\Windows\system32\CertSrv\CertEnroll folder.
Their names are (SubCA is the name of the subordinate CA):

  1. SubCA(1).crl
  2. SubCA(1)+.crl
  3. SubCA(2).crl
  4. SubCA(2)+.crl

At first I thought some of them were outdated CRLs, but after manually publishing the CRL I saw that all of these CRLs were updated.
In the Extensions tab of the CA properties I have the following CDP entries (I show only those where the checkbox is checked):

[screenshots of the CDP entries in the Extensions tab were attached]

In the pkiview.msc console I see the following:

[screenshot of the pkiview.msc console was attached]

So, my question is: why do I have two sets of CRL files?
It's not that it bothers me much, but I would like to understand why this is happening.

1 answer

Harry Phan (Independent Advisor)
    2025-09-16T10:58:47.5+00:00

    Hello Ebrenii,

    Regarding the multiple CRL files you're seeing in C:\Windows\system32\CertSrv\CertEnroll, with names like:

      1. SubCA(1).crl
      2. SubCA(1)+.crl
      3. SubCA(2).crl
      4. SubCA(2)+.crl

    This behavior is typically caused by multiple CDP entries in your CA's Extensions tab that use different formatting tokens (like <CRLNameSuffix> and <CaName>), especially when publishing both base CRLs and delta CRLs to the same location. Each combination of these tokens can result in a uniquely named file—even if they point to the same logical CRL data.

    Here’s what’s likely happening:

      - Each CDP entry with a checked “Publish CRLs to this location” or “Publish Delta CRLs to this location” generates a CRL file using its own naming pattern.
      - If multiple CDP entries resolve to the same folder path but use different name suffixes or formatting, you’ll see multiple CRL files—even though they’re all updated simultaneously when you publish.

    This is expected behavior and not harmful, but it can be cleaned up by consolidating your CDP entries to use consistent naming and paths.

    To reduce clutter:

      - Review your CDP entries in the Extensions tab and ensure only the necessary ones are checked.
      - Use consistent formatting tokens to avoid redundant file names.
      - You can also manually clean up unused CRL files if you're confident they’re not referenced in AIA/CDP locations or by clients.

    Your pkiview.msc output showing all locations as “OK” confirms that your distribution points are functioning properly, so this is more of a cosmetic/configuration quirk than a functional issue.

    =====

    If this explanation helps clarify things, feel free to hit “Accept Answer” so others can benefit too 😊

    T&B, Harry.
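As an added illustration of the point made in the answer above (this script is not part of the original thread and is not from Microsoft), the following PowerShell enumerates the CDP entries of the local issuing CA that are configured to publish a CRL file and expands their naming tokens so you can see which entry produces which file in CertEnroll. It assumes the ADCSAdministration module is present on the CA; the token expansion rules in the comments (`<CRLNameSuffix>` becoming `(n)` for the n-th renewal key, `<DeltaCRLAllowed>` becoming `+` for delta CRLs) and the `$keyIndexes` value are this example's assumptions, to be checked against the CA's own configuration.

```powershell
# Added example, not from the original thread. Predict the CRL file names that each
# file-system CDP entry of the local CA will produce, so duplicates can be traced
# back to the entry (and CA key index) that generates them.
# Token expansion below is this example's assumption about how the CA fills in names:
#   <CaName>          -> CA common name
#   <CRLNameSuffix>   -> "" for the CA's original key, "(n)" for the n-th renewal key
#   <DeltaCRLAllowed> -> "" in the base CRL name, "+" in the delta CRL name
#   <ServerDNSName>   -> this server's host name
Import-Module ADCSAdministration

function Expand-CrlFileName {
    param(
        [string]$Uri,
        [string]$CaName,
        [int]$KeyIndex,
        [switch]$Delta
    )
    $suffix = if ($KeyIndex -gt 0) { "($KeyIndex)" } else { '' }
    $plus   = if ($Delta) { '+' } else { '' }
    return ($Uri -replace '<CaName>', $CaName `
                 -replace '<CRLNameSuffix>', $suffix `
                 -replace '<DeltaCRLAllowed>', $plus `
                 -replace '<ServerDNSName>', $env:COMPUTERNAME)
}

# The 'Active' value names the CA instance running on this server.
$caName = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration').Active

# Assumption: the CA certificate has been renewed twice (key indexes 0, 1, 2), which
# is what names like SubCA(1).crl and SubCA(2).crl suggest. Adjust to your CA;
# 'certutil -getreg CA\CACertHash' lists one hash per CA certificate.
$keyIndexes = 0..2

Get-CACrlDistributionPoint |
    Where-Object { ($_.PublishToServer -or $_.PublishDeltaToServer) -and $_.Uri -notlike 'ldap:*' } |
    ForEach-Object {
        $cdp = $_
        foreach ($i in $keyIndexes) {
            if ($cdp.PublishToServer) {
                [pscustomobject]@{ Entry = $cdp.Uri; KeyIndex = $i; Kind = 'Base'
                    File = Expand-CrlFileName -Uri $cdp.Uri -CaName $caName -KeyIndex $i }
            }
            if ($cdp.PublishDeltaToServer) {
                [pscustomobject]@{ Entry = $cdp.Uri; KeyIndex = $i; Kind = 'Delta'
                    File = Expand-CrlFileName -Uri $cdp.Uri -CaName $caName -KeyIndex $i -Delta }
            }
        }
    } | Sort-Object File, Entry | Format-Table -AutoSize
```

Two rows with the same File but different Entry values point at CDP entries that resolve to the same file; rows that differ only in KeyIndex show files belonging to an earlier CA key, which are still published after a renewal and are not leftovers to delete.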
