Reducing the time to perform a CRL check on isolated networks

Hi everyone,

Writing today to pass along a solution that reduces the time spent on certificate revocation list processing (CRL checking). Other blogs have covered this topic at length, mostly in terms of locking down servers so that outgoing CRL retrieval calls are blocked and do not cause delays. Here are a few examples:

https://blogs.msdn.com/b/chaun/archive/2014/05/01/best-practices-for-crl-checking-on-sharepoint-servers.aspx

https://blogs.technet.com/b/exchange/archive/2010/05/14/3409948.aspx

One additional option that we have been recommending is to use the machine's Public Key Policies to reduce the retrieval timeout on machines that block all outgoing traffic, whether through a proxy server or a firewall. System administrators can lower this from the default of 15 seconds to a smaller value, for example 1 second. The settings are shown below inside the MMC console snap-in:

[Screenshot: the CRL retrieval timeout setting under Public Key Policies in the MMC snap-in]
The walkthrough on how to get to the dialog is also listed here on TechNet:

https://technet.microsoft.com/en-us/library/cc771429.aspx

So before giving up hope, enabling the firewall, or making other changes to disable CRL checking altogether, consider simply reducing the timeout setting as an option.
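To make the change auditable rather than a one-off click in the snap-in, here is an added PowerShell example (not from the original post) that reads the retrieval timeouts the Public Key Policies setting controls and optionally lowers them. It assumes that the policy writes its values to the ChainEngine\Config key under HKLM\SOFTWARE\Policies, with the value names ChainUrlRetrievalTimeoutMilliseconds (per-URL timeout, 15 seconds by default) and ChainRevAccumulativeUrlRetrievalTimeoutMilliseconds (cumulative timeout for one revocation check, 20 seconds by default); the post itself only mentions the 15 second default and the MMC dialog, so the registry location is the documented chain-engine configuration, not something taken from the page.

```powershell
# Added example, not part of the original post.
# Assumption: the "Public Key Policies" retrieval timeouts are stored as
# millisecond DWORDs under this policy key (documented chain-engine config).
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\ChainEngine\Config'
$PerUrlName = 'ChainUrlRetrievalTimeoutMilliseconds'                 # default 15000
$AccumName  = 'ChainRevAccumulativeUrlRetrievalTimeoutMilliseconds'  # default 20000

function Get-CrlRetrievalTimeout {
    # Report the effective timeouts: policy value if present, else the default.
    $perUrl = 15000
    $accum  = 20000
    $source = 'Default'
    if (Test-Path $PolicyKey) {
        $p = Get-ItemProperty -Path $PolicyKey
        if ($null -ne $p.$PerUrlName) { $perUrl = [int]$p.$PerUrlName; $source = 'Policy' }
        if ($null -ne $p.$AccumName)  { $accum  = [int]$p.$AccumName;  $source = 'Policy' }
    }
    [pscustomobject]@{
        PerUrlSeconds      = $perUrl / 1000
        AccumulatedSeconds = $accum  / 1000
        Source             = $source
    }
}

function Set-CrlRetrievalTimeout {
    # Lower both timeouts. The cumulative value is kept >= the per-URL value so
    # a single slow CRL fetch cannot be cut off earlier than the per-URL limit.
    param(
        [ValidateRange(1, 60)][int]$PerUrlSeconds = 1,
        [ValidateRange(1, 120)][int]$AccumulatedSeconds = 2
    )
    if ($AccumulatedSeconds -lt $PerUrlSeconds) { $AccumulatedSeconds = $PerUrlSeconds }
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $PolicyKey -Name $PerUrlName -Type DWord -Value ($PerUrlSeconds * 1000)
    Set-ItemProperty -Path $PolicyKey -Name $AccumName  -Type DWord -Value ($AccumulatedSeconds * 1000)
    Get-CrlRetrievalTimeout
}

# Usage (run elevated):
Get-CrlRetrievalTimeout               # shows 15 s / 20 s on an unconfigured machine
# Set-CrlRetrievalTimeout -PerUrlSeconds 1 -AccumulatedSeconds 2
```

If the machine is domain joined, make the change in the Group Policy object that delivers Public Key Policies rather than with the setter above; a later policy refresh would otherwise overwrite a local edit. Long-running services that have already built their certificate chains may need to be restarted before the shorter timeout takes effect, so check the reported values with Get-CrlRetrievalTimeout after the next gpupdate rather than assuming the change is live.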

Thank you,

Nathan

---------------------------------------------------------------------------------------------------------

Follow us on Twitter, www.twitter.com/WindowsSDK.