Viewing Expired Certificate Revocation List (CRL)
Many customers must perform a regulatory audit annually to comply with industry standards and business trends. Recently I was contacted by one of my customers, who was not able to view all of Certificate Revocation Lists (CRLs) issued by their Enterprise Certification Authority. The customer mentioned they were able to view these CRLs on a Windows Server 2003 Certification Authorities but cannot view them on Windows Server 2008 R2 Enterprise Certification Authorities.
Windows Server 2008 and Windows Server 2012 Certification Authorities by default delete expired CRLs when a new one is issued. This option can be reversed to preserve expired CRLs, but has to be implemented before your audit. To preserve expired CRLs run the following commands:
certutil –setreg CA\CRLFlags -CRLF_DELETE_EXPIRED_CRLS
net stop certsvc
net start certsvc
Furthermore, you can view CRLs by running this command:
certutil -view -out "CRLThisPublish,CRLNumber,CRLCount" CRL
The Certification Authority Console by default will not display Certificate Revocation List (CRL)history as noted in the screenshot below.
You can change this behavior by running certsvc.msc /e from
Amer F Kamal
Senior Premier Field Engineer