AD CS: The CRL publication interval for a stand-alone root CA should be at least 30 days

Applies To: Windows Server 2008 R2, Windows Server 2012

This topic is intended to address a specific issue identified by a Best Practices Analyzer scan. You should apply the information in this topic only to computers that have had the Active Directory Certificate Services Best Practices Analyzer run against them and are experiencing the issue addressed by this topic. For more information about best practices and scans, see Best Practices Analyzer.

Operating System

Windows Server® 2008 R2 and Windows Server® 2012


Active Directory Certificate Services






To enhance security, a root certification authority (CA) should remain offline except when needed to issue or renew a certificate. When a root CA is offline, certificate revocation list (CRL) publication intervals should be extended beyond the default seven-day period.

The intention of keeping a stand-alone root CA offline is to reduce its exposure to security risks. Deployment as an offline CA is typically appropriate only for a stand-alone root CA because of the greater relative value of a root CA and because root CA management tasks can be performed infrequently. One of the management tasks that require the root CA to be online is CRL publication.


An offline or stand-alone CA may not be able to automatically publish updated CRLs.  If updated CRLs are not published to their CRL distribution points, revocation checks on certificates issued by the CA may fail.


Use the Certification Authority snap-in to set the CRL publication interval to 30 days or longer.

To configure the CRL publication interval

  1. On the CA, open the Certification Authority snap-in.

  2. In the console tree, double-click the root CA to display certificate containers.

  3. Right-click the Revoked Certificates container, and click Properties.

  4. Next to CRL publication interval, type a number that is 30 or larger, and select Days.

  5. Click OK to save changes.

Additional references