Friday, November 24, 2017 10:07 AM
Hi All,
I am looking for the information related to revocation of certificates. For example, let's say we have around 1000 clients for which we have to revoke certificates because of some internal requirement. Is there a way to determine the impact this will have on the size of the Base CRL? Secondly, is there a guideline for managing the CRL size? For example, out of 1000 certificates, say 200 certs are already expired and the rest will be expiring in the next few months. Once the certificate is expired, will that get removed from the CRL automatically?
What is the best way to handle the certificates which we don't want clients to use in an ongoing process?
Friday, November 24, 2017 1:36 PM ✅Answered
The CRL size depends, of course, on how many certificates you are revoking. In your case, the size of your client base is unimportant except when considering the size of the CRL (Certificate Revocation List). In your example of some 1000 clients, 1000 certs, and 200 expired certs the size of your CRL should be minimal even if you’ve revoked all but one! So, impact to your clients should be almost non-existent.
“Based on some internal requirement” should be clearly and completely referenced in your Certificate Policy/Certification Practice Statement. Based on this post, you should review this requirement and understand exactly when and why you revoke a certificate in your environment. Expired certificates are expired and invalid, and unless there is a specific qualified reason (and there are some cases, though probably not in your case) the expiration of a certificate is not a reason to revoke it.
Also, if you don’t want a certificate available to clients remove it from the server or device. There may be reasons for removing a user’s certificate (like threats of impersonation) but these need to be considered carefully.
Good reading would be here: https://technet.microsoft.com/en-us/library/ee619754(v=ws.10).aspx
-Bill
Monday, November 27, 2017 6:50 AM ✅Answered
Hi,
The length of your CRL will be directly proportional to the number of certificates you've revoked. There's no limit on the number of Certificates you can sign, therefore there's no limit on the number you can revoke. By the fact itself, there's no limit on the length of your CRL.
And agree with Bill, if you don’t want a certificate to be used any more, you could just delete from clients or directly revoke it.
Best regards,
Wendy
Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.
Wednesday, November 29, 2017 8:30 AM
Hi,
Just checking in to see if the information provided was helpful. And if the replies as above are helpful, we would appreciate you to mark them as answers, please let us know if you would like further assistance.
Best Regards,
Wendy
Friday, December 1, 2017 7:06 AM
Hi,
Was your issue resolved? If you resolved it using our solution, please "mark it as answer" to help other community members find the helpful reply quickly.
If you resolved it using your own solution, please share your experience and solution here. It will be very beneficial for other community members who have similar questions. If not, please reply and tell us the current situation in order to provide further help.
Best Regards,
Wendy
Monday, December 4, 2017 8:20 AM
Hi,
Since the thread has been quiet for days, can we think that it is fixed? If that is the case, please "mark it as answer" to help other community members find the helpful reply quickly. And we'd love to hear your feedback about the solution if you solved it by your own method.
Thanks for your understanding and efforts.
Best regards,
Wendy
Monday, December 4, 2017 11:21 AM
Hi,
Thanks for the replies. Based on our testing, it is confirmed that if we revoke expired certificates, those will not be added to the CRL. Secondly, when the unexpired revoked certificates expire, those are removed from the CRL, so the size of the CRL will change based on the certificate expiry.
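The behaviour confirmed in the last post (revoked-but-expired certificates are not carried in the Base CRL, and entries drop out as their certificates expire) can be modelled to estimate CRL size for the 1000-client scenario in the question. The following is an added example, not code from the thread or from AD CS; it assumes 16-byte serials, UTCTime revocation dates and no CRL entry extensions, and builds the actual DER of the revokedCertificates list so the byte counts are real rather than guessed.

```python
# Added example (not from the thread): models how a Base CRL's revokedCertificates
# list shrinks as revoked certificates expire. Assumptions: 16-byte serials,
# UTCTime dates, no CRL entry extensions (a reasonCode would add a few bytes each).
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

NOW = datetime(2017, 12, 4, tzinfo=timezone.utc)  # date of the last post

@dataclass(frozen=True)
class Cert:
    serial: int                          # positive certificate serial number
    not_after: datetime                  # notAfter (expiry)
    revoked_at: Optional[datetime] = None

def der_len(n: int) -> bytes:
    """DER length octets, short or long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_len(len(body)) + body

def der_integer(v: int) -> bytes:
    # minimal two's-complement; a 0x00 pad byte appears when the top bit is set
    return der_tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))

def der_utctime(t: datetime) -> bytes:
    return der_tlv(0x17, t.strftime("%y%m%d%H%M%SZ").encode("ascii"))

def crl_entries(certs: List[Cert], now: datetime) -> List[Cert]:
    """Entries the Base CRL carries at `now`: revoked AND not yet expired. Revoking
    an expired cert adds nothing; an entry drops out once its cert expires (RFC 5280)."""
    return [c for c in certs
            if c.revoked_at is not None and c.revoked_at <= now < c.not_after]

def revoked_certificates_der(entries: List[Cert]) -> bytes:
    """DER of revokedCertificates: SEQUENCE OF SEQUENCE { serial, revocationDate }."""
    items = b"".join(der_tlv(0x30, der_integer(c.serial) + der_utctime(c.revoked_at))
                     for c in entries)
    return der_tlv(0x30, items)

def crl_size_timeline(certs: List[Cert], start: datetime, months: int):
    """(date, entry count, DER bytes) for each 30-day step from `start`."""
    out = []
    for k in range(months + 1):
        at = start + timedelta(days=30 * k)
        e = crl_entries(certs, at)
        out.append((at, len(e), len(revoked_certificates_der(e))))
    return out

def example_fleet(now: datetime = NOW) -> List[Cert]:
    """Constructed fleet from the question: 1000 certs, 200 already expired,
    800 expiring 100 per month over eight months, all revoked at `now`."""
    base = 1 << 124  # serial whose DER INTEGER body is exactly 16 bytes
    certs = [Cert(base + i, now - timedelta(days=30), now) for i in range(200)]
    certs += [Cert(base + 200 + i, now + timedelta(days=30 * (i % 8 + 1)), now)
              for i in range(800)]
    return certs
```

Running `crl_size_timeline(example_fleet(), NOW, 8)` shows the list starting at 800 entries (about 28 KB without extensions) and falling by 100 entries a month until it is empty, which is the "minimal impact" Bill describes.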