Q: How can I see all the certificate revocation lists (CRLs)—even those that expired—issued by my Windows Certification Authority (CA)?

A: In Windows Server 2003 and earlier, the Windows CA keeps a copy of all CRLs, including those that have expired. In Windows Server 2008 and later, the Windows CA deletes expired CRLs by default when a new CRL is issued. However, you can opt to preserve expired CRLs by clearing the CRLF_DELETE_EXPIRED_CRLS flag with the Certutil command-line utility (the leading minus sign in the first command clears the flag) and then restarting the CA service. You just need to run these commands:

  1. certutil -setreg CA\CRLFlags -CRLF_DELETE_EXPIRED_CRLS
  2. net stop certsvc
  3. net start certsvc

To look at the CRL information stored on your CA, you can use this command:

  1. certutil -view -out "CRLThisPublish,CRLNumber,CRLCount" CRL

Figure 1 shows sample results.

Figure 1: Reviewing CRL Information from the Command Line
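The flag check, the change above and the CRL view, wrapped as an added PowerShell example that is not from the original article; it assumes you run it elevated on the CA itself, that the CA configuration lives under the standard CertSvc registry key, and that CRLF_DELETE_EXPIRED_CRLS is bit 0x2 as defined in certsrv.h. The function names are the example's own.

```powershell
# Added example, not part of the original article.
# Assumes: elevated session on the CA; CRLF_DELETE_EXPIRED_CRLS = 0x2 (certsrv.h).

function Get-CaCrlRetention {
    # The 'Active' value names the CA whose subkey holds CRLFlags.
    $cfg    = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    $caName = (Get-ItemProperty -Path $cfg -Name Active).Active
    $flags  = (Get-ItemProperty -Path "$cfg\$caName" -Name CRLFlags).CRLFlags
    [pscustomobject]@{
        CAName             = $caName
        CRLFlags           = ('0x{0:X8}' -f $flags)
        DeletesExpiredCRLs = [bool]($flags -band 0x2)   # CRLF_DELETE_EXPIRED_CRLS
    }
}

function Set-CaKeepExpiredCrls {
    # Dry run by default; pass -Apply to make the same change the article does by hand.
    param([switch]$Apply)
    $before = Get-CaCrlRetention
    if (-not $before.DeletesExpiredCRLs) {
        Write-Host "CA '$($before.CAName)' already keeps expired CRLs."
        return $before
    }
    if (-not $Apply) {
        Write-Host "CA '$($before.CAName)' deletes expired CRLs; rerun with -Apply to change."
        return $before
    }
    # Leading '-' clears the flag bit; the setting takes effect after certsvc restarts.
    & certutil.exe -setreg 'CA\CRLFlags' -CRLF_DELETE_EXPIRED_CRLS | Out-Null
    Restart-Service -Name CertSvc          # equivalent to net stop / net start certsvc
    $after = Get-CaCrlRetention
    if ($after.DeletesExpiredCRLs) {
        throw "CRLF_DELETE_EXPIRED_CRLS is still set after restart; review the certutil output."
    }
    return $after
}

function Get-CaCrlHistory {
    # Same view the article runs; certutil prints one row per CRL the CA still holds.
    & certutil.exe -view -out 'CRLThisPublish,CRLNumber,CRLCount' CRL
}

Get-CaCrlRetention | Format-List
```

Clearing the flag only stops future deletions; CRLs the CA has already removed are not recovered, so the history fills in from the next CRL publication onward.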

The Microsoft Management Console (MMC) Certification Authority snap-in won't display the CRL history by default. You can change this behavior if you start the Certification Authority snap-in with the /e switch, as follows:

  1. certsrv.msc /e

Afterward, the CRL history will be displayed, as shown in Figure 2.

Figure 2: Reviewing CRL Information from the Certification Authority Snap-In