Q: How can I see all the certificate revocation lists (CRLs)—even those that expired—issued by my Windows Certification Authority (CA)?
A: In Windows Server 2003 and earlier, the Windows CA keeps a copy of every CRL it has issued, including those that have expired. In Windows Server 2008 and later, the CA deletes expired CRLs from its database by default when it publishes a new CRL, because the CRLF_DELETE_EXPIRED_CRLS flag is set in the CA's CRLFlags registry value. You can opt to preserve expired CRLs by clearing that flag with the Certutil command-line utility (the leading minus sign clears a flag; a plus sign would set it). The CA reads CRLFlags when the service starts, so you must restart Certificate Services for the change to take effect. Note that CRLs the CA has already deleted are not recovered; only CRLs that expire after the change is made are kept. Run these commands from an elevated command prompt on the CA:
- certutil -setreg CA\CRLFlags -CRLF_DELETE_EXPIRED_CRLS
- net stop certsvc
- net start certsvc
To look at the CRL history stored in the CA database (the publish time, CRL number, and entry count of each CRL), use the command:
- certutil -view -out "CRLThisPublish,CRLNumber,CRLCount" CRL
Figure 1 shows sample results.
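The following PowerShell script is an added example, not part of the original article, that wraps the three steps above in functions you can reuse: it checks whether CRLF_DELETE_EXPIRED_CRLS is currently set, clears it only when necessary, restarts the service, and returns the CRL history as objects rather than raw text. It assumes an elevated PowerShell session on the CA itself under a CA administrator account, certutil.exe on the path, and the default service name CertSvc; the output parsing in Get-CrlHistory is a best-effort reading of certutil's "Row N:" text format and is an assumption of this example, not a documented interface.

```powershell
# Added example (not from the original article): preserve expired CRLs on a
# Windows CA and list the CRL history by driving the certutil commands shown above.
# Assumptions: elevated PowerShell on the CA, CA-administrator rights,
# certutil.exe on the path, service name CertSvc.

function Test-ExpiredCrlDeletion {
    # certutil -getreg prints the names of the CRLFlags bits that are set,
    # so we match on the flag name instead of hard-coding its numeric value.
    $output = & certutil.exe -getreg 'CA\CRLFlags' 2>&1 | Out-String
    if ($LASTEXITCODE -ne 0) {
        throw "certutil -getreg failed (exit code $LASTEXITCODE):`n$output"
    }
    return [bool]($output -match 'CRLF_DELETE_EXPIRED_CRLS')
}

function Disable-ExpiredCrlDeletion {
    if (-not (Test-ExpiredCrlDeletion)) {
        Write-Host 'CRLF_DELETE_EXPIRED_CRLS is already clear; nothing to do.'
        return
    }
    # The leading '-' clears the flag; '+' would set it again.
    & certutil.exe -setreg 'CA\CRLFlags' -CRLF_DELETE_EXPIRED_CRLS | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "certutil -setreg failed (exit code $LASTEXITCODE)"
    }
    # The CA reads CRLFlags at start-up, so the change is live only after a restart.
    Restart-Service -Name CertSvc
    Write-Host 'CRLF_DELETE_EXPIRED_CRLS cleared; CRLs that expire from now on are retained.'
}

function Get-CrlHistory {
    param(
        # Columns from the CRL table of the CA database; these three are the ones
        # used in the article.
        [string]$Columns = 'CRLThisPublish,CRLNumber,CRLCount'
    )
    $lines = & certutil.exe -view -out $Columns CRL 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "certutil -view failed (exit code $LASTEXITCODE):`n$($lines -join "`n")"
    }

    # certutil prints one "Row N:" header per CRL followed by indented
    # "Name: value" lines. Turn each row into a PSCustomObject. (Parsing
    # assumption of this example; column labels are whatever certutil prints.)
    $rows = @()
    $current = $null
    foreach ($line in $lines) {
        if ($line -match '^Row\s+(\d+):') {
            if ($current) { $rows += [pscustomobject]$current }
            $current = [ordered]@{ Row = [int]$Matches[1] }
        }
        elseif ($current -and $line -match '^\s+(.+?):\s+(.+)$') {
            $current[$Matches[1].Trim()] = $Matches[2].Trim()
        }
    }
    if ($current) { $rows += [pscustomobject]$current }
    return $rows
}

# Usage: clear the flag if needed, then show every CRL the database still holds.
Disable-ExpiredCrlDeletion
Get-CrlHistory | Format-Table -AutoSize
```

Run the script once after the change and again after the next scheduled CRL publication: the row count should grow instead of staying flat, which confirms that expired base and delta CRLs are now being retained rather than purged.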
The Microsoft Management Console (MMC) Certification Authority snap-in doesn't display the CRL history by default. You can change this behavior by starting the Certification Authority snap-in with the /e switch, as follows:
- certsrv.msc /e
Afterward, the CRL history will be displayed, as shown in Figure 2.