
How to disable Delta CRL

Disabling Delta CRL

What is a CRL and Delta CRL?

A certificate revocation list (CRL) is a list of digital certificates that the issuing certificate authority (CA) has revoked before their actual or assigned expiration date.

A Delta CRL is an optional, supplemental CRL that includes only the updates made since the last Base CRL update. When a delta CRL is present, the standard CRL described above is referred to as the “Base” CRL.

Steps to Disable Delta CRL

Delta CRL can be disabled either by running commands at an administrative command prompt or through the GUI. Both methods are described below:

By Command Prompt:

  • Set Delta CRL Validity to zero by running this command on an administrative command prompt: Certutil -setreg CA\CRLDeltaPeriodUnits 0

  • Run net stop certsvc and net start certsvc to restart the ADCS Service.

  • Run certutil -crl to publish new CRLs.

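The command-prompt steps above as one PowerShell script with two verification checks, added here as an example and not part of the original article. It assumes the default CertEnroll publication folder and the default delta CRL file naming (a trailing `+` before `.crl`), and it reads the CA name from the `Active` registry value.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original article): disable delta CRLs, then verify.
$ErrorActionPreference = 'Stop'

# Assumption: CRLs are published to the default CertEnroll folder.
$crlDir  = Join-Path $env:SystemRoot 'System32\CertSrv\CertEnroll'
$started = Get-Date

function Invoke-Certutil {
    param([string[]]$Arguments)
    $out = & certutil.exe @Arguments
    if ($LASTEXITCODE -ne 0) { throw "certutil $Arguments failed:`n$($out -join "`n")" }
    $out
}

# Steps from the article: zero the delta period, restart AD CS, publish new CRLs.
Invoke-Certutil -Arguments @('-setreg', 'CA\CRLDeltaPeriodUnits', '0') | Out-Null
Restart-Service -Name certsvc
Invoke-Certutil -Arguments @('-crl') | Out-Null

# Check 1: the active CA's configuration now holds CRLDeltaPeriodUnits = 0.
$cfg    = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName = (Get-ItemProperty -LiteralPath $cfg).Active
$units  = (Get-ItemProperty -LiteralPath "$cfg\$caName").CRLDeltaPeriodUnits
if ($units -ne 0) { throw "CRLDeltaPeriodUnits is $units, expected 0" }

# Check 2: base CRLs written by this run must not carry the Freshest CRL
# extension (OID 2.5.29.46), which is what points clients at a delta CRL.
# Assumption: default file naming, where delta CRL files end in '+.crl'.
$crls  = Get-ChildItem -LiteralPath $crlDir -Filter '*.crl'
$fresh = $crls | Where-Object { $_.Name -notlike '*+.crl' -and $_.LastWriteTime -ge $started }
if (-not $fresh) { throw "No base CRL was written to $crlDir by this run" }
foreach ($crl in $fresh) {
    $dump = Invoke-Certutil -Arguments @('-dump', $crl.FullName)
    if ($dump -match '2\.5\.29\.46') {
        throw "$($crl.Name) still references a delta CRL (Freshest CRL extension)"
    }
    Write-Host "OK: $($crl.Name) has no Freshest CRL extension"
}

# Delta CRL files from before the change stay on disk until removed; list them.
$crls | Where-Object { $_.Name -like '*+.crl' } |
    Select-Object Name, LastWriteTime
```

Clients that cached a base CRL issued before the change keep its Freshest CRL pointer until that CRL expires, so any leftover delta files listed at the end should be reviewed before they are deleted.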


By using GUI:

  • Open the Certification Authority (CA) console. To do so, open Server Manager -> Tools -> Certification Authority.

  • Right-click on Revoked Certificates and open Properties.

  • On the properties page, uncheck “Publish Delta CRLs.”

  • Click on Apply and OK.
  • To publish new CRLs, right-click on Revoked Certificates -> All Tasks -> Publish.

  • Click on New CRL to publish.


If you need help with your PKI environment, feel free to email us at info@encryptionconsulting.com.
