CRL published frequently
Ingo Huber
2008-11-28 11:06:13 UTC
Hi,

For a few days now we have had the problem that on some days our Issuing CA
publishes the CRL every 5 - 10 minutes for a duration of 2 - 4 hours without
manual activity. After this it is quiet and works normally for a few days.

Our CRL distribution period is 7 days with an overlap period of 3 days,
without delta revocation lists.

Our environment is an offline Root CA and one Issuing CA, both Windows Server
2003 Enterprise Edition SP2 and protected with an nCipher NetHSM.

Any ideas?

Thank you
Brian Komar
2008-11-28 13:41:42 UTC
Someone has been messing with the settings.
Run the following to determine the current settings:
certutil -getreg ca\ValidityPeriodUnits
certutil -getreg ca\ValidityPeriod

You should see values of 7 and days.

You can change them back to the desired values by re-running your
post-configuration script.
Brian
Brian Komar
2008-11-28 14:03:17 UTC
Please disregard the previous answer.... too early for posting <G>

Someone definitely changed your settings.

You want to run the following commands to check your current CRL publication
settings:

certutil -getreg CA\CRLPeriodUnits
certutil -getreg CA\CRLPeriod
certutil -getreg CA\CRLOverlapPeriod
certutil -getreg CA\CRLOverlapUnits

Make sure that these match your design of 7 days with a 3-day overlap.

Brian
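
A drift check for the settings discussed above, as an added example that is not part of the original posts: it reads the values that certutil -getreg CA\... reports straight from the active CA's registry key and compares them with the 7-day / 3-day design stated in the thread. The function name, the `$design` table and the extra CRLDeltaPeriodUnits check (0 meaning delta CRLs are disabled) are assumptions added here.

```powershell
# Added example (not from the thread): report CRL publication settings that
# differ from the intended design. Run on the Issuing CA with read access to HKLM.

# Intended design as described in the thread: 7-day CRL, 3-day overlap, no delta CRLs.
$design = @{
    CRLPeriodUnits      = 7
    CRLPeriod           = 'Days'
    CRLOverlapUnits     = 3
    CRLOverlapPeriod    = 'Days'
    CRLDeltaPeriodUnits = 0        # assumption: 0 = delta CRL publication disabled
}

function Get-CrlSettingDrift {     # hypothetical helper name
    param([hashtable]$Expected)

    # "certutil -getreg CA\<value>" reads from the active CA's configuration key.
    $base   = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    $caName = (Get-ItemProperty -Path $base).Active
    if (-not $caName) { throw "No active CA configured under $base" }

    $config = Get-ItemProperty -Path (Join-Path $base $caName)

    foreach ($name in $Expected.Keys) {
        $actual = $config.$name    # $null if the value is missing
        # String comparison; -ne is case-insensitive, so 'days' matches 'Days'.
        if ("$actual" -ne "$($Expected[$name])") {
            New-Object PSObject -Property @{
                CA       = $caName
                Setting  = $name
                Expected = $Expected[$name]
                Actual   = $actual
            }
        }
    }
}

$drift = @(Get-CrlSettingDrift -Expected $design)
if ($drift.Count -eq 0) {
    Write-Output 'CRL publication settings match the design.'
} else {
    $drift | Format-Table CA, Setting, Expected, Actual -AutoSize
}
```

Running this on a schedule and alerting on any returned row shows when a setting changed, rather than only that it is correct at the moment someone looks.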
Ingo Huber
2008-12-01 06:09:00 UTC
Hi Brian,

thank you for the answer.

I've looked on the Issuing CA; the values were correctly set to 7 days for
CRL generation and 3 days for the overlap period.