Jayant
Tue Jul 22 16:21:16 CDT 2003
I tried the following. I have the following values for the
following registry entries on my CA (Windows 2000 Ent CA):
CRLPeriod REG_SZ = Hours
CRLPeriodUnits REG_DWORD = 1
CRLOverlapPeriod REG_SZ = Hours
CRLOverlapUnits REG_DWORD = 1
Note this CA does not do deltas.
After adding the CRLOverlapxx reg values I bounced the
service and forced a CRL publish at 2pm PST but the CRL
validity of this latest CRL shows up as:
Effective Date: Tuesday, July 22, 2003 11:39:21 AM
Next update: Tuesday, July 22, 2003 9:24:21 PM
These times don't seem to correlate to the above values.
Particularly the next update is way off from what I would
have expected. What am I missing?
TIA.
Jayant
>-----Original Message-----
>Thanks much.
>
>One quick question: Are these available/applicable to
>Windows 2000 (Enterprise) CA? Reason I ask is I don't
>notice these in its registry key (by default) but are
>present in Windows 2003 CA's registry key.
>
>rgds,
>Jayant
>
>>-----Original Message-----
>>The CA CRL publication is controlled by the following registry keys in
>>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\<caname>
>>
>> CRLPeriod REG_SZ = Weeks
>> CRLPeriodUnits REG_DWORD = 1
>>
>> CRLOverlapPeriod REG_SZ = Hours
>> CRLOverlapUnits REG_DWORD = 0
>>
>> CRLDeltaPeriod REG_SZ = Days
>> CRLDeltaPeriodUnits REG_DWORD = 1
>>
>> CRLDeltaOverlapPeriod REG_SZ = Minutes
>> CRLDeltaOverlapUnits REG_DWORD = 0
>>
>> CRLNextPublish REG_BINARY = 7/28/2003 2:32 PM
>> CRLDeltaNextPublish REG_BINARY = 7/22/2003 2:32 PM
>>
>>The CRLOverlapPeriod if nonzero specifies the replication delay that you
>>want to add to the CRLPeriod and CRLDeltaPeriod.
>>1) You will need to restart the CA once you set the new value for the CA to
>>use them
>>2) Secondly client machines will not start fetching the CRLs if they have a
>>valid old CRL that has not yet expired
>>
>>
>>
>>--
>>This posting is provided "AS IS" with no warranties and confers no rights.
>>Use of any included samples is subject to the terms specified at
>>http://www.microsoft.com/info/copyright.htm
>>"Jayant Sane" <jayant.sane@intel.com> wrote in message
>>news:027a01c3508c$636e91a0$a501280a@phx.gbl...
>>> Hi,
>>>
>>> MS Certificate Authority's documentation has the following on
>>> it: "..there is a difference between a CRL publish period
>>> and the validity period of a CRL. The publish period of a
>>> CRL is established by the CA administrator. However, the
>>> validity period of the CRL is extended from the publish
>>> period to allow for Active Directory replication. By
>>> default, Certificate Services extends the publish period
>>> by 10% (up to a maximum of 12 hrs) to establish the
>>> validity period....There are registry entries which allow
>>> an administrator to control the variance between publish
>>> period and validity period to allow for slower directory
>>> replication. Refer to the Windows 2000 Resource Kits for
>>> information about these registry entries. "
>>>
>>> I am interested in knowing the configuration entries to
>>> control the actual validity period. I looked into Windows
>>> 2000 Server resource kits but could not find it anywhere.
>>> I noticed a registry value called CRLEditFlags in the CA's
>>> configuration registry key but don't have any documentation
>>> on it explaining how I can do the above.
>>>
>>> Also for my test CA the validity period is not being
>>> extended by 10% of the publish period - it seems quite
>>> arbitrary.
>>>
>>> Any help will be appreciated.
>>>
>>> rgds,
>>> Jayant
>
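
Added example, not part of the original thread and not Microsoft's code: a Python check that computes the CRL validity window the replies above describe (publish period plus CRLOverlapPeriod, or the quoted default of 10% capped at 12 hours when the overlap is zero) and compares it with the Effective Date / Next update pair from the top post. The function names and the 15-minute tolerance are assumptions, and the model is only the thread's description, not the CA's verified algorithm.

```python
from datetime import datetime, timedelta

# Period units seen in the thread's REG_SZ values.
UNITS = {"minutes": timedelta(minutes=1), "hours": timedelta(hours=1),
         "days": timedelta(days=1), "weeks": timedelta(weeks=1)}

# Format of the dates shown in the CRL output quoted in the top post.
DISPLAY_FMT = "%A, %B %d, %Y %I:%M:%S %p"

# Values copied from the top post (Windows 2000 Enterprise CA, no deltas).
POSTED_CFG = {"CRLPeriod": "Hours", "CRLPeriodUnits": 1,
              "CRLOverlapPeriod": "Hours", "CRLOverlapUnits": 1}
POSTED_EFFECTIVE = "Tuesday, July 22, 2003 11:39:21 AM"
POSTED_NEXT_UPDATE = "Tuesday, July 22, 2003 9:24:21 PM"


def span(unit_name, count):
    """Turn a (REG_SZ unit, REG_DWORD count) pair into a timedelta."""
    key = unit_name.strip().lower()
    if key not in UNITS:
        raise ValueError(f"unsupported period unit: {unit_name!r}")
    return UNITS[key] * count


def expected_validity(cfg):
    """Base CRL validity predicted by the thread's description (an assumption,
    not the CA's verified algorithm): publish period plus overlap."""
    period = span(cfg["CRLPeriod"], cfg["CRLPeriodUnits"])
    overlap = span(cfg.get("CRLOverlapPeriod", "Hours"),
                   cfg.get("CRLOverlapUnits", 0))
    if not overlap:
        # Default quoted in the thread: 10% of the period, at most 12 hours.
        overlap = min(period / 10, timedelta(hours=12))
    return period + overlap


def check_crl(cfg, effective, next_update, tolerance=timedelta(minutes=15)):
    """Compare a CRL's displayed validity with the configured expectation."""
    observed = (datetime.strptime(next_update, DISPLAY_FMT)
                - datetime.strptime(effective, DISPLAY_FMT))
    expected = expected_validity(cfg)
    return {"expected": expected, "observed": observed,
            "matches": abs(observed - expected) <= tolerance}


if __name__ == "__main__":
    print(check_crl(POSTED_CFG, POSTED_EFFECTIVE, POSTED_NEXT_UPDATE))
```

For the posted values the check reports a mismatch, which is the discrepancy the top post asks about; a mismatch like this usually means the running service has not picked up the edited values or the CRL being inspected is an older cached copy.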