By default, the certification authority keeps every revocation list (CRL) it has issued in the certification authority database until that list has expired.
Under certain circumstances, for example a misconfigured script that forces CRL publication far too often, a large number of revocation lists accumulate in the database this way, and if the lists themselves are large the database grows accordingly.
Do you know TameMyCerts? TameMyCerts is an add-on for the Microsoft certification authority (Active Directory Certificate Services). It extends the functions of the certification authority and allows rule sets to be applied to requests, so that certificate issuance can be automated securely. TameMyCerts is unique in the Microsoft ecosystem, has already proven itself in countless companies around the world and is available under a free license. It can be downloaded via GitHub and used free of charge. Professional maintenance is also offered.
Database schema for the revocation list table
To make queries against the CRL table of the certification authority database, one must first identify the required database fields (the column names used below). The schema of the CRL table can be printed with the following command:
certutil -schema CRL
Listing the revocation lists in the CRL table
An overview of the revocation lists held in the CRL table can then be obtained with the following command, for example:
certutil -view -out "CRLNumber,CRLThisUpdate,CRLNextUpdate" CRL csv
Deletion of entries from the revocation list table
A revocation list can be deleted from the certification authority database by specifying the revocation list number with the following command line command. The deletion is irreversible, so confirm the entry against the listing above first (certutil's own syntax for -deleterow is "RowId | Date", so including CRLRowId in the -out column list of the listing makes it unambiguous which row will be removed), and never remove the CRLs that are still current.
certutil -deleterow {CRL number} CRL
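The following PowerShell script ties the three steps above together: it lists the CRL table with the field names from the schema, works out which rows have already expired, and removes them only when explicitly asked to. It is an added example and not code from the original article. It assumes it is run elevated on the CA host (add -config "Host\CAName" to each certutil call otherwise), that certutil's CSV output uses date strings the current culture can parse, and that the CSV header carries display names rather than field names, which is why columns are read by position.

```powershell
# Added example (not part of the original article): inventory the CRL table of
# the local CA and optionally delete rows whose CRL has already expired.
# Assumptions: elevated session on the CA host; localized date strings in the
# CSV output parse with the current culture; columns are read by position.
param(
    [switch]$Delete   # without this switch nothing is removed
)

function ConvertTo-DbInt([string]$s) {
    # certutil prints some numeric columns as "0x1a (26)"; take the decimal part.
    if ($s -match '\((\d+)\)') { return [int]$Matches[1] }
    return [int]$s
}

# Field names as printed by "certutil -schema CRL".
$columns = "CRLRowId,CRLNumber,CRLThisUpdate,CRLNextUpdate"

# The trailing "CertUtil: -view command completed successfully." line is not
# CSV and is dropped before parsing.
$rows = certutil -view -out $columns CRL csv |
    Where-Object { $_ -and $_ -notmatch '^CertUtil:' } |
    ConvertFrom-Csv

$now = Get-Date
$entries = foreach ($r in $rows) {
    $v = @($r.PSObject.Properties.Value)   # positional: RowId, Number, This, Next
    [pscustomobject]@{
        RowId      = ConvertTo-DbInt $v[0]
        CrlNumber  = ConvertTo-DbInt $v[1]
        ThisUpdate = [datetime]::Parse($v[2])
        NextUpdate = [datetime]::Parse($v[3])
    }
}

$expired = @($entries | Where-Object { $_.NextUpdate -lt $now })
"{0} CRL rows in the table, {1} of them expired" -f @($entries).Count, $expired.Count

# The runaway-script case from the article shows up as many rows per day.
$entries | Group-Object { $_.ThisUpdate.Date } | Sort-Object Count -Descending |
    Select-Object -First 5 Name, Count

if ($Delete) {
    foreach ($e in $expired) {
        # -deleterow addresses the row by its RowId; current CRLs are not in $expired.
        certutil -deleterow $e.RowId CRL | Out-Null
        "deleted row {0} (CRL number {1}, expired {2:u})" -f $e.RowId, $e.CrlNumber, $e.NextUpdate
    }
}
```

Run it once without -Delete to see the inventory and the busiest days, then with -Delete to purge. For a bulk cleanup certutil also accepts a date instead of a row ID (certutil -deleterow <date> CRL removes the CRL rows that expired before that date), which is the quicker route when thousands of rows have accumulated.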
Determining and modifying the storage behavior for revocation lists
Whether the certification authority removes expired revocation lists from the certification authority database (the default setting) or keeps them is determined by the CRLF_DELETE_EXPIRED_CRLS flag in the CRLFlags registry value. The current setting can be determined with the following command.
certutil -v -getreg CA\CRLFlags
This command can be used to disable the deletion of expired revocation lists from the certification authority database:
certutil -setreg CA\CRLFlags -CRLF_DELETE_EXPIRED_CRLS
This command can be used to re-enable the deletion of expired revocation lists from the certification authority database:
certutil -setreg CA\CRLFlags +CRLF_DELETE_EXPIRED_CRLS
The change takes effect only after the certification authority service (certsvc) has been restarted; until then the running CA continues to use the old value.
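As an added example (not code from the original article), the following PowerShell script reads CRLFlags for the active CA straight from the registry, reports whether expired CRLs are being deleted, and toggles the flag with the same certutil -setreg commands shown above, followed by the required service restart. It assumes an elevated session on the CA host and that CRLF_DELETE_EXPIRED_CRLS has the bit value 0x2, which is the value from certsrv.h; check it against the name/value listing that certutil -v -getreg CA\CRLFlags prints before relying on it.

```powershell
# Added example (not part of the original article): show and toggle
# CRLF_DELETE_EXPIRED_CRLS in the CA's CRLFlags value.
# Assumptions: elevated session on the CA host; bit value 0x2 for the flag
# (from certsrv.h, verify with "certutil -v -getreg CA\CRLFlags").
param(
    [ValidateSet("Show", "Enable", "Disable")]
    [string]$Action = "Show"
)

$CRLF_DELETE_EXPIRED_CRLS = 0x2

# The CA configuration lives under CertSvc\Configuration\<CA name>; the
# "Active" value of the parent key names the CA.
$configKey = "HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration"
$caName = (Get-ItemProperty -Path $configKey).Active
$flags  = (Get-ItemProperty -Path "$configKey\$caName").CRLFlags

$isSet = ($flags -band $CRLF_DELETE_EXPIRED_CRLS) -ne 0
"CA '{0}': CRLFlags = 0x{1:x}, expired CRLs are {2} in the database" -f `
    $caName, $flags, $(if ($isSet) { "not kept" } else { "kept" })

switch ($Action) {
    # Same commands as in the article; "+"/"-" select add or remove of the flag.
    "Disable" { certutil -setreg CA\CRLFlags -CRLF_DELETE_EXPIRED_CRLS | Out-Null }
    "Enable"  { certutil -setreg CA\CRLFlags +CRLF_DELETE_EXPIRED_CRLS | Out-Null }
    default   { return }
}

# -setreg only writes the registry; the running CA keeps the old value until
# the service restarts (a short issuance outage, so plan the window).
Restart-Service -Name certsvc
$flags = (Get-ItemProperty -Path "$configKey\$caName").CRLFlags
"CRLFlags is now 0x{0:x}" -f $flags
```

Invoke it as .\Set-CrlRetention.ps1 -Action Disable to stop purging expired CRLs (for example while investigating the database growth described above) and with -Action Enable to restore the default.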