The validity of certificates can be checked either by OCSP (Online Certificate Status Protocol) or classically by a certificate revocation list (CRL). The base revocation list (base CRL) of a Microsoft Windows certification authority is valid for 7 days by default. In some cases this is too long, as a certificate may still be considered valid for up to 7 days after it has been revoked, because clients keep using the CRL they have cached until its NextUpdate time passes.
Specifically, this problem occurred with a VPN solution that uses certificates for the authentication of computers. This VPN solution only supports the basic revocation list and no delta revocation lists. If the VPN solution supported delta revocation lists or OCSP, there would be no need to adjust the validity of the basic revocation list.
Changing the validity of the revocation list
The PowerShell module PSPKI is particularly suitable for the administration of Windows certification authorities. The module contains numerous cmdlets for the administration of a CA and the management and issuing of certificates. I therefore usually install PSPKI directly on the certification authority. PSPKI can be downloaded here:
To install, simply copy the PSPKI folder from the GitHub repository into the directory "C:\Windows\System32\WindowsPowerShell\v1.0\Modules":
In PowerShell, the module can now be imported with the following command:
Import-Module PSPKI
The following command can be used to check the current validity of the revocation lists:
Get-CertificationAuthority -ComputerName COMPUTERNAME | Get-CRLValidityPeriod
The following command can be used to reduce the validity of the base revocation list to one day and the validity of the delta revocation list to 6 hours:
Get-CertificationAuthority -ComputerName COMPUTERNAME | Set-CRLValidityPeriod -BaseCRL "1 Days" -DeltaCRL "6 Hours"
The certification authority must be restarted once for the change to be applied:
Get-CertificationAuthority -ComputerName COMPUTERNAME | Restart-CertificationAuthority
As soon as the revocation lists are next published, the base revocation list is only valid for one day and the delta revocation list for 6 hours.
Note: This setting can, however, lead to problems in large environments with many entries in the revocation list. Systems now download the revocation lists much more frequently, which can cause high load when the revocation lists are large and there are many systems. If only a few certificates are revoked, for example when a computer is lost or stolen, reducing the validity of the revocation lists should have little effect.
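The three steps above (check, set, restart) as one script, added here as an example and not part of the original post. It assumes PSPKI is installed, that it runs on the CA host itself (so the CertEnroll folder is local), that PSPKI's X509CRL2 class accepts a file path, and the CA host name and periods are placeholders; it also publishes a CRL immediately and verifies that the published base CRL really carries the shorter window.

```powershell
# Added example (not from the original post): apply the shorter CRL validity
# and prove that the CRL the CA publishes actually carries the new window.
# Assumes PSPKI is installed and the script runs on the CA host itself.
param(
    [string]$CaHost   = $env:COMPUTERNAME,   # placeholder: CA host name
    [string]$BaseCrl  = "1 Days",
    [string]$DeltaCrl = "6 Hours"
)
Import-Module PSPKI

# Converts PSPKI's "<n> Hours|Days|Weeks" notation into a TimeSpan for the check below.
function ConvertTo-CrlTimeSpan([string]$Period) {
    $n, $unit = $Period -split '\s+'
    switch -Regex ($unit) {
        '^Hours?$' { return New-TimeSpan -Hours ([int]$n) }
        '^Days?$'  { return New-TimeSpan -Days  ([int]$n) }
        '^Weeks?$' { return New-TimeSpan -Days  (7 * [int]$n) }
        default    { throw "Unsupported CRL period unit: $unit" }
    }
}

$ca = Get-CertificationAuthority -ComputerName $CaHost

# Keep the old values so the change can be rolled back if CRL download load becomes a problem.
$before = $ca | Get-CRLValidityPeriod
"Before: BaseCRL={0} DeltaCRL={1}" -f $before.BaseCRL, $before.DeltaCRL

$ca | Set-CRLValidityPeriod -BaseCRL $BaseCrl -DeltaCRL $DeltaCrl
$ca | Restart-CertificationAuthority

# The new period only reaches clients with the next published CRL, so publish one now
# instead of waiting for the scheduled publish (certutil -CRL writes base and delta CRLs).
certutil -config $ca.ConfigString -CRL | Out-Null

# Verify on the newest base CRL file (delta CRL files carry a '+' in their name).
$crlFile = Get-ChildItem (Join-Path $env:windir "System32\CertSrv\CertEnroll") -Filter *.crl |
    Where-Object Name -NotLike '*+*' | Sort-Object LastWriteTime -Descending | Select-Object -First 1
$crl      = New-Object System.Security.Cryptography.X509Certificates.X509CRL2 $crlFile.FullName
$window   = $crl.NextUpdate - $crl.ThisUpdate
$expected = ConvertTo-CrlTimeSpan $BaseCrl
# NextUpdate = ThisUpdate + period + overlap; with the default overlap the CA adds at most 12 hours.
if ($window -gt $expected.Add((New-TimeSpan -Hours 12))) {
    Write-Warning "Published base CRL is still valid for $window; expected about $expected."
} else {
    "Base CRL ThisUpdate={0:u} NextUpdate={1:u} (window {2})" -f $crl.ThisUpdate, $crl.NextUpdate, $window
}
```

Clients that already hold a CRL keep using it until its NextUpdate passes, so the shorter window only protects against a revoked certificate once every consumer has fetched a CRL published after the change.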
Unfortunately, there is no "Get-CertificationAuthority" command in the PSPKI module (version 4.2.0).
Found the error: "This command is not available in non-domain environments"