Many customers must perform a regulatory audit annually to comply with industry standards and business trends. Recently we were contacted by one of our customers, who was not able to view all of Certificate Revocation Lists (CRLs) issued by their Enterprise Certification Authority. The customer mentioned they were able to view these CRLs on a Windows Server 2003 Certification Authorities but cannot view them on Windows Server 2008 R2 Enterprise Certification Authorities.

 

Windows Server 2008 and Windows Server 2012 Certification Authorities by default delete expired CRLs when a new one is issued. This option can be reversed to preserve expired CRLs, but has to be implemented before your audit. To preserve expired CRLs run the following commands:

certutil –setreg CA\CRLFlags -CRLF_DELETE_EXPIRED_CRLS

net stop certsvc

net start certsvc

 

Furthermore, you can view CRLs by running this command:

certutil -view -out “CRLThisPublish,CRLNumber,CRLCount” CRL


The Certification Authority Console by default will not display Certificate Revocation List (CRL)history as noted in the screenshot below.

You can change this behavior by running certsvc.msc /e from