I have a Windows ADDS CA that for some reason is publishing revoked but expired certificates in the CRL and I can't for the life of me figure out why. Here is my configuration:
- Server 2012 R2
- Standalone CA
- It is the Root CA with a self-signed certificate (i.e. it is the top of the trust hierarchy)
- CRLF_PUBLISH_EXPIRED_CERT_CRLS is NOT set
- The EKUOIDsForPublishExpiredCertInCRL key only contains the default OIDs (software signing and kernel signing I believe). The certs in question here are IPSec certs.
- We do NOT publish delta CRLs - only full CRLs
- CRLs have a period of 35 days with 7 days of overlap
As best I can tell, based on the above settings expired certs should not be in the CRL. Especially not for the duration we're seeing (We have revoked certificates that expired in 2018 that are still appearing in the CRL!).
Are there other settings that could cause this? Generally speaking this is a pretty "vanilla" CA. I know the simplest solution would simply be to delete the expired certificates from the CA, but at this point I'm more curious about why this is happening at all, as it appears it should not be...
CRLF_PUBLISH_EXPIRED_CERT_CRLS is NOT set
Given that a CA does not publish this unless it is set, the obvious step is to check the massive truckload of CRL settings located at the backing registry value at: HKLM\SYSTEM\CurrentControlSet\services\CertSvc\Configuration\NameOfYourCA
Also, this should be tested on a version that is on-topic. 2012 is gone forever and is off topic.
Get-CARole -Name CAName | Get-CARoleRevocationExtension
If you want, I can provide you with a PowerShell script to revoke the expired certs, let me know.
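As an added example (not from the question or the answer above), here is a PowerShell check of the two settings the question names, read from the CA's registry configuration, followed by a certutil query for revoked certificates that have already expired. It assumes it runs on the CA host as a CA administrator and that $CaName holds the CA's common name; the bit value for CRLF_PUBLISH_EXPIRED_CERT_CRLS is taken from the Windows CA headers.

```powershell
# Added example: check the settings that govern expired-certificate CRL entries
# and list the revoked-but-expired certs the CA currently holds.
# Assumption: $CaName is the CA's common name (placeholder below).
$CaName = 'NameOfYourCA'
$base   = "HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\$CaName"

# CRLF_PUBLISH_EXPIRED_CERT_CRLS is bit 0x200 of the CRLFlags DWORD.
$CRLF_PUBLISH_EXPIRED_CERT_CRLS = 0x200
$crlFlags       = (Get-ItemProperty -Path $base -Name CRLFlags).CRLFlags
$publishExpired = ($crlFlags -band $CRLF_PUBLISH_EXPIRED_CERT_CRLS) -ne 0
"CRLFlags = 0x{0:X}; CRLF_PUBLISH_EXPIRED_CERT_CRLS set: {1}" -f $crlFlags, $publishExpired

# EKUs for which expired revoked certs stay in the CRL even when the flag is clear.
$ekus = (Get-ItemProperty -Path $base -Name EKUOIDsForPublishExpiredCertInCRL `
            -ErrorAction SilentlyContinue).EKUOIDsForPublishExpiredCertInCRL
"EKUOIDsForPublishExpiredCertInCRL:"
if ($ekus) { $ekus | ForEach-Object { "  $_" } } else { "  (value not present)" }

# Revoked certificates (Disposition 21) whose NotAfter is already in the past.
# With the flag clear and their EKUs absent from the list above, these are the
# entries that should be dropping out of the next full CRL.
certutil -view -restrict "Disposition=21,NotAfter<=now" `
    -out "RequestID,CommonName,NotAfter,RevokedWhen,RevokedReason"
```

`certutil -getreg ca\CRLFlags` prints the same DWORD decoded into its symbolic flag names, which is a quick way to confirm the bit test above.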