Viewing the certificate authority database revocation list table

By default, the certification authority stores all revocation lists that have not yet expired in the certification authority database.

Under certain circumstances, e.g. because of a misconfigured script, a large number of revocation lists can end up being stored in the database this way, which leads to corresponding growth of the database (e.g. when large revocation lists are regenerated very frequently).

Database schema for the revocation list table

To make queries against the CRL table of the certification authority database, one must first identify the required database fields. This can be done with the following command:

certutil -schema CRL

Listing the revocation lists in the revocation list table

An overview of the revocation lists held in the CRL table can then be obtained with the following command, for example:

certutil -view -out "CRLNumber,CRLThisUpdate,CRLNextUpdate" CRL csv

Deletion of entries from the revocation list table

A revocation list can be deleted from the certification authority database by specifying its revocation list number with the following command:

certutil -deleterow {CRL number} CRL

Determining and modifying the storage behavior for revocation lists

Whether the certification authority removes expired revocation lists from the certification authority database (the default setting) or not is determined by the CRLF_DELETE_EXPIRED_CRLS flag in the CRLFlags registry value. The current setting can be determined with the following command:

certutil -v -getreg CA\CRLFlags

This command can be used to disable the deletion of expired revocation lists from the certification authority database:

certutil -setreg CA\CRLFlags -CRLF_DELETE_EXPIRED_CRLS

This command can be used to re-enable the deletion of expired revocation lists from the certification authority database:

certutil -setreg CA\CRLFlags +CRLF_DELETE_EXPIRED_CRLS

The changes become active only after restarting the certification authority service.
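The listing and deletion steps above can be combined into one script that reads the CRL table, flags rows whose Next Update has passed, and only runs the delete after confirmation. This is an added example, not part of the original article; it assumes certutil preserves the column order requested with -out, that CRLRowId (a column from the CRL schema) is the row id -deleterow expects, and it embeds a constructed sample so the parsing can be tried without a CA.

```powershell
# Added example: find expired CRL rows in the CA database and offer to delete them.
# Run with -SampleOnly to exercise the parsing on a non-CA machine, and with
# -WhatIf to see the planned deletions without executing them.
[CmdletBinding(SupportsShouldProcess)]
param(
    [switch]$SampleOnly,
    [datetime]$Now = (Get-Date)
)

# Columns requested from the CRL table; certutil emits them in this order.
$columns = 'CRLRowId', 'CRLNumber', 'CRLThisUpdate', 'CRLNextUpdate'

# Constructed sample in the shape of "certutil -view ... CRL csv" output
# (localized header line followed by quoted values). Real date formatting
# follows the CA's locale, so the parser uses CurrentCulture below.
$sampleCsv = @(
    '"Row Id","CRL Number","Effective Date","Next Update"',
    '"1","5","2024-03-01 08:00","2024-03-08 08:00"',
    '"2","6","2024-03-08 08:00","2024-03-15 08:00"',
    '"3","7","2024-03-15 08:00","2099-03-22 08:00"'
)

$lines = if ($SampleOnly) { $sampleCsv } else {
    certutil -view -out ($columns -join ',') CRL csv
    if ($LASTEXITCODE -ne 0) { throw "certutil -view failed (exit code $LASTEXITCODE)" }
}

# Drop certutil's own header line and apply the known column names instead,
# so the script does not depend on the localized display names.
$rows = @($lines | Select-Object -Skip 1 | Where-Object { $_ -match '\S' } |
    ConvertFrom-Csv -Header $columns)

$expired = @(foreach ($r in $rows) {
    $next = [datetime]::Parse($r.CRLNextUpdate, [cultureinfo]::CurrentCulture)
    if ($next -lt $Now) { $r }
})

"{0} CRL row(s) in the table, {1} expired as of {2:u}" -f $rows.Count, $expired.Count, $Now

foreach ($r in $expired) {
    $target = "CRL row $($r.CRLRowId) (CRL number $($r.CRLNumber), next update $($r.CRLNextUpdate))"
    if ($SampleOnly) {
        # Sample mode never touches a CA: just show the command that would run.
        "Would run: certutil -deleterow $($r.CRLRowId) CRL  # $target"
    }
    elseif ($PSCmdlet.ShouldProcess($target, 'certutil -deleterow')) {
        certutil -deleterow $r.CRLRowId CRL
    }
}
```

Deleting rows only trims what is already stored; whether expired lists keep accumulating is governed by the CRLF_DELETE_EXPIRED_CRLS flag described in the next section.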
