Basics: Delta revocation lists

Certificate revocation lists (CRLs) are used to remove issued certificates from circulation before the end of their validity period.

A CRL is a signed list of the serial numbers of certificates that have been revoked by the certification authority. The revocation list has a relatively short validity period (usually only a few days) and is reissued and signed by the associated certification authority at regular intervals.

Certificate revocation lists can reach a considerable size if the volume of revoked certificates is high (as a rule of thumb, you can expect about 5 megabytes per 100,000 entries). The regular download of large certificate revocation lists by subscribers can generate a large network load. To address this problem, there is the concept of delta revocation lists.

Sometimes it is necessary for a certificate issued by a certification authority to be withdrawn from circulation even before its expiration date. To make this possible, a certification authority keeps a revocation list. This is a signed file with a relatively short expiration date, which is used in combination with the certificate to check its validity.

Functionality

The idea behind delta revocation lists is to extend the publication interval of the (supposedly large) base revocation list so that participants need to download it less frequently. Changes that have occurred since the last publication of the base revocation list are written to the delta revocation list, which is published at shorter intervals.

A base revocation list can therefore have several delta revocation lists associated with it. When publishing certificate revocation lists, you have the choice of publishing the base revocation list or a new delta revocation list.

If delta revocation lists are active, the base revocation list has an extension called "Freshest CRL" which contains the URL for downloading the delta revocation list.

If delta revocation lists are activated, a revocation status check is therefore only possible if both the base revocation list and an associated delta revocation list can be retrieved and are time-valid.

Mapping in Microsoft Active Directory Certificate Services

Configuration

The configuration of the revocation list validity is mapped in the registry under the following path:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\{name-of-certification-authority}

Registry value           Default value
CRLPeriodUnits           1
CRLPeriod                Weeks
CRLOverlapUnits          0
CRLOverlapPeriod         Hours
CRLDeltaPeriodUnits      1
CRLDeltaPeriod           Days
CRLDeltaOverlapUnits     0
CRLDeltaOverlapPeriod    Minutes

Default values

If you install a Microsoft Certification Authority with default settings, delta revocation lists are automatically enabled with the following settings:

Revocation list          Parameter        Explicitly configured value   Effective value
Base revocation list     Validity         1 week                        1 week
Base revocation list     Overlap period   0 hours                       12 hours
Delta revocation list    Validity         1 day                         1 day
Delta revocation list    Overlap period   0 minutes                     12 hours

As you can see, the values for the overlap periods are set to 0 in each case. However, this does not mean that the revocation list overlap is thereby disabled. Rather, the certification authority applies a default value of 12 hours. This results in the following validity periods in the default setting:

  • The base revocation list is valid for 180 hours (1 week + 12 hours) and is renewed 12 hours before expiration.
  • The delta revocation list is valid for 36 hours (1 day + 12 hours) and is renewed 12 hours before expiration.

The Microsoft Certification Authority additionally sets the issue date of each revocation list 10 minutes into the past. Likewise, the end date is extended by 10 minutes. This is intended to prevent problems caused by imperfect time synchronization between the participants.
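The following Python model, added here as an illustration and not part of the original article or of AD CS itself, puts the two rules above together: how the effective validity window of a base and delta CRL is computed from the registry-style settings (an overlap of 0 meaning the 12-hour default, plus the 10-minute skew allowance on both ends), and how a relying party must evaluate a serial number once the base CRL carries a Freshest CRL extension. The CRL numbers, serial numbers, timestamps and the delta URL are constructed sample values; the Delta CRL Indicator check follows RFC 5280 and is not described on the page.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import FrozenSet, Optional

# Constructed model of the behaviour described in the article; not the CA's own code.
UNITS = {
    "Minutes": timedelta(minutes=1),
    "Hours": timedelta(hours=1),
    "Days": timedelta(days=1),
    "Weeks": timedelta(weeks=1),
}
DEFAULT_OVERLAP = timedelta(hours=12)  # applied by the CA when the configured overlap is 0
CLOCK_SKEW = timedelta(minutes=10)     # thisUpdate backdated / nextUpdate extended by 10 min


def effective_lifetime(period_units: int, period: str,
                       overlap_units: int, overlap: str) -> timedelta:
    """Validity as the CA computes it: period plus overlap, where an overlap of 0
    means the 12-hour default rather than no overlap at all."""
    if overlap_units == 0:
        configured_overlap = DEFAULT_OVERLAP
    else:
        configured_overlap = overlap_units * UNITS[overlap]
    return period_units * UNITS[period] + configured_overlap


def validity_window(issued: datetime, lifetime: timedelta):
    """(thisUpdate, nextUpdate) including the 10-minute skew allowance on both ends."""
    return issued - CLOCK_SKEW, issued + lifetime + CLOCK_SKEW


@dataclass(frozen=True)
class Crl:
    crl_number: int
    this_update: datetime
    next_update: datetime
    revoked: FrozenSet[int]
    freshest_crl: Optional[str] = None     # Freshest CRL extension (base CRL only)
    base_crl_number: Optional[int] = None  # Delta CRL Indicator (delta CRL only)

    def time_valid(self, now: datetime) -> bool:
        return self.this_update <= now <= self.next_update


def revocation_status(serial: int, base: Crl, delta: Optional[Crl], now: datetime) -> str:
    """Return 'revoked', 'good' or 'undetermined' for a serial number. As soon as
    the base CRL points at a delta CRL, the delta must be present and time-valid too;
    otherwise the relying party cannot decide and must report 'undetermined'."""
    if not base.time_valid(now):
        return "undetermined"
    revoked = set(base.revoked)
    if base.freshest_crl is not None:
        if delta is None or not delta.time_valid(now):
            return "undetermined"
        # RFC 5280: a delta applies to base CRLs numbered at or above its BaseCRLNumber
        if delta.base_crl_number is None or delta.base_crl_number > base.crl_number:
            return "undetermined"
        revoked |= delta.revoked
    return "revoked" if serial in revoked else "good"


def default_scenario() -> dict:
    """Constructed timeline with the default settings: weekly base CRL, daily delta CRL."""
    t0 = datetime(2024, 1, 1, 8, 0, tzinfo=timezone.utc)
    base_life = effective_lifetime(1, "Weeks", 0, "Hours")    # 168 h + 12 h = 180 h
    delta_life = effective_lifetime(1, "Days", 0, "Minutes")  # 24 h + 12 h = 36 h
    base = Crl(10, *validity_window(t0, base_life), frozenset({0x1001}),
               freshest_crl="http://pki.example.invalid/delta.crl")  # constructed URL
    delta = Crl(11, *validity_window(t0 + timedelta(days=1), delta_life),
                frozenset({0x1002}), base_crl_number=10)
    # base CRL issued without a Freshest CRL extension: no delta needed at all
    base_no_delta = Crl(12, *validity_window(t0, base_life), frozenset())
    check_time = t0 + timedelta(days=1, hours=1)
    late = t0 + timedelta(days=3)  # delta expired, base still valid for days
    return {
        "base_hours": base_life / timedelta(hours=1),
        "delta_hours": delta_life / timedelta(hours=1),
        "in_delta": revocation_status(0x1002, base, delta, check_time),
        "in_base": revocation_status(0x1001, base, delta, check_time),
        "delta_expired": revocation_status(0x1003, base, delta, late),
        "no_delta_needed": revocation_status(0x1003, base_no_delta, None, late),
    }


if __name__ == "__main__":
    for key, value in default_scenario().items():
        print(f"{key}: {value}")
```

The `delta_expired` case is the one to watch operationally: the base CRL is still days from expiry, yet every status check fails because the referenced delta is no longer time-valid. That is exactly the situation a relying party ends up in when delta publication stops without a fresh base CRL being issued.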

On the usefulness of delta revocation lists

Most enterprises will never find themselves having to revoke so many certificates that significant load situations could occur without delta revocation lists. De facto, most companies have not even implemented a resilient certificate revocation process.

The use of delta revocation lists can provide a security advantage (due to their usually very short validity periods), as certificate revocations become effective very quickly.

It should be noted, however, that the time available for emergency measures, such as issuing an emergency revocation list in the event of a certification authority or hardware security module failure, is shortened just as drastically by the use of delta revocation lists.

Thus, the decision for or against delta revocation lists ultimately depends on the use cases involved. However, it can be said that the requirement for operability (operational stability) will generally take precedence over certificate revocations becoming effective at short notice.

An alternative to delta revocation lists can be the use of an Online Responder (OCSP). However, this service is only suitable for improving efficiency.

Disable delta revocation lists

In many cases, it may make sense to deactivate delta revocation lists and instead work with larger overlap periods for the base revocation list.

Deactivate via the registry

If you set the "CRLDeltaPeriodUnits" in the registry to the value 0 and then restart the certification authority, it will no longer issue delta revocation lists.

certutil -setreg CA\CRLDeltaPeriodUnits 0
net stop certsvc
net start certsvc

It is advisable to issue a new base revocation list directly, which no longer refers to a delta revocation list, i.e. no longer has a "Freshest CRL" extension.

certutil -crl

However, deactivating delta revocation lists via the registry has the disadvantage that problems may arise with certificate revocation lists cached by subscribers. They may continue to use the old base revocation list until it expires, but they can no longer obtain an associated valid delta revocation list because these are no longer issued.

Therefore, it is advisable to always disable delta revocation lists via the Certification Authority Management Console.

Disable via the Certification Authority Management Console

In the Certification Authority Management Console, delta revocation lists can be configured by right-clicking the "Revoked Certificates" folder and opening its properties.

If the "Publish Delta CRLs" checkbox is removed, the certification authority will no longer issue new delta revocation lists.

However, something additional happens behind the scenes. The certification authority immediately issues a new base revocation list (pictured on the left) that no longer contains a "Freshest CRL" extension. In addition, a delta revocation list (pictured on the right) is issued one last time, with the same expiration date as the base revocation list.

This prevents subscribers from encountering the inconsistent situation described earlier and from being unable to check certificates for their revocation status.
