How revocation works, why use it and publish a revocation list (CRL) ?

  • Windows Server
  • 03 November 2023 at 09:52 UTC
  • InformatiWeb
  • 2/2

7. Publish a delta revocation list (delta CRL)

To avoid forcing your clients to re-download the full revocation list (CRL) every time, or to have a revocation detected sooner (delta CRLs are published more frequently than full CRLs by default), you can manually publish a delta revocation list (delta CRL) instead of a full revocation list (CRL). A delta CRL only lists the certificates revoked since the last full CRL, so clients combine it with the full CRL they already have.

7.1. Using a new certificate

For this tutorial, we issued a new certificate to our web server, so this new certificate is currently valid.

Here is the serial number of this new certificate.

7.2. Revoke certificate

To revoke the certificate, open the "Certification Authority" console and go to the "Issued Certificates" section.

If necessary, double-click the desired certificate to ensure that it's the correct certificate to revoke.

To be sure, you can look at its serial number.

Revoke this certificate by right-clicking it and choosing "All Tasks -> Revoke Certificate".

Choose the reason you want to record for the revocation of this certificate, as well as the date from which this revocation takes effect (by default, now).

The revoked certificate disappears from the list of issued certificates and appears in the list of revoked certificates.

7.3. Publish delta revocation list (delta CRL)

To let your servers and client workstations know that this certificate has been revoked, you must publish its serial number in a revocation list (CRL) or in a delta revocation list (delta CRL). Until a CRL containing that serial number is published, clients that only check the CRL will still consider the certificate valid.

To do this, right-click the "Revoked Certificates" folder and choose "All Tasks -> Publish".

This time, we will publish a delta revocation list (delta CRL).
To do this, select "Delta CRL only" and click OK.

To verify that the publication has taken place, right-click the "Revoked Certificates" folder.
Then, in the "View CRL" tab, click the "View CRL" button (at the bottom of the window).

In the "Certificate Revocation List" window that appears, go to the "Revocation List" tab.

The serial number of the certificate you just revoked appears in the "Revocation List" tab of this certificate revocation list.

As expected, on the client side, access to the protected service with this revoked certificate is blocked.

On some client workstations, access may still work even though the certificate has been revoked in the meantime, because the client is still using a cached revocation result.

If so, clear your web browser's cache.

Then, empty the revocation cache of your client workstation by running the command below (from an elevated command prompt).

Batch

certutil -setreg chain\ChainCacheResyncFiletime @now

Now, access to the associated service is blocked and the error "This organization certificate has been revoked" appears.
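The following added example (not code from the InformatiWeb tutorial or from AD CS) shows what section 7 describes from the relying party's side: a full CRL published before the revocation, a delta CRL carrying only the newly revoked serial, and the check a client performs when it combines the two. The CA name, key and serial numbers are constructed for the example; it uses the Python `cryptography` library.

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa

# Constructed lab CA (hypothetical name, fresh key each run) standing in for the AD CS CA.
CA_KEY = rsa.generate_private_key(public_exponent=65537, key_size=2048)
CA_NAME = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Lab Root CA (constructed)")])
NOW = datetime.now(timezone.utc)
REVOKED_EARLIER = 0x1A0001   # constructed serial already listed in the full CRL
WEB_SERVER_CERT = 0x1A0002   # constructed serial of the web server cert revoked in step 7.2

def build_crl(serials, crl_number, delta_of=None):
    """Sign a CRL listing `serials`; with delta_of set, it is a delta CRL refining that base CRL."""
    b = (x509.CertificateRevocationListBuilder().issuer_name(CA_NAME)
         .last_update(NOW).next_update(NOW + timedelta(days=1))
         .add_extension(x509.CRLNumber(crl_number), critical=False))
    if delta_of is not None:  # RFC 5280 Delta CRL Indicator: the base CRL number this delta applies to
        b = b.add_extension(x509.DeltaCRLIndicator(delta_of), critical=True)
    for s in serials:
        b = b.add_revoked_certificate(x509.RevokedCertificateBuilder()
                                      .serial_number(s).revocation_date(NOW).build())
    return b.sign(CA_KEY, hashes.SHA256())

def crl_number(crl):
    return crl.extensions.get_extension_for_class(x509.CRLNumber).value.crl_number

def is_revoked(serial, base, delta=None):
    """What a relying party does: accept only CA-signed CRLs, then combine base and delta."""
    pub = CA_KEY.public_key()
    if not base.is_signature_valid(pub):
        raise ValueError("base CRL signature invalid")
    if delta is not None:
        if not delta.is_signature_valid(pub):
            raise ValueError("delta CRL signature invalid")
        indicator = delta.extensions.get_extension_for_class(x509.DeltaCRLIndicator).value.crl_number
        # A delta may only be combined with a base numbered >= its indicator and < the delta itself.
        if not indicator <= crl_number(base) < crl_number(delta):
            raise ValueError("delta CRL does not match this base CRL; fetch a newer full CRL")
        if delta.get_revoked_certificate_by_serial_number(serial) is not None:
            return True
    return base.get_revoked_certificate_by_serial_number(serial) is not None

# Full CRL number 5 was published before the web server certificate was revoked;
# the delta CRL (number 6) carries only the change made since then.
BASE_CRL = build_crl([REVOKED_EARLIER], crl_number=5)
DELTA_CRL = build_crl([WEB_SERVER_CERT], crl_number=6, delta_of=5)
```

A client that still holds only BASE_CRL (or a cached "valid" result) keeps accepting the web server certificate, which is exactly the situation the cache reset above resolves.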
