One of the problems of large scale PKI deployments such as DOD and others is the effect on large distributed networks by ever growing CRLs. CRLs are lists of revoked certificates and in a classic deployment are required everywhere a machine or person uses a certificate in order to verify that the certificate is still valid. In large deployments with thousands of servers and workstations this list can grow quickly to be MegaBytes in size and the effect of pushing this to every machine is a nightmare. Of course OCSP can be used to alleviate this problem but it is worth examining the previous post in this light.

In the previous post a hidden technique was used to ensure Microsofts 2003 Enterprise CA generated Serial Numbers in a more “Serial” way. The technique is as follows:

certutil –delreg ca\HighSerial

certutil –setreg ca\HighSerial “3d”

If we look at the output serial numbers:

It’s also clear to see that the number of bytes used drops from 10 to 7 a saving of 30%. The impact on CRL size is clear with upto 40% savings documented by the likes of CoreStreet.

It is therefore obvious that this technique might be a useful tool in the armoury of anyone deploying a Microsoft PKI


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s