CA and CRL time limits also need to be adjusted. This can be done using the following command:
certutil -setreg CACRLPeriodUnits 7
certutil -setreg CACRLPeriod "Days"
certutil -setreg CACRLOverlapPeriodUnits 3
certutil -setreg CACRLOverlapPeriod "Days"
certutil -setreg CACRLDeltaPeriodUnits 0
certutil -setreg caValidityPeriodUnits 3
certutil -setreg caValidityPeriod "Years"
Once all this is done, in order to complete the configuration, restart the certificate service using the following command:
restart-service certsvc
Last but not the least, run the following command:
certutil -crl
Once all done, to generate CRLs, we can run PKIView.msc to verify the configuration:
PKIView.msc was first introduced with Windows 2003, and it gives visibility over enterprise PKI configuration. It also verifies the certificates and CRL for each CA to maintain the integrity.