Maximum Size of CRL

crl

Is there a CRL size that is beyond a practical limit? I did not find anything in the RFC. Is there any limit at all on the size of CRLs?

Best Answer

I don't think there is a size limit, though other practical and security limitations should limit their size. The largest I've seen was one from Thawte at ~5MB. Most CRLs are distributed with Delta locations so clients don't need to constantly pull the whole thing.

Related Solutions

Windows – Reset local Certificate Revocation List (CRL) manual

How large is the certificate OCSP and CRL cache in the Windows server

Monitoring the cache size is important when any PKI application needs to verify the CRL of several certificates. AD for example will consume 100MB of RAM for 50,000 OCSP users vs 4MB when using the CRL method of validating users' certificates. reference

There are two types of caches, disk and memory. Although this doesn't directly answer the question perhaps the size of the disk cache will help one infer the size of the memory cache

The CRL disk cache size is found by typing the command

 certutil -urlcache crl

...and multiplying by 80 bytes per entry

The OCSP disk cache size is found by typing

 certutil -urlcache ocsp

and multiply the entry count by 2 kilobytes (KBs).

Best Answer

Related Solutions

Windows – Reset local Certificate Revocation List (CRL) manual

How large is the certificate OCSP and CRL cache in the Windows server

Related Topic