What should be the CRL publishing period for corporate environments

Tags: crl, pki

I am trying to suggest a CRL publishing period for a Microsoft CA; the user certificates are going to be used for digital signatures. There can be cases where a user certificate may be revoked.

Normally, what period should be defined, so that I can check within that period?

Currently they have set it to a month to publish the next CRL for the s-ca.

Best Answer

How have you structured your CAs, a single CA, or many CAs? How quickly do you need certificates to be revoked? How are you using the certificates?

If you are using the certificate for AD authentication, in the case of a serious emergency, you can temporarily disable the account if you believe a certificate for that account has been compromised.

If you have a stand-alone offline CA that only issues certificates to a subordinate CA, then the publishing period for that offline CA most likely can be pretty long. You want a longer time so you don't have to go to the huge effort of booting up the offline server to publish a CRL frequently. You might choose a longer period.

If you are talking about a CA that is online and actively issuing certificates, I would go with a shorter period. You don't want the validity period to be shorter than the time it takes for full replication of your AD, and you don't want it to be shorter than the time it would take to rebuild/restore your CA if the hardware failed.

It really depends a lot on what your exact requirements are. If you can automate the CRL publishing, and your CAs are reliable, then a shorter period will make it much less likely that a revoked certificate can be used.

If you haven't read them yet, please see these Microsoft articles.
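Turning the answer's guidance into a concrete setting on an online issuing CA, as an added example that is not part of the original answer (assumed values: a 1-day base period with a 12-hour overlap and no delta CRL; run from an elevated PowerShell session on the CA itself):

```powershell
# Added example, not from the original post: inspect and set the base CRL
# publishing period and overlap on an online issuing (sub) CA with certutil.
# The values chosen (1-day base period, 12-hour overlap, no delta CRL) are
# assumptions for an online CA whose publishing is automated; an offline root
# would keep a much longer period because it is booted only to publish.

# Show the current settings before changing anything.
certutil -getreg CA\CRLPeriodUnits
certutil -getreg CA\CRLPeriod
certutil -getreg CA\CRLOverlapUnits
certutil -getreg CA\CRLOverlapPeriod
certutil -getreg CA\CRLDeltaPeriodUnits

# Base CRL: publish a new one every day. The answer's constraint is that the
# CRL must stay valid longer than full AD replication and longer than a CA
# rebuild/restore; the overlap below extends the validity window past the
# next scheduled publish, so a short outage does not leave clients holding an
# expired CRL (which makes every certificate from this CA fail validation).
certutil -setreg CA\CRLPeriodUnits 1
certutil -setreg CA\CRLPeriod "Days"

# Overlap: the published CRL stays valid 12 hours beyond the next publish time,
# so NextUpdate = ThisUpdate + CRLPeriod + CRLOverlapPeriod.
certutil -setreg CA\CRLOverlapUnits 12
certutil -setreg CA\CRLOverlapPeriod "Hours"

# No delta CRLs in this example (a non-zero value enables them).
certutil -setreg CA\CRLDeltaPeriodUnits 0

# Settings take effect after the CA service restarts; then publish immediately.
Restart-Service certsvc
certutil -CRL

# Verify the resulting window on the freshly published CRL file: the gap
# between ThisUpdate and NextUpdate should be about CRLPeriod + CRLOverlap.
Get-ChildItem "$env:SystemRoot\System32\CertSrv\CertEnroll\*.crl" |
    ForEach-Object { certutil -dump $_.FullName | Select-String "Update" }
```

The same registry values are read with `certutil -getreg` on any CA, so the inspection part can be used to audit an existing CA's period before proposing a change.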