
I need to import CRL files to a Bastion server that is not part of my environment's domain. The CRL files are updated every few days, so a new copy needs to be imported to the local cert store on the Bastion frequently.

I noticed that when I do a fresh import of a new CRL, old copies are not overwritten or deleted; a new copy is just added to the list. I'd like to run a script that will first delete the old CRL files in the Trusted Root CA and Intermediate CA CRLs store.


I haven't found a method to delete outdated/expired CRLs using certmgr, certutil or PowerShell. I need a way to script this so it's automated. Has anybody found a way to do this? Any help would be appreciated!

jrd1989

1 Answer


It's easy with certutil:

certutil -delstore Root <CRLHash>
certutil -delstore CA <CRLHash>

Unfortunately, PowerShell and .NET don't provide built-in means to enumerate CRLs in the store, nor do they support CRL objects. If you need a totally controlled approach, then you will have to p/invoke Win32 functions: https://docs.microsoft.com/en-us/windows/win32/seccrypto/cryptography-functions#certificate-and-certificate-store-functions, which is a large amount of programming work.

Crypt32
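One way to script the answer's certutil approach without enumerating the store, as an added example that is not from the question or answer above: the script imports the new CRL, then deletes the CRL that the previous run imported, using a hash recorded in a small state file. It assumes DER-encoded CRL files (certutil identifies a CRL by the SHA-1 hash of its DER encoding, which is what Get-FileHash returns for a DER file), an elevated session so the LocalMachine stores are writable, and a state-file location under ProgramData that is my own choice.

```powershell
# Added example: rotate a CRL in the machine Root or CA store with certutil.
# Assumptions: $CrlPath is a DER-encoded CRL, the session is elevated, and the
# state-file directory below is an arbitrary choice for this example.
param(
    [Parameter(Mandatory)] [string] $CrlPath,          # new CRL file to import
    [ValidateSet('Root', 'CA')] [string] $Store = 'CA'  # certutil store name
)

# Hypothetical location; one state file per store records the last imported hash.
$StateFile = Join-Path $env:ProgramData "crl-rotate\$Store.sha1"

# The SHA-1 of the DER bytes is the <CRLHash> that certutil -delstore expects.
# (A PEM/Base64 CRL would hash differently, so convert it to DER first.)
$newHash = (Get-FileHash -Path $CrlPath -Algorithm SHA1).Hash

# Import first, so the store is never left without a CRL if a later step fails.
certutil -addstore -f $Store $CrlPath | Out-Null
if ($LASTEXITCODE -ne 0) { throw "certutil -addstore failed for $CrlPath" }

# Delete the CRL recorded by the previous run, unless it is the same file again.
if (Test-Path $StateFile) {
    $oldHash = (Get-Content -Path $StateFile -Raw).Trim()
    if ($oldHash -and ($oldHash -ne $newHash)) {
        certutil -delstore $Store $oldHash | Out-Null
        if ($LASTEXITCODE -ne 0) {
            Write-Warning "Could not delete old CRL $oldHash from store $Store"
        }
    }
}

# Record the hash of the CRL now in the store for the next rotation.
New-Item -ItemType Directory -Path (Split-Path $StateFile) -Force | Out-Null
Set-Content -Path $StateFile -Value $newHash
```

Run it once per store after each CRL download, for example from a scheduled task; copies that were imported before the state file existed still have to be removed once by hand with certutil -delstore.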