
I need to import CRL files to a Bastion server that is not part of my environment's domain. The CRL files are updated every few days, so a new copy needs to be imported to the local cert store on the Bastion frequently.

I noticed that when I do a fresh import of a new CRL, old copies are not overwritten or deleted; a new copy is just added to the list. I'd like to run a script that will first delete the old CRL files in the Trusted Root CA and Intermediate CA CRLs stores.


I haven't found a method to delete outdated/expired CRLs using certmgr, certutil or PowerShell. I need a way to script this so it's automated. Has anybody found a way to do this? Any help would be appreciated!

jrd1989

2 Answers

0

It's easy with certutil:

certutil -delstore Root <CRLHash>
certutil -delstore CA <CRLHash>

Unfortunately, PowerShell and .NET don't provide built-in means to enumerate CRLs in the store, nor do they support CRL objects. If you need a totally controlled approach, then you will have to p/invoke Win32 functions: https://docs.microsoft.com/en-us/windows/win32/seccrypto/cryptography-functions#certificate-and-certificate-store-functions, which is a large amount of programming work.

Crypt32
0

PowerShell: one command to list (I am listing by issuer, but you can tweak it), one to delete.

Get list of all CRL hashes in CA store:

# Each key name is HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\CA\CRLs\<hash>,
# so element 6 of the backslash-separated name is the CRL hash
$crlHashes = ls HKLM:\Software\Microsoft\SystemCertificates\CA\CRLs | %{$_.name.split("\")[6]}

Associate the hash with issuer so you know where it came from:

# Print each hash followed by the Issuer line certutil reports for that CRL
$crlHashes | foreach-object {Write-Host; Write-Host "Hash: $_"; certutil -store CA $_ | findstr Issuer}

Then decide which ones to delete with the same command posted earlier:

certutil -delstore CA <hash>

Then you can automate it with an if/then along the lines of "if issuer = <someone>, then delete".

rccg94
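The two answers above combined into one script, as an added example that is not code from either poster: it enumerates the CRL hashes in the machine Root and CA stores from the registry, asks certutil for each CRL's issuer and NextUpdate, and removes the ones that have already expired (optionally only those from a given issuer). It assumes certutil prints `Issuer:` and `NextUpdate:` lines for a stored CRL and that the registry key name under `CRLs` is the hash certutil accepts; run it with `-WhatIf` first to preview what would be deleted.

```powershell
# Added example, not from the original answers. Assumes certutil prints
# "Issuer:" and "NextUpdate:" lines for a CRL and that each key name under
# ...\CRLs is the hash that certutil -store / -delstore accept.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string[]]$Stores = @('Root', 'CA'),
    [string]$IssuerFilter = ''   # optional substring of the issuer DN to restrict deletion to
)

function Get-StoredCrl {
    param([string]$Store)
    $key = "HKLM:\Software\Microsoft\SystemCertificates\$Store\CRLs"
    if (-not (Test-Path $key)) { return }
    foreach ($item in Get-ChildItem -Path $key) {
        $hash = $item.PSChildName          # last path element is the CRL hash
        $text = (certutil -store $Store $hash 2>$null) | Out-String
        $issuer = if ($text -match '(?m)^\s*Issuer:\s*(.+)$') { $Matches[1].Trim() } else { '' }
        $next = $null
        if ($text -match '(?m)^\s*NextUpdate:\s*(.+)$') {
            try { $next = [datetime]::Parse($Matches[1].Trim()) } catch { $next = $null }
        }
        [pscustomobject]@{ Store = $Store; Hash = $hash; Issuer = $issuer; NextUpdate = $next }
    }
}

$now = Get-Date
foreach ($store in $Stores) {
    foreach ($crl in Get-StoredCrl -Store $store) {
        # Only CRLs whose NextUpdate is known and already in the past are candidates
        $expired  = ($null -ne $crl.NextUpdate) -and ($crl.NextUpdate -lt $now)
        $issuerOk = (-not $IssuerFilter) -or ($crl.Issuer -like "*$IssuerFilter*")
        if ($expired -and $issuerOk) {
            $target = "$store\$($crl.Hash) ($($crl.Issuer), NextUpdate $($crl.NextUpdate))"
            if ($PSCmdlet.ShouldProcess($target, 'certutil -delstore')) {
                certutil -delstore $store $crl.Hash | Out-Null
            }
        } else {
            Write-Verbose "Keeping $store\$($crl.Hash) (NextUpdate: $($crl.NextUpdate))"
        }
    }
}
```

Because certutil is invoked once per CRL, the script stays within what the second answer already relies on and needs no p/invoke; schedule it before each fresh CRL import so the store never accumulates stale copies.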