In some cases, a CA must revoke a certificate before the certificate’s validity period expires. When a certificate is revoked, the CA includes the serial number of the certificate and the reason for the revocation in the CRL.
A relying party should reject a certificate that is revoked.
Windows Server 2008 supports the issuance of two types of CRLs: base CRLs and delta CRLs.
A base CRL contains the serial numbers of all certificates revoked on a CA that are still time valid, as well as the reason for each revocation. A base CRL contains all time-valid revoked certificates signed by a CA’s specific private ...