
PKI - Signing a CRL with a new validity period.


I would like to schedule a task to sign the current CRL with a longer validity period. This CRL would only be published if the CA was down and more time was needed to fix the problem than the current CRL is valid for. We use an HSM, so the signing has to take place on the CA.

I have tried using the Certutil -sign <CRL> <NewCRL> <time> command, but that opens a window where the certificate needs to be selected for signing. So, that prevents automating the signing. I don't see a way to pass the certificate information.

I was wondering if anyone else had found a way to do this, maybe in C# or PowerShell.

