Configuring CRL - dogtagpki/pki GitHub Wiki

Enabling CRL

CRL is enabled by default in the CA. To enable CRL manually:

$ pki-server ca-config-set ca.crl.MasterCRL.enable true
$ pki-server ca-config-set ca.crl.MasterCRL.enableCRLCache true
$ pki-server ca-config-set ca.crl.MasterCRL.enableCRLUpdates true
$ pki-server ca-config-set ca.transitRecordPageSize 200
$ pki-server ca-config-set ca.transitMaxRecords 1000000
$ pki-server ca-config-set ca.certStatusUpdateInterval 600

To enable delta CRL:

$ pki-server ca-config-set ca.crl.MasterCRL.extension.DeltaCRLIndicator.enable true

The server must be restarted.

Configuring CRL Number

To change the CRL number, execute the following command:

$ ldapmodify -x -D "cn=Directory Manager" -w Secret.123 << EOF
dn: cn=MasterCRL,ou=crlIssuingPoints,ou=ca,dc=ca,dc=pki,dc=example,dc=com
changetype: modify
replace: crlNumber
crlNumber: <CRL number>
EOF

Then restart the server.

Miscellaneous CRL Configuration

ca.crl.pageSize=100
ca.crl.MasterCRL.allowExtensions=true
ca.crl.MasterCRL.alwaysUpdate=false
ca.crl.MasterCRL.caCertsOnly=false
ca.crl.MasterCRL.cacheUpdateInterval=15
ca.crl.MasterCRL.unexpectedExceptionWaitTime=30
ca.crl.MasterCRL.unexpectedExceptionLoopMax=10
ca.crl.MasterCRL.class=com.netscape.ca.CRLIssuingPoint
ca.crl.MasterCRL.description=CA's complete Certificate Revocation List
ca.crl.MasterCRL.enableCRLCache=true
ca.crl.MasterCRL.enableCRLUpdates=true
ca.crl.MasterCRL.enableCacheTesting=false
ca.crl.MasterCRL.enableCacheRecovery=true
ca.crl.MasterCRL.extendedNextUpdate=true
ca.crl.MasterCRL.includeExpiredCerts=false
ca.crl.MasterCRL.minUpdateInterval=0
ca.crl.MasterCRL.nextUpdateGracePeriod=0
ca.crl.MasterCRL.publishOnStart=false
ca.crl.MasterCRL.saveMemory=false
ca.crl.MasterCRL.signingAlgorithm=SHA256withRSA
ca.crl.MasterCRL.updateSchema=1

By default a CRL is generated even if there is no revoked certificate:

ca.crl.MasterCRL.noCRLIfNoRevokedCert=false

Configuring CRL Update Frequency

See Configuring CRL Update Frequency.

Configuring CRL Extensions

See Configuring CRL Extensions.

Disabling CRL

$ pki-server ca-config-set ca.certStatusUpdateInterval 0
$ pki-server ca-config-set ca.listenToCloneModifications false
$ pki-server ca-config-set ca.crl.MasterCRL.enableCRLCache false
$ pki-server ca-config-set ca.crl.MasterCRL.enableCRLUpdates false
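As an added example (not Dogtag project code), the following Python parses key=value properties in the CS.cfg format shown above and reports whether a CA's CRL settings match the enabling procedure, the disabling procedure, or a mix of the two. The sample configuration is constructed; treating a missing enable key as enabled is an assumption taken from the note that CRL is enabled by default.

```python
"""Audit the CRL settings of a Dogtag CA CS.cfg (added example, not Dogtag project code)."""

# Constructed sample in the key=value format shown on this page (not a real deployment).
SAMPLE_CFG = """\
ca.certStatusUpdateInterval=600
ca.crl.MasterCRL.enable=true
ca.crl.MasterCRL.enableCRLCache=true
ca.crl.MasterCRL.enableCRLUpdates=true
ca.crl.MasterCRL.noCRLIfNoRevokedCert=false
ca.crl.MasterCRL.signingAlgorithm=SHA256withRSA
"""


def parse_cs_cfg(text):
    """Parse CS.cfg-style 'key=value' lines; blank lines and '#' comments are skipped."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def audit_crl(props):
    """Return findings; an empty list means the settings match the 'Enabling CRL' state."""
    def is_true(key, default="false"):
        return props.get(key, default).strip().lower() == "true"

    findings = []
    # Assumption: a missing 'enable' key means the default, which this page says is enabled;
    # every other missing key is treated as off so a partial config is not silently passed.
    if not is_true("ca.crl.MasterCRL.enable", "true"):
        findings.append("MasterCRL issuing point disabled (ca.crl.MasterCRL.enable=false)")
    off = [k for k in ("ca.crl.MasterCRL.enableCRLUpdates", "ca.crl.MasterCRL.enableCRLCache")
           if not is_true(k)]
    if int(props.get("ca.certStatusUpdateInterval", "0")) <= 0:
        off.append("ca.certStatusUpdateInterval")
    if len(off) == 3:  # exactly the state the 'Disabling CRL' procedure produces
        findings.append("CRL updates disabled: updates, cache and status interval are all off")
    elif off:
        findings.append("inconsistent CRL settings, off: " + ", ".join(off))
    if is_true("ca.crl.MasterCRL.noCRLIfNoRevokedCert"):
        findings.append("noCRLIfNoRevokedCert=true: no CRL is generated until the first revocation")
    alg = props.get("ca.crl.MasterCRL.signingAlgorithm", "SHA256withRSA")
    if alg.upper().startswith(("SHA1", "MD5")):
        findings.append("weak CRL signing algorithm: " + alg)
    return findings
```

Run `audit_crl(parse_cs_cfg(open("/path/to/CS.cfg").read()))` against a real instance to see the findings for that CA.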