CRL Validity Period

Perform the recommended actions based on the status of the CRL validity period reported by the PKI health check.

This health check monitors the validity status of the Certificate Revocation Lists (CRLs) of each issuer and returns a list of findings. Unlike the CA expiry checks, which rely on static durations, the CRL checks use a percentage-based threshold (how much of the CRL's validity window has already elapsed), because CRLs are easier to rotate and manage than CA certificates.

Health Check Name: crl_validity_period

Accessed APIs

| Method | Endpoint | Authentication |
|--------|----------|----------------|
| LIST | /issuers | Unauthenticated |
| READ | /config/crl | Optional |
| READ | /issuer/:issuer_ref/crl | Unauthenticated |
| READ | /issuer/:issuer_ref/crl/delta | Unauthenticated |

Configuration Parameters

| Parameter | Type | Default | Description |
|-----------|------|---------|-------------|
| crl_expiry_pct_critical | int | 95 | Percentage of the CRL validity period after which the CRL is considered critically close to expiry. |
| delta_crl_expiry_pct_critical | int | 95 | Percentage of the Delta CRL validity period after which the Delta CRL is considered critically close to expiry. |

Health Check Results

| Condition | Result | Description |
|-----------|--------|-------------|
| CRL validity period exceeds the critical threshold | Critical | The CRL is considered critically close to expiry. |
| CRL validity period exceeds the threshold but is within the grace period | Informational | The CRL is nearing expiry, but is still within the configured grace period. |
| CRL auto-rebuild is not enabled | Suggestion | The health check recommends enabling auto-rebuild for better CRL management. |

  1. Enable CRL auto-rebuild to ensure CRLs are automatically regenerated before expiry:

     vhsm write <mount>/config/crl auto_rebuild=true

  2. Review and adjust the critical thresholds to match your operational needs.

  3. Ensure Delta CRLs are consistently maintained, especially in security-sensitive deployments.
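The percentage-based classification described above, as an added illustration that is not the health check's own code. The length of the grace period, the shape of a finding, and the config dictionary keys other than the two documented thresholds and auto_rebuild are assumptions; the CRL timestamps are constructed sample data.

```python
# Added example (not the health check's own code): classifies each CRL by how much of
# its thisUpdate..nextUpdate window has elapsed. Grace period and finding shape are assumed.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass
class Finding:
    issuer: str
    kind: str      # "crl" or "delta"
    result: str    # "ok", "informational", "critical" or "suggestion"
    elapsed_pct: float

def elapsed_pct(this_update: datetime, next_update: datetime, now: datetime) -> float:
    """Share of the validity window already consumed, clamped to 0..100."""
    window = (next_update - this_update).total_seconds()
    if window <= 0:
        return 100.0  # nextUpdate not after thisUpdate: CRL is unusable, treat as fully elapsed
    return max(0.0, min(100.0, (now - this_update).total_seconds() / window * 100.0))

def check_crl(issuer, kind, this_update, next_update, now, pct_critical, auto_rebuild, grace):
    """One finding for one CRL; pct_critical is crl_expiry_pct_critical or the delta variant."""
    pct = elapsed_pct(this_update, next_update, now)
    if pct < pct_critical:
        return Finding(issuer, kind, "ok", pct)
    # Past the threshold. With auto-rebuild on and the remaining lifetime inside the
    # (assumed) rebuild grace period, a fresh CRL is expected: informational, not critical.
    if auto_rebuild and next_update - now <= grace:
        return Finding(issuer, kind, "informational", pct)
    return Finding(issuer, kind, "critical", pct)

def run_check(crls, now, cfg):
    """crls: (issuer, kind, this_update, next_update) tuples; cfg mirrors /config/crl + thresholds."""
    findings = []
    if not cfg["auto_rebuild"]:  # emitted once per run, independent of any CRL's age
        findings.append(Finding("*", "crl", "suggestion", 0.0))
    for issuer, kind, tu, nu in crls:
        pct = cfg["delta_crl_expiry_pct_critical"] if kind == "delta" else cfg["crl_expiry_pct_critical"]
        findings.append(check_crl(issuer, kind, tu, nu, now, pct, cfg["auto_rebuild"], cfg["grace"]))
    return findings

# Constructed sample: a 48 h CRL and a 12 h delta CRL, observed one hour before the CRL expires.
SAMPLE_CRLS = [
    ("root", "crl", datetime(2024, 1, 1, tzinfo=timezone.utc), datetime(2024, 1, 3, tzinfo=timezone.utc)),
    ("root", "delta", datetime(2024, 1, 2, 14, tzinfo=timezone.utc), datetime(2024, 1, 3, 2, tzinfo=timezone.utc)),
]
NOW = datetime(2024, 1, 2, 23, tzinfo=timezone.utc)
CFG = {"crl_expiry_pct_critical": 95, "delta_crl_expiry_pct_critical": 95, "grace": timedelta(hours=2)}
CFG_NO_REBUILD = dict(CFG, auto_rebuild=False)
CFG_REBUILD = dict(CFG, auto_rebuild=True)

if __name__ == "__main__":
    for f in run_check(SAMPLE_CRLS, NOW, CFG_NO_REBUILD):
        print(f)
```

With auto-rebuild disabled the sample yields a suggestion, a critical finding for the 98%-elapsed CRL and an ok for the delta CRL; enabling auto-rebuild turns the critical finding into an informational one because the remaining hour falls inside the assumed grace period.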
