CRL Validity Period

Perform the recommended actions based on the status of the CRL validity period that was reported by PKI health check.

This health check monitors the validity status of Certificate Revocation Lists (CRLs) for each issuer and returns a list of findings. Unlike CA expiry checks (which rely on static durations), CRL checks use a percentage-based approach, as CRLs are easier to rotate and manage.

Health Check Name: `crl_validity_period`

Accessed APIs

Method

Endpoint

Authentication

LIST

/issuers

Unauthenticated

READ

/config/crl

Optional

READ

/issuer/:issuer_ref/crl

Unauthenticated

READ

/issuer/:issuer_ref/crl/delta

Unauthenticated

Configuration Parameters

Parameter

Type

Default

Description

crl_expiry_pct_critical

int

Percentage of CRL validity period after which the CRL is considered critically close to expiry.

delta_crl_expiry_pct_critical

int

Percentage of Delta CRL validity period after which it is considered critically close to expiry.

Health Check Results

Condition

Result

Description

CRL validity period exceeds the critical threshold

Critical

CRL is considered critically close to expiry.

CRL validity period exceeds the threshold but is within grace period

Informational

The CRL is nearing expiry, but within the configured grace period.

CRL auto-rebuild is not enabled

Suggestion

Health check recommends enabling auto-rebuild for better CRL management.

Recommended Actions

Enable CRL auto-rebuild to ensure CRLs are automatically regenerated before expiry:
```
vhsm write <mount>/config/crl auto_rebuild=true
```
Review and adjust critical thresholds to match your operational needs.
Ensure Delta CRLs are consistently maintained, especially in security-sensitive deployments.

PreviousCA Validity Period NextRoot Certificate Issued Non-CA Leaves

Last updated 1 month ago

Was this helpful?

CRL Validity Period

Perform the recommended actions based on the status of the CRL validity period that was reported by PKI health check.

Health Check Name: `crl_validity_period`

Accessed APIs

Method

Endpoint

Authentication

LIST

/issuers

Unauthenticated

READ

/config/crl

Optional

READ

/issuer/:issuer_ref/crl

Unauthenticated

READ

/issuer/:issuer_ref/crl/delta

Unauthenticated

Configuration Parameters

Parameter

Type

Default

Description

crl_expiry_pct_critical

int

Percentage of CRL validity period after which the CRL is considered critically close to expiry.

delta_crl_expiry_pct_critical

int

Percentage of Delta CRL validity period after which it is considered critically close to expiry.

Health Check Results

Condition

Result

Description

CRL validity period exceeds the critical threshold

Critical

CRL is considered critically close to expiry.

CRL validity period exceeds the threshold but is within grace period

Informational

The CRL is nearing expiry, but within the configured grace period.

CRL auto-rebuild is not enabled

Suggestion

Health check recommends enabling auto-rebuild for better CRL management.

Recommended Actions

Enable CRL auto-rebuild to ensure CRLs are automatically regenerated before expiry:
```
vhsm write <mount>/config/crl auto_rebuild=true
```
Review and adjust critical thresholds to match your operational needs.
Ensure Delta CRLs are consistently maintained, especially in security-sensitive deployments.

PreviousCA Validity Period NextRoot Certificate Issued Non-CA Leaves

Last updated 1 month ago

Was this helpful?

Health Check Name: crl_validity_period

Accessed APIs

Configuration Parameters

Health Check Results

Recommended Actions

Health Check Name: crl_validity_period

Accessed APIs

Configuration Parameters

Health Check Results

Recommended Actions

Health Check Name: `crl_validity_period`

Health Check Name: `crl_validity_period`