# CRL Validity Period

This health check monitors the validity status of the Certificate Revocation Lists (CRLs) of each issuer and returns a list of findings. Unlike CA expiry checks, which rely on static durations, CRL checks use a percentage-based approach, because CRLs are easier to rotate and manage.

#### Health Check Name: **`crl_validity_period`**

#### Accessed APIs

| Method | Endpoint                        | Authentication  |
| ------ | ------------------------------- | --------------- |
| LIST   | `/issuers`                      | Unauthenticated |
| READ   | `/config/crl`                   | Optional        |
| READ   | `/issuer/:issuer_ref/crl`       | Unauthenticated |
| READ   | `/issuer/:issuer_ref/crl/delta` | Unauthenticated |

#### Configuration Parameters

| Parameter                       | Type | Default | Description                                                                                      |
| ------------------------------- | ---- | ------- | ------------------------------------------------------------------------------------------------ |
| `crl_expiry_pct_critical`       | int  | 95      | Percentage of CRL validity period after which the CRL is considered critically close to expiry.  |
| `delta_crl_expiry_pct_critical` | int  | 95      | Percentage of Delta CRL validity period after which it is considered critically close to expiry. |
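
To see what the default of 95 means for a concrete CRL, the following added example (not vHSM's own implementation) computes how much of a CRL's validity window has been consumed and compares it with the threshold. It assumes the percentage is the time elapsed between the CRL's `thisUpdate` and `nextUpdate` fields, and that the dates come from `openssl crl -noout -lastupdate -nextupdate`; the function names and the `ok`/`expired` labels are this example's own.

```python
from datetime import datetime, timezone

OPENSSL_FMT = "%b %d %H:%M:%S %Y GMT"  # date format printed by `openssl crl`

def parse_openssl_dates(text):
    """Extract (thisUpdate, nextUpdate) from
    `openssl crl -noout -lastupdate -nextupdate` output."""
    fields = dict(line.split("=", 1)
                  for line in text.strip().splitlines() if "=" in line)
    def to_dt(key):
        parsed = datetime.strptime(fields[key].strip(), OPENSSL_FMT)
        return parsed.replace(tzinfo=timezone.utc)
    return to_dt("lastUpdate"), to_dt("nextUpdate")

def elapsed_pct(this_update, next_update, now):
    """Share of the CRL validity window already consumed, in percent
    (assumed definition, see lead-in)."""
    window = (next_update - this_update).total_seconds()
    if window <= 0:
        raise ValueError("nextUpdate must be later than thisUpdate")
    return 100.0 * (now - this_update).total_seconds() / window

def classify(this_update, next_update, now, pct_critical=95):
    """Return (severity, pct). pct_critical plays the role of
    crl_expiry_pct_critical, or delta_crl_expiry_pct_critical for a delta CRL."""
    pct = elapsed_pct(this_update, next_update, now)
    if pct >= 100:
        return "expired", pct    # label added by this example: past nextUpdate
    if pct > pct_critical:
        return "critical", pct   # matches the Critical finding
    return "ok", pct             # label added by this example: below threshold

# Constructed sample output for a CRL with a 72-hour validity window.
SAMPLE = """lastUpdate=Mar  1 00:00:00 2024 GMT
nextUpdate=Mar  4 00:00:00 2024 GMT
"""

if __name__ == "__main__":
    this_u, next_u = parse_openssl_dates(SAMPLE)
    for now in (datetime(2024, 3, 2, 12, tzinfo=timezone.utc),
                datetime(2024, 3, 3, 21, tzinfo=timezone.utc)):
        severity, pct = classify(this_u, next_u, now)
        print(f"{now.isoformat()}  {pct:5.1f}% elapsed  ->  {severity}")
```

With a 72-hour window, the 95% threshold is crossed 68.4 hours after `thisUpdate`, which leaves 3.6 hours to rebuild the CRL before it expires.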

#### Health Check Results

| Condition                                                            | Result            | Description                                                              |
| -------------------------------------------------------------------- | ----------------- | ------------------------------------------------------------------------ |
| CRL validity period exceeds the critical threshold                   | **Critical**      | CRL is considered critically close to expiry.                            |
| CRL validity period exceeds the threshold but is within grace period | **Informational** | The CRL is nearing expiry, but within the configured grace period.       |
| CRL auto-rebuild is not enabled                                      | **Suggestion**    | Health check recommends enabling auto-rebuild for better CRL management. |

#### Recommended Actions

1. Enable CRL auto-rebuild to ensure CRLs are automatically regenerated before expiry:

   ```bash
   vhsm write <mount>/config/crl auto_rebuild=true
   ```
2. Review and adjust critical thresholds to match your operational needs.
3. Ensure Delta CRLs are consistently maintained, especially in security-sensitive deployments.

