CRL Validity Period
Perform the recommended actions based on the status of the CRL validity period reported by the PKI health check.
This health check monitors the validity status of Certificate Revocation Lists (CRLs) for each issuer and returns a list of findings. Unlike CA expiry checks (which rely on static durations), CRL checks use a percentage-based approach, as CRLs are easier to rotate and manage.
Health Check Name: crl_validity_period
Accessed APIs
| Operation | Path | Access |
|---|---|---|
| LIST | /issuers | Unauthenticated |
| READ | /config/crl | Optional |
| READ | /issuer/:issuer_ref/crl | Unauthenticated |
| READ | /issuer/:issuer_ref/crl/delta | Unauthenticated |
Configuration Parameters
| Parameter | Type | Default | Description |
|---|---|---|---|
| crl_expiry_pct_critical | int | 95 | Percentage of CRL validity period after which the CRL is considered critically close to expiry. |
| delta_crl_expiry_pct_critical | int | 95 | Percentage of Delta CRL validity period after which it is considered critically close to expiry. |
Health Check Results
| Finding | Status | Description |
|---|---|---|
| CRL validity period exceeds the critical threshold | Critical | CRL is considered critically close to expiry. |
| CRL validity period exceeds the threshold but is within grace period | Informational | The CRL is nearing expiry, but within the configured grace period. |
| CRL auto-rebuild is not enabled | Suggestion | Health check recommends enabling auto-rebuild for better CRL management. |
Recommended Actions
Enable CRL auto-rebuild to ensure CRLs are automatically regenerated before expiry.
Review and adjust critical thresholds to match your operational needs.
Ensure Delta CRLs are consistently maintained, especially in security-sensitive deployments.
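To cross-check the percentage-based thresholds outside the health check, the following added example (not part of the product or its documentation) computes how much of a CRL's validity period has elapsed from the output of `openssl crl -noout -lastupdate -nextupdate`. The sample dates, the function names and the "ok" status label are assumptions made for illustration, and the grace-period downgrade to Informational is not modeled.

```python
from datetime import datetime, timezone

OPENSSL_FMT = "%b %d %H:%M:%S %Y GMT"
# Values of crl_expiry_pct_critical and delta_crl_expiry_pct_critical from the page.
PCT_CRITICAL = {"crl": 95, "delta": 95}

# Constructed sample output of `openssl crl -noout -lastupdate -nextupdate`
# (not from a real CA): a 72-hour CRL and a 24-hour delta CRL.
FULL_CRL = "lastUpdate=May  1 00:00:00 2024 GMT\nnextUpdate=May  4 00:00:00 2024 GMT\n"
DELTA_CRL = "lastUpdate=May  3 12:00:00 2024 GMT\nnextUpdate=May  4 12:00:00 2024 GMT\n"


def parse_crl_dates(openssl_output):
    """Return (lastUpdate, nextUpdate) as UTC datetimes."""
    fields = dict(line.strip().split("=", 1)
                  for line in openssl_output.splitlines() if "=" in line)

    def to_utc(value):
        return datetime.strptime(value, OPENSSL_FMT).replace(tzinfo=timezone.utc)

    return to_utc(fields["lastUpdate"]), to_utc(fields["nextUpdate"])


def percent_used(openssl_output, now):
    """Percentage of the validity period that has elapsed at `now`."""
    last_update, next_update = parse_crl_dates(openssl_output)
    lifetime = (next_update - last_update).total_seconds()
    if lifetime <= 0:
        raise ValueError("nextUpdate is not later than lastUpdate")
    return 100.0 * (now - last_update).total_seconds() / lifetime


def crl_findings(crls, now, auto_rebuild):
    """crls maps 'crl'/'delta' to openssl output; returns (subject, status) pairs."""
    findings = []
    for kind, output in crls.items():
        # An expired CRL is above 100% and is therefore reported as critical too.
        status = "critical" if percent_used(output, now) > PCT_CRITICAL[kind] else "ok"
        findings.append((kind, status))
    if not auto_rebuild:
        findings.append(("auto_rebuild", "suggestion"))
    return findings


if __name__ == "__main__":
    now = datetime(2024, 5, 3, 21, 0, tzinfo=timezone.utc)  # constructed check time
    print(crl_findings({"crl": FULL_CRL, "delta": DELTA_CRL}, now, auto_rebuild=False))
```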