Virtual HSM
CRL Validity Period

Perform the recommended actions based on the CRL validity period status reported by the PKI health check.

This health check monitors the validity status of the Certificate Revocation Lists (CRLs) of each issuer and returns a list of findings. Unlike the CA expiry check, which relies on static durations, the CRL check uses a percentage of the CRL's validity period, since CRLs are easier to rotate and manage.

Health Check Name: crl_validity_period

Accessed APIs

  Method  Endpoint                        Authentication
  LIST    /issuers                        Unauthenticated
  READ    /config/crl                     Optional
  READ    /issuer/:issuer_ref/crl         Unauthenticated
  READ    /issuer/:issuer_ref/crl/delta   Unauthenticated

Configuration Parameters

  Parameter                      Type  Default  Description
  crl_expiry_pct_critical        int   95       Percentage of the CRL validity period after which the CRL is considered critically close to expiry.
  delta_crl_expiry_pct_critical  int   95       Percentage of the Delta CRL validity period after which it is considered critically close to expiry.

Health Check Results

  Condition                                                             Result         Description
  CRL validity period exceeds the critical threshold                    Critical       The CRL is considered critically close to expiry.
  CRL validity period exceeds the threshold but is within grace period  Informational  The CRL is nearing expiry but still within the configured grace period.
  CRL auto-rebuild is not enabled                                       Suggestion     The health check recommends enabling auto-rebuild for better CRL management.
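The percentage-based rule described above, as an added Go example that is not part of the vHSM project's code: it parses a DER CRL with the standard library, computes how much of the ThisUpdate..NextUpdate window has elapsed, and reports "critical" once that share reaches the crl_expiry_pct_critical threshold. The function names, the exact comparison (critical at or above the percentage, ok below) and the throwaway CA used to build the sample CRL are assumptions for illustration; the grace-period and auto-rebuild findings are not modelled.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// crlElapsedPct is the percentage of the CRL window ThisUpdate..NextUpdate already used at time now.
func crlElapsedPct(thisUpdate, nextUpdate, now time.Time) float64 {
	if window := nextUpdate.Sub(thisUpdate); window > 0 {
		return float64(now.Sub(thisUpdate)) / float64(window) * 100
	}
	return 100 // missing or inverted window: treat the CRL as fully used
}

// checkCRL parses a DER CRL and applies the page's rule (assumed comparison): "critical" at or above crl_expiry_pct_critical, else "ok".
func checkCRL(crlDER []byte, now time.Time, critPct int) (string, float64, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return "", 0, err
	}
	pct := crlElapsedPct(crl.ThisUpdate, crl.NextUpdate, now)
	if pct >= float64(critPct) {
		return "critical", pct, nil
	}
	return "ok", pct, nil
}

// makeTestCRL signs an empty CRL with a throwaway CA: constructed test data, not a real issuer.
func makeTestCRL(thisUpdate, nextUpdate time.Time) ([]byte, error) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "test-ca"},
		NotBefore: thisUpdate, NotAfter: nextUpdate.Add(24 * time.Hour), IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv) // a failure yields a nil issuer below
	ca, _ := x509.ParseCertificate(der)                                  // re-parsed so SubjectKeyId is populated
	crl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: thisUpdate, NextUpdate: nextUpdate}
	return x509.CreateRevocationList(rand.Reader, crl, ca, priv) // rejects a nil issuer, surfacing errors
}
func main() {
	start := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
	der, _ := makeTestCRL(start, start.Add(72*time.Hour))          // three-day CRL window
	status, pct, err := checkCRL(der, start.Add(70*time.Hour), 95) // 97.2% of the window used
	fmt.Println(status, pct, err)
}
```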

Recommended Actions

  1. Enable CRL auto-rebuild so that CRLs are regenerated automatically before they expire:

     vhsm write <mount>/config/crl auto_rebuild=true

  2. Review and adjust the critical thresholds (crl_expiry_pct_critical, delta_crl_expiry_pct_critical) to match your operational needs.

  3. Ensure Delta CRLs are consistently maintained, especially in security-sensitive deployments.


Last updated 2 months ago
