# CRL Validity Period

This health check monitors the validity status of Certificate Revocation Lists (CRLs) for each issuer and returns a list of findings. Unlike CA expiry checks (which rely on static durations), CRL checks use a percentage-based approach: thresholds are expressed as a percentage of the CRL's validity period, because CRLs are easier to rotate and manage.

#### Health Check Name: **`crl_validity_period`**

#### Accessed APIs

| Method | Endpoint                        | Authentication  |
| ------ | ------------------------------- | --------------- |
| LIST   | `/issuers`                      | Unauthenticated |
| READ   | `/config/crl`                   | Optional        |
| READ   | `/issuer/:issuer_ref/crl`       | Unauthenticated |
| READ   | `/issuer/:issuer_ref/crl/delta` | Unauthenticated |

#### Configuration Parameters

| Parameter                       | Type | Default | Description                                                                                      |
| ------------------------------- | ---- | ------- | ------------------------------------------------------------------------------------------------ |
| `crl_expiry_pct_critical`       | int  | 95      | Percentage of CRL validity period after which the CRL is considered critically close to expiry.  |
| `delta_crl_expiry_pct_critical` | int  | 95      | Percentage of Delta CRL validity period after which it is considered critically close to expiry. |

#### Health Check Results

| Condition                                                                | Result            | Description                                                              |
| ------------------------------------------------------------------------ | ----------------- | ------------------------------------------------------------------------ |
| CRL validity period exceeds the critical threshold                       | **Critical**      | CRL is considered critically close to expiry.                            |
| CRL validity period exceeds the threshold but is within the grace period | **Informational** | The CRL is nearing expiry, but within the configured grace period.       |
| CRL auto-rebuild is not enabled                                          | **Suggestion**    | Health check recommends enabling auto-rebuild for better CRL management. |
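
The percentage-based evaluation can be reproduced by hand to sanity-check a threshold before changing it. The following is an added example, not the health check's own code: it assumes the CRL's dates were printed with `openssl crl -noout -lastupdate -nextupdate`, the function names are hypothetical, and treating "exceeds" as a strict comparison is an assumption. The Informational grace-period condition is not modelled; pass the `delta_crl_expiry_pct_critical` value as `pct_critical` for a Delta CRL.

```python
from datetime import datetime, timezone

# Date format printed by `openssl crl -noout -lastupdate -nextupdate`.
OPENSSL_FMT = "%b %d %H:%M:%S %Y GMT"


def parse_crl_dates(openssl_output):
    """Return (lastUpdate, nextUpdate) as UTC datetimes from openssl's output."""
    found = {}
    for line in openssl_output.splitlines():
        key, sep, value = line.strip().partition("=")
        # openssl prints "nextUpdate=NONE" when the field is absent.
        if sep and key in ("lastUpdate", "nextUpdate") and value.strip() != "NONE":
            parsed = datetime.strptime(value.strip(), OPENSSL_FMT)
            found[key] = parsed.replace(tzinfo=timezone.utc)
    if len(found) != 2:
        raise ValueError("CRL must carry both lastUpdate and nextUpdate")
    return found["lastUpdate"], found["nextUpdate"]


def elapsed_pct(last_update, next_update, now):
    """Percentage of the CRL validity period that has elapsed at `now`."""
    total = (next_update - last_update).total_seconds()
    if total <= 0:
        raise ValueError("nextUpdate must be later than lastUpdate")
    return (now - last_update).total_seconds() / total * 100


def evaluate(openssl_output, now, pct_critical=95):
    """Return (elapsed percentage, result) for a full or delta CRL."""
    last_update, next_update = parse_crl_dates(openssl_output)
    pct = elapsed_pct(last_update, next_update, now)
    # Assumption: "exceeds" is strict; an already expired CRL (>100%) is also critical.
    return round(pct, 1), "critical" if pct > pct_critical else "ok"


# Constructed sample: a CRL valid for 72 hours.
SAMPLE = "lastUpdate=May  1 00:00:00 2024 GMT\nnextUpdate=May  4 00:00:00 2024 GMT\n"

if __name__ == "__main__":
    for label, now in [
        ("mid-period", datetime(2024, 5, 2, 12, 0, tzinfo=timezone.utc)),
        ("near expiry", datetime(2024, 5, 3, 21, 0, tzinfo=timezone.utc)),
    ]:
        print(label, evaluate(SAMPLE, now))
```

With the default threshold of 95, a 72-hour CRL leaves a window of about 3.6 hours between the Critical finding and actual expiry, which is the figure to weigh when adjusting the percentage.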

#### Recommended Actions

1. Enable CRL auto-rebuild to ensure CRLs are automatically regenerated before expiry:

   ```bash
   vhsm write <mount>/config/crl auto_rebuild=true
   ```
2. Review and adjust critical thresholds to match your operational needs.
3. Ensure Delta CRLs are consistently maintained, especially in security-sensitive deployments.
