Configure the following Certificate Revocation List (CRL) configuration parameters.

Mandatory: When Certificates Source is CRL.

Use SN Lists

(tick) to use certificate serial number lists, (error) otherwise. Set this value to (tick) when selecting one of the following profile identifiers in the OCSP Responder tab.

  • SNListProfile
  • SNListProfileWithArchiveCutOff 

Validation Authority will pull a serial number list and return the following status for certificates.

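| Certificate status | The certificate is in the CRL | The certificate is in the SNL |
|--------------------|-------------------------------|-------------------------------|
| good               |                               | (tick)                        |
| revoked            | (tick)                        | (tick)                        |
| unknown            |                               |                               |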

Mandatory: Yes.

CRL Host Server

The type of server hosting the CRL.

  • HTTP
  • LDAP

Mandatory: Yes.

CRL warning time

The period during which to enable the expiration warning for the last processed CRL. When the time remaining before the CRL expiration is shorter than this parameter value, the CRLExpirationWarning metric is set to 1.

Mandatory: No. This optional value defaults to 4 hours.

Wait on error duration

The waiting time before retrying a failed connection with the CRL server, the Status Feeder internal service or the serial number list server.

Mandatory: No. This optional value defaults to "5s".

Wait to pull certs duration

The period between:

  • The last upload of the CRL data into the database.
  • The next request to the CRL server. 

When Use SN Lists is (tick), Validation Authority will pull the CRL and the serial number list.

Mandatory: Yes.