Certificate Management Service provides the certificate revocation list (CRL) feature. You can use the feature to view information about the certificates that a certificate authority (CA) has revoked. This topic describes how to enable the CRL feature and how to view and obtain a CRL.

Limits

  • The CRL feature is supported only by intermediate CAs that issue client or server certificates.
  • The CRL feature is not supported by CAs that are enabled by uploading CA certificate files and private key files.

Usage notes

Before you enable the CRL feature, take note of the following items:
  • You can enable the CRL feature only when you enable a CA. If you want to enable the CRL feature after a CA is enabled, contact Alibaba Cloud technical support, or join the DingTalk group numbered 32435999 to consult technical experts.
  • If a CA for which the CRL feature is enabled is revoked, the CRL of the CA is no longer updated after the revocation.
  • If a CA for which the CRL feature is enabled expires or is deleted, the CRL of the CA is no longer updated and cannot be accessed after the expiration or deletion.
  • A certificate that is issued by calling an operation in OpenAPI Explorer does not have the cRLDistributionPoints extension.

Enable the CRL feature

You can enable the CRL feature only when you enable an intermediate CA.

  1. Log on to the Certificate Management Service console.
  2. In the left-side navigation pane, click Private Certificates.
  3. On the Private Certificates page, click the Private CAs tab. Find the private intermediate CA that you want to enable and click Enabled in the Actions column.
  4. In the CA Information panel, click the Enable icon to enable the CRL feature.
    For more information about the parameters that are required to enable a private CA, see Purchase and enable a private CA.

View the status of the CRL feature

  1. Log on to the Certificate Management Service console.
  2. In the left-side navigation pane, click Private Certificates.
  3. On the Private Certificates page, click the Private CAs tab. Find the intermediate CA that you want to manage and click Details in the Actions column.
  4. In the Details panel, view the value of the CRL Status parameter.

Obtain the most recent CRL

This section describes the methods that you can use to obtain the most recent CRL of a CA. If the CA does not support the CRL feature or the CRL feature is not enabled for the CA, you cannot obtain the CRL of the CA.

Obtain the CRL in the Certificate Management Service console

  1. Log on to the Certificate Management Service console.
  2. In the left-side navigation pane, click Private Certificates.
  3. On the Private Certificates page, click the Private CAs tab. Find the intermediate CA that you want to manage and click Download CRL in the Actions column.

Obtain the CRL in the cRLDistributionPoints extension of a client or server certificate

You can directly access the URL that is specified in the cRLDistributionPoints extension of a certificate to download the most recent CRL of the intermediate CA that issued the certificate. The cRLDistributionPoints extension is defined in RFC 5280. A certificate that is issued by calling an operation in OpenAPI Explorer does not have this extension, so this method does not apply to such a certificate.
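The following script is an added example, not code from Alibaba Cloud or Certificate Management Service. It shows what a relying party does with a CRL: read the URL out of a certificate's cRLDistributionPoints extension, check that the CRL was signed by the issuing CA before trusting it, and then look the certificate's serial number up in the list. It assumes the Python cryptography library; the intermediate CA, the client certificates, the CRL and the distribution point URL are all constructed inside the script so that it runs offline (in practice the CRL bytes come from a GET on that URL).

```python
import datetime
from cryptography import x509
from cryptography.x509.oid import ExtensionOID, NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec

NOW = datetime.datetime(2024, 1, 1, tzinfo=datetime.timezone.utc)  # constructed clock
CRL_URL = "http://crl.example.invalid/intermediate.crl"  # placeholder, not a real endpoint

def make_ca():  # throwaway self-signed CA standing in for the private intermediate CA
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Intermediate CA")])
    cert = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(NOW).not_valid_after(NOW + datetime.timedelta(days=3650))
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert

def issue_leaf(ca_key, ca_cert, cn):  # client certificate with a cRLDistributionPoints extension
    cdp = x509.CRLDistributionPoints([x509.DistributionPoint(
        [x509.UniformResourceIdentifier(CRL_URL)], None, None, None)])  # full_name only
    return (x509.CertificateBuilder()
            .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)]))
            .issuer_name(ca_cert.subject)
            .public_key(ec.generate_private_key(ec.SECP256R1()).public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(NOW).not_valid_after(NOW + datetime.timedelta(days=365))
            .add_extension(cdp, critical=False).sign(ca_key, hashes.SHA256()))

def build_crl(ca_key, ca_cert, revoked_serials):  # what the CA would publish at CRL_URL
    builder = (x509.CertificateRevocationListBuilder().issuer_name(ca_cert.subject)
               .last_update(NOW).next_update(NOW + datetime.timedelta(days=7)))
    for serial in revoked_serials:
        builder = builder.add_revoked_certificate(
            x509.RevokedCertificateBuilder().serial_number(serial).revocation_date(NOW).build())
    return builder.sign(ca_key, hashes.SHA256())

def crl_urls(cert):  # URIs from cRLDistributionPoints (RFC 5280 section 4.2.1.13), [] if absent
    try:
        ext = cert.extensions.get_extension_for_oid(ExtensionOID.CRL_DISTRIBUTION_POINTS)
    except x509.ExtensionNotFound:
        return []  # e.g. a certificate issued through OpenAPI Explorer has no such extension
    return [name.value for dp in ext.value for name in (dp.full_name or [])
            if isinstance(name, x509.UniformResourceIdentifier)]

def is_revoked(cert, crl, ca_cert):  # trust the CRL only if the issuing CA signed it
    if not crl.is_signature_valid(ca_cert.public_key()):
        raise ValueError("CRL signature does not verify against the issuing CA")
    return crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None
```

A CRL is only as good as the key that signed it, which is why the signature check comes before the serial lookup, and why a CRL whose nextUpdate has passed should be refetched rather than reused.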

Obtain the CRL by calling an operation

You can call the DescribeCACertificate operation to obtain the CRL of a CA and obtain the URL to the CRL from the Certificate.CrlUrl response parameter. For more information, see DescribeCACertificate.