When a private certificate authority (CA) issues a certificate that is later compromised or must be invalidated before its expiration date, you need a reliable way to communicate that revocation to clients. Certificate Management Service supports certificate revocation lists (CRLs) for private CAs, giving clients a distributable, standards-based mechanism to reject revoked certificates immediately.
This topic explains how to enable CRL, check its status, and retrieve the latest CRL.
Limitations
Before enabling CRL, verify that your setup meets the following requirements:
| Limitation | Detail |
|---|---|
| CA creation method | CAs enabled by uploading CA certificate files and private key files do not support CRL |
| Enablement window | CRL can only be enabled when you enable a CA. To add CRL to an existing CA, contact your account manager |
| OpenAPI Explorer certificates | Certificates issued through OpenAPI Explorer do not include the cRLDistributionPoints extension |
CRL update behavior
| Condition | Effect |
|---|---|
| A certificate is revoked | The CRL of the issuing CA stops updating |
| A certificate expires or is deleted | The CRL of the issuing CA stops updating and becomes inaccessible |
Enable CRL
CRL can only be enabled when enabling a root CA or an intermediate CA.
1. Log on to the Certificate Management Service console.
2. In the left-side navigation pane, choose Certificate Management > PCA Certificate Management. Select the region where your PCA resides.
3. On the Private CAs tab, find the CA and click Enable in the Actions column.
4. In the CA Information panel, click the icon to enable CRL.
For details about CA parameters, see Purchase and enable a private CA.
View CRL status
1. Log on to the Certificate Management Service console.
2. In the left-side navigation pane, choose Certificate Management > PCA Certificate Management. Select the region where your PCA resides.
3. On the Private CAs tab, find the CA and click the icon > Details in the Actions column.
4. In the Details panel, check the CRL Status value.
Retrieve the latest CRL
If the CA does not support CRL or CRL is not enabled, retrieval is unavailable.
From the console
1. Log on to the Certificate Management Service console.
2. In the left-side navigation pane, choose Certificate Management > PCA Certificate Management. Select the region where your PCA resides.
3. On the Private CAs tab, find the CA and click the icon > Download CRL in the Actions column.
From the cRLDistributionPoints extension
Access the URL in the cRLDistributionPoints extension of a client or server certificate. This returns the latest CRL file for the intermediate CA that issued the certificate. The cRLDistributionPoints extension is defined in RFC 5280.
From the API
Call the DescribeCACertificate operation and get the CRL URL from the Certificate.CrlUrl response parameter. For details, see DescribeCACertificate.
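Whichever route delivers the CRL (console download, the cRLDistributionPoints URL, or the CrlUrl returned by DescribeCACertificate), a client must not act on it until it has confirmed that the issuing CA signed it and that it is still within its thisUpdate/nextUpdate window; the second check is what catches a CRL that has stopped updating. The Go program below is an added example, not code from Certificate Management Service or its documentation: it builds a throwaway private CA and a CRL as a constructed fixture (serial 4242 and the CA name are made up), then validates the CRL before looking up a serial number. In practice the serial comes from the certificate being validated (`cert.SerialNumber`) and the CRL bytes from the URL in its cRLDistributionPoints extension.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"slices"
	"time"
)

// checkAgainstCRL accepts crlDER only if issuer signed it and it is current at now,
// then reports whether serial is listed as revoked. Any error means "do not trust".
func checkAgainstCRL(serial *big.Int, issuer *x509.Certificate, crlDER []byte, now time.Time) (bool, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return false, err
	}
	if err := crl.CheckSignatureFrom(issuer); err != nil { // CRL not signed by the issuing CA
		return false, fmt.Errorf("CRL signature: %w", err)
	}
	if now.Before(crl.ThisUpdate) || now.After(crl.NextUpdate) { // stale CRL: fetch the latest one
		return false, fmt.Errorf("CRL not current (valid %s to %s)", crl.ThisUpdate, crl.NextUpdate)
	}
	return slices.ContainsFunc(crl.RevokedCertificateEntries, func(e x509.RevocationListEntry) bool {
		return e.SerialNumber.Cmp(serial) == 0
	}), nil
}

// buildFixture constructs a throwaway self-signed private CA and a CRL that revokes
// serial 4242 (constructed test data, not a real PCA or CRL).
func buildFixture() (*x509.Certificate, []byte) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	now := time.Now()
	caTpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Private CA"},
		NotBefore: now, NotAfter: now.Add(24 * time.Hour), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	caDER, _ := x509.CreateCertificate(rand.Reader, caTpl, caTpl, &caKey.PublicKey, caKey)
	ca, _ := x509.ParseCertificate(caDER)
	crlTpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(time.Hour),
		RevokedCertificateEntries: []x509.RevocationListEntry{{SerialNumber: big.NewInt(4242), RevocationTime: now}}}
	crlDER, _ := x509.CreateRevocationList(rand.Reader, crlTpl, ca, caKey)
	return ca, crlDER
}

func main() {
	ca, crlDER := buildFixture()
	revoked, err := checkAgainstCRL(big.NewInt(4242), ca, crlDER, time.Now())
	fmt.Println("revoked:", revoked, "err:", err)
}
```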