CRL configuration facts
When a certificate is presented while a CRL download is in progress and that the cached CRL has become stale or is not present, the acceptation or rejection of the certificate is subject to the policy enforcement of CRL configuration.
When a CRL becomes stale, for example if the current time is ahead of the
nextUpdateTime
of the CRL, the CRL is deleted immediately.Once a successful TLS connection is established, even if the server certificate is revoked at a later time, the connection continues to exist until a renegotiation happens.
If a CRL download fails due to any reason (for example, the server is not reachable or the memory is not available), an event is recorded in the system log with the failure reason. Once you have resolved the failure issue, you must initiate a download.
You can download only one CRL at a time. If you initiate a request to fetch a CRL while a CRL download is already in progress, your request will be rejected.
The Cumulative Maximum storage allowed for CRLs in flash is 1 MB.
Only two CRL files are allowed in the system. Any fetch request beyond this limit is rejected and logged appropriately.
CRL fetch is supported only via LDAP. The CRL downloaded is of DER (binary) format.
If you delete an installed root-certificate when a CRL download for that profile is already in progress, the download will be uninterrupted. The downloaded CRL thereafter will be deleted once its lifetime expires (becomes stale).
When you configure a CRL URL for a given TA profile, it takes priority over the CDP server settings mentioned in the certificate.
You can configure two URLs per CRL/CDP LDAP servers and OCSP responders.
Standard TCP timeouts are applicable during CRL fetch or OCSP status fetch.
CRLs are also written into the non-volatile memory so that when a device reboots or failover and previously had a valid CRL, it will automatically be loaded from the non-volatile memory avoiding a re-fetch of the CRL. In addition, for every 24 hour period (per CRL file), a given CRL file is updated into the flash memory if there is any recent update to the last written state.