About certificate revocation lists
Certificate revocation list (CRL) management settings are under Optimization > SSL: CRL Management. Configure on server-side appliances.
CRL management settings for common CAs
CRLs are lists of digital certificates that have been revoked by their Certificate Authorities (CAs) before their expiration dates and should no longer be trusted. CAs issue digitally signed CRLs on a regular basis, and users can retrieve them as needed. These lists are often made available through CRL Distribution Points (CDPs).
Regularly checking CRLs helps maintain the integrity and security of digital certificates. To support this, you can enable polling on your appliance so it automatically checks CRLs during certificate handshake verifications and regularly checks for updates.
Polling can be enabled for:
• common and configured CAs listed under Optimization > SSL: Certificate Authorities
• peer CAs listed under Optimization > SSL: Secure Peering (SSL)
You can also choose to make handshakes fail if the appliance can’t find the required CRL. This setting applies to both common and peering CAs.
When CRL distribution points are discovered automatically, they’re added to a list where you can view detailed information like URIs, CRL details, and access history. You can also manually override any CDP information. Keep in mind, not all CAs use CDPs, so only a subset of CAs will appear in this list.
Similarly, automatically discovered CRLs are also added to a list, and you can manually manage these entries by selecting or removing them as needed.