Configuring Certificate Revocation Lists for a Managed CA
To manage the CRLs of a managed CA, you first need to set up a CRL Policy:
1. Log in to the Stream Administration Interface.
2. Go to Certification Authorities > Managed CAs and click the button next to the name of the CA whose CRL policy you want to edit.
3. Go under the CRL/OCSP tab.
4. First, define the validity period of your CRL, i.e. the period of time during which the CRL is considered valid. The countdown starts at the moment the CRL is generated. If you want your CRLs to be valid for a week, type 7 days.
5. You can then automate CRL generation using the Hard CRL generation, the Lazy CRL generation, or both in combination:
- The Hard CRL generation parameter takes a cron expression in Quartz format and generates a CRL every time the expression fires, unconditionally. It is recommended to generate the CRLs every day. To generate a new CRL every day at 1 A.M., the cron expression is: 0 0 1 * * ?
- The Lazy CRL generation parameter takes a cron expression in Quartz format and, every time the expression fires, checks whether the CRL needs to be updated, i.e. whether a certificate has been revoked since the last CRL generation. If so, a new CRL is generated; otherwise nothing happens. It is recommended to use a short interval for the lazy generation so that the CRL always stays up to date. To check for possible CRL updates every 5 minutes, the cron expression is: 0 0/5 * * * ?

6. Click the Save button at the top of the page.
Now your CRL policy has been configured, and you’ve been redirected to the Managed CAs page.
You can then manually generate the CA’s first CRL using the button next to the name of the CA you just configured.
If you configured the Hard or the Lazy generation, your CRL will then be updated automatically according to the Quartz cron expression you specified.
7. Additionally, if you want to push the CRL to other storages, click on the managed CA:
7.1 In the Configuration tab, select one or several previously created external storages from the drop-down menu:
- On CRL generation: triggered every time a new CRL is generated (manually or by the schedule configured at step 5).
- On CRL sync: triggered every 15 minutes to ensure the CRL on the storage is up to date, pushing the new one if needed.
7.2 Click the Save button at the top.
The CRL should now also be pushed to the other storages. Note that the CRL remains accessible from the standard Stream CRLDP.
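The validity period from step 4 and the Hard generation schedule from step 5 must fit together: if the schedule can leave a gap longer than the validity period, relying parties will see an expired CRL until the next run. The script below is an added check, not part of Stream or its documentation; it evaluates a Quartz expression over a 35-day window (enough to expose monthly patterns) and assumes only the Quartz subset used on this page (literal seconds, `*`, `?`, `a-b`, `a/b`, comma lists), with the 15-minute storage sync from step 7.1 reserved as a margin.

```python
from datetime import datetime, timedelta

def _matches(field, value, lo, hi):
    """True if one Quartz field (e.g. '0/5', '1', '*', '?', '1,3', '2-4') covers value."""
    if field in ("*", "?"):
        return True
    for part in field.split(","):
        step = 1
        if "/" in part:
            part, step = part.split("/")
            step = int(step)
        if part == "*":
            start, end = lo, hi
        elif "-" in part:
            start, end = (int(x) for x in part.split("-"))
        else:
            start = int(part)
            end = hi if step > 1 else start  # Quartz 'a/b' runs from a up to the field maximum
        if start <= value <= end and (value - start) % step == 0:
            return True
    return False

def fires_at(expr, t):
    """Does a Quartz expression 'sec min hour dom month dow' fire at datetime t?"""
    sec, minute, hour, dom, month, dow = expr.split()[:6]
    return (_matches(sec, t.second, 0, 59) and _matches(minute, t.minute, 0, 59)
            and _matches(hour, t.hour, 0, 23) and _matches(dom, t.day, 1, 31)
            and _matches(month, t.month, 1, 12)
            and _matches(dow, t.isoweekday() % 7 + 1, 1, 7))  # Quartz: 1=SUN .. 7=SAT

def max_gap(expr, start=datetime(2024, 1, 1), horizon=timedelta(days=35)):
    """Longest interval between consecutive firings within the horizon (minute resolution)."""
    sec = expr.split()[0]
    if not sec.isdigit():
        raise ValueError("this checker needs a literal seconds field, e.g. '0 0 1 * * ?'")
    t, end = start.replace(second=int(sec), microsecond=0), start + horizon
    last, worst = None, timedelta(0)
    while t < end:
        if fires_at(expr, t):
            if last is not None:
                worst = max(worst, t - last)
            last = t
        t += timedelta(minutes=1)
    return worst

def policy_ok(validity_days, hard_cron, sync_margin=timedelta(minutes=15)):
    """True if every CRL is regenerated, and synced to external storages, before it expires."""
    return max_gap(hard_cron) + sync_margin < timedelta(days=validity_days)
```

With a 7-day validity, the daily `0 0 1 * * ?` schedule passes, while a monthly schedule such as `0 0 1 1 * ?` fails because the CRL would expire three weeks before the next generation.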