Configuring Key Revocation Lists for a Managed CA

To manage the KRLs of a managed CA, you first need to set up a KRL Policy:

1. Log in to the Stream Administration Interface.

2. Go to OpenSSH > Certification Authorities and click the edit icon (edit_external_ca) next to the name of the CA whose KRL policy you want to edit.

3. Define the validity period of your KRL, i.e. the period of time during which the KRL is considered valid. The countdown starts at the moment the KRL is generated. If you want your KRLs to be valid for a week, type 7 days.

4. You can then automate KRL generation using Hard KRL generation, Lazy KRL generation, or both in combination:

  • The Hard KRL generation parameter takes a cron expression in Quartz format and generates the KRL every time the expression fires, unconditionally. It is recommended to generate the KRLs every day. To generate a new KRL every day at 1 A.M., the cron expression is: 0 0 1 * * ?

  • The Lazy KRL generation parameter takes a cron expression in Quartz format and, every time the expression fires, checks whether the KRL needs to be updated, i.e. whether a certificate has been revoked since the last KRL generation. If so, a new KRL is generated; otherwise nothing happens. It is recommended to use a short interval for lazy generation so that the KRL always stays up to date. To check for possible KRL updates every 5 minutes, the cron expression is: 0 0/5 * * * ?

5. Click the Save button at the top of the page.

Your KRL policy is now configured, and you are redirected to the Managed CAs page.

You can then manually generate the CA’s first KRL using the generate_krl button next to the name of the CA you just configured. If you configured Hard or Lazy generation, the KRL will from then on be updated automatically according to the Quartz cron expression you specified.
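The interplay between the validity period, the hard schedule and the lazy schedule is easiest to see in a small simulation. The following Python is an added illustration, not Stream's own code: it implements the subset of Quartz cron matching needed for the expressions above, a hypothetical KrlPolicy class that models how the two schedules decide whether to regenerate, and a one-day run with the recommended settings (7-day validity, hard generation at 1 A.M., lazy checks every 5 minutes) plus one constructed revocation at 10:07. How Stream evaluates the policy internally is not described on this page; the class, the once-per-second tick and the sample date and serial are assumptions.

```python
"""Model of a managed-CA KRL policy: hard (unconditional) and lazy
(revocation-triggered) generation driven by Quartz cron expressions, plus the
validity-period check. Added illustration, not Stream's own code."""
from datetime import datetime, timedelta
from typing import List, Optional, Tuple
# Allowed range of the six Quartz fields: sec, min, hour, day-of-month, month, day-of-week
FIELD_RANGES = [(0, 59), (0, 59), (0, 23), (1, 31), (1, 12), (1, 7)]


def _field_matches(field: str, value: int, lo_default: int, hi_default: int) -> bool:
    """Match one Quartz field. Assumption: only *, ?, n, a-b, a/b, */b and comma
    lists are handled, which covers the schedules used in the procedure above."""
    for part in field.split(","):
        if part in ("*", "?"):
            return True
        step = 1
        if "/" in part:
            part, step_text = part.split("/", 1)
            step = int(step_text)
            if part == "*":
                lo, hi = lo_default, hi_default
            elif "-" in part:
                lo, hi = (int(x) for x in part.split("-", 1))
            else:
                lo, hi = int(part), hi_default  # "0/5" means "from 0, every 5"
        elif "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
        else:
            lo = hi = int(part)
        if lo <= value <= hi and (value - lo) % step == 0:
            return True
    return False


def quartz_matches(expr: str, when: datetime) -> bool:
    """True if the Quartz expression fires at the given second."""
    fields = expr.split()
    if len(fields) not in (6, 7):  # the optional 7th field (year) is ignored here
        raise ValueError(f"expected 6 or 7 Quartz fields: {expr!r}")
    dow = when.isoweekday() % 7 + 1  # Quartz day-of-week: 1 = Sunday ... 7 = Saturday
    values = [when.second, when.minute, when.hour, when.day, when.month, dow]
    return all(_field_matches(f, v, lo, hi)
               for f, v, (lo, hi) in zip(fields[:6], values, FIELD_RANGES))


def fires_at(expr: str, iso_timestamp: str) -> bool:
    """Does the expression fire at this ISO 8601 timestamp?"""
    return quartz_matches(expr, datetime.fromisoformat(iso_timestamp))


class KrlPolicy:
    """Hypothetical policy model; a scheduler is assumed to call tick() every second."""

    def __init__(self, validity: timedelta, hard_cron: Optional[str] = None, lazy_cron: Optional[str] = None) -> None:
        self.validity = validity
        self.hard_cron = hard_cron
        self.lazy_cron = lazy_cron
        self.last_generated: Optional[datetime] = None
        self.pending_revocations: List[str] = []  # serials revoked since the last KRL
        self.generations: List[Tuple[datetime, str]] = []  # (time, reason) log

    def generate(self, when: datetime, reason: str) -> None:
        """Produce a new KRL; every pending revocation is now published."""
        self.last_generated = when
        self.pending_revocations.clear()
        self.generations.append((when, reason))

    def revoke(self, serial: str) -> None:
        """Record a revocation; the next lazy check will pick it up."""
        self.pending_revocations.append(serial)

    def tick(self, now: datetime) -> None:
        """Hard generation fires unconditionally; lazy only if something was revoked."""
        if self.hard_cron and quartz_matches(self.hard_cron, now):
            self.generate(now, "hard")
        elif self.lazy_cron and quartz_matches(self.lazy_cron, now) and self.pending_revocations:
            self.generate(now, "lazy")

    def is_valid(self, now: datetime) -> bool:
        """A KRL is valid from its generation until the validity period has elapsed."""
        return self.last_generated is not None and now < self.last_generated + self.validity

    def is_valid_at(self, iso_timestamp: str) -> bool:
        return self.is_valid(datetime.fromisoformat(iso_timestamp))

    def log(self) -> List[str]:  # generation log as "HH:MM reason" strings
        return [f"{when:%H:%M} {reason}" for when, reason in self.generations]


def simulate_day(revocation_minute: int = 10 * 60 + 7) -> KrlPolicy:
    """Run the policy from the procedure (7-day validity, hard at 01:00, lazy every
    5 minutes) over one constructed day with a single revocation at the given minute."""
    policy = KrlPolicy(timedelta(days=7), hard_cron="0 0 1 * * ?", lazy_cron="0 0/5 * * * ?")
    start = datetime(2024, 1, 1)  # constructed date
    policy.generate(start, "manual")  # first KRL is generated by hand (generate_krl button)
    for minute in range(1, 24 * 60):  # both schedules fire at second 0, so minute ticks suffice
        now = start + timedelta(minutes=minute)
        if minute == revocation_minute:
            policy.revoke("serial-0042")  # constructed serial number
        policy.tick(now)
    return policy
```

Running simulate_day().log() gives three generations: 00:00 manual, 01:00 hard and 10:10 lazy. The revocation made at 10:07 is only published at 10:10, so the lazy interval bounds how long a revoked certificate stays accepted by hosts that fetch every new KRL, while the validity period bounds how long a host may keep trusting a KRL it already holds; keeping the hard interval (a day) well below the validity period (a week) is what lets a host detect a stale KRL before it expires.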