# Enabling CRL

{% hint style="danger" %}
You do **NOT** need to enable CRL for SCEPman. By default, SCEPman uses OCSP for revocation.
{% endhint %}

SCEPman primarily relies on OCSP to check a certificate's revocation status, as OCSP allows for real-time revocation, making it the ideal protocol for dynamic working environments. In contrast, CRL operates on scheduled updates, which limits its effectiveness in time-sensitive scenarios.

However, CRL continues to be useful for legacy systems and applications, or as a fallback when OCSP is not available.

{% hint style="warning" %}
The CRL will not contain certificates that have been auto-revoked, only certificates that have been explicitly revoked in the Certificate Master.
{% endhint %}

## Guide

{% stepper %}
{% step %}

### Navigate to your Environment Variables

Azure > App Services > SCEPman App Service (not Certificate Master) > Settings > Environment Variables

<figure><img src="/files/nRaYyEBkUQL1MLeUyT7G" alt=""><figcaption></figcaption></figure>
{% endstep %}

{% step %}

### Add Environment Variables

Please note that Linux App Service Plans use a double underscore (\_\_) instead of a colon (:) as the separator. For example: AppConfig\_\_CRL\_\_RequestToken

<table><thead><tr><th width="247">Setting</th><th width="291">Description</th><th>Value</th></tr></thead><tbody><tr><td><a href="/pages/azLaw5q1suJZll8Tt6gO#appconfig-crl-requesttoken">AppConfig:CRL:RequestToken</a></td><td><p>Defines the URL of the CRL. The CRL is available in both DER and PEM format.</p><p><br><strong>DER</strong>: https://<em>yourscepman</em>.azurewebsites.net/crl/<strong>{RequestToken}</strong></p><p></p><p><strong>PEM:</strong> https://yourscepman.azurewebsites.net/crl/pem/<strong>{RequestToken}</strong><br><br>Example: https://<em>yourscepman</em>.azurewebsites.net/crl/12345678</p></td><td>24-character <em>string</em></td></tr><tr><td><a href="/pages/azLaw5q1suJZll8Tt6gO#appconfig-crl-source">AppConfig:CRL:Source</a></td><td>Connects the CRL to your Azure Storage account</td><td>Storage</td></tr><tr><td><a href="/pages/azLaw5q1suJZll8Tt6gO#appconfig-crl-addcdp">AppConfig:CRL:AddCdp</a></td><td>Adds a CRL Distribution Point to issued certificates</td><td>true</td></tr><tr><td><a href="/pages/azLaw5q1suJZll8Tt6gO#appconfig-crl-validitydays">AppConfig:CRL:ValidityDays</a></td><td>The number of days that an issued CRL is valid</td><td><em>Floating Point</em><br>Example: <em>0.1</em> days = 2.4 hours</td></tr></tbody></table>

<figure><img src="/files/WDkDqEIzNRZhvwaprGVh" alt=""><figcaption></figcaption></figure>
{% endstep %}

{% step %}

### Apply Environment Variables

Press Apply after Environment Variables have been added.

<figure><img src="/files/ck9USZ7LxabTj7vKVPXC" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/nSSD5RgeMIMmo7fNjWW6" alt=""><figcaption></figcaption></figure>
{% endstep %}

{% step %}

### Restart SCEPman App Service

New Environment Variables are applied after the SCEPman App Service is restarted.

<figure><img src="/files/PSljCOwJGWUivq99WL6m" alt=""><figcaption></figcaption></figure>
{% endstep %}

{% step %}

### Test CRL

Navigate to your CRL using the previously set Request Token in the format https\://*yourscepman*.azurewebsites.net/crl/**{RequestToken}**

<figure><img src="/files/1LFTPpB8KFS5Mp8CH6s6" alt=""><figcaption></figcaption></figure>

If set up correctly, your CRL will be downloaded:

<figure><img src="/files/tLGGjkZImv73GECgESi9" alt=""><figcaption></figcaption></figure>
{% endstep %}

{% step %}

### Use CRL with Applications or Systems

Once enabled, ensure your applications or systems are configured to check the CRL during certificate validation to prevent the use of revoked certificates. Some systems allow CRL as a fallback option in case OCSP is unavailable.

Other systems **only** allow CRL for revocation, such as CBA for Entra; please see our guide here:

{% content-ref url="/pages/n9Tix1OmppMKK19BvAcT" %}
[Certificate-based Authentication for Entra ID](/scepman-deployment/deployment-guides/scenarios/certificate-based-authentication-for-entra-id.md)
{% endcontent-ref %}
{% endstep %}
{% endstepper %}
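Added example, not part of SCEPman or this guide: a small Python reader for the CRL file downloaded in the Test CRL step. It parses the DER or PEM form, extracts thisUpdate/nextUpdate and the revoked serial numbers, and reports the CRL as stale once nextUpdate (thisUpdate plus ValidityDays) has passed, which is the check a relying system needs before trusting a cached copy. The embedded CRL is a constructed sample with empty algorithm identifier and issuer fields and a placeholder signature; the parser does not verify the signature, which a real client must still do against the SCEPman CA certificate.

```python
import base64, datetime as dt

def _tlv(data, pos):
    """Read one DER TLV starting at pos; return (tag, value, position after it)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def _children(seq):                                     # (tag, value) elements of a SEQUENCE body
    pos, out = 0, []
    while pos < len(seq):
        tag, val, pos = _tlv(seq, pos)
        out.append((tag, val))
    return out

def _time(tag, val):                                    # UTCTime (0x17) or GeneralizedTime (0x18)
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return dt.datetime.strptime(val.decode(), fmt).replace(tzinfo=dt.timezone.utc)

def parse_crl(blob):
    """Accept DER or PEM bytes; return thisUpdate, nextUpdate and the revoked serial numbers."""
    if blob.lstrip().startswith(b"-----BEGIN"):
        blob = base64.b64decode(b"".join(l for l in blob.splitlines() if not l.startswith(b"-----")))
    fields = _children(_children(_tlv(blob, 0)[1])[0][1])   # CertificateList -> tbsCertList
    if fields[0][0] == 0x02:                                  # optional version INTEGER
        fields = fields[1:]
    times = [f for f in fields if f[0] in (0x17, 0x18)]      # thisUpdate and optional nextUpdate
    rest = fields[2 + len(times):]                            # after signature, issuer and times
    revoked = [int.from_bytes(_children(e)[0][1], "big", signed=True)   # revokedCertificates entries
               for _, e in _children(rest[0][1])] if rest and rest[0][0] == 0x30 else []
    return {"thisUpdate": _time(*times[0]),
            "nextUpdate": _time(*times[1]) if len(times) > 1 else None, "revoked": revoked}

def crl_status(crl, serial, now):                       # 'stale' means: refetch before trusting it
    if crl["nextUpdate"] and now > crl["nextUpdate"]:
        return "stale"
    return "revoked" if serial in crl["revoked"] else "good"

# Constructed sample (not a real SCEPman CRL): v2, empty algorithm/issuer fields, thisUpdate 12:00Z,
# nextUpdate 2.4 h later (ValidityDays = 0.1), one revoked serial 0x1234, placeholder signature.
def _der(tag, c): return bytes([tag, len(c)]) + c       # short-form DER encoder; sample < 128 bytes
_T = lambda s: _der(0x17, s.encode())
SAMPLE_CRL = _der(0x30, _der(0x30, _der(0x02, b"\x01") + _der(0x30, b"") + _der(0x30, b"")
    + _T("240101120000Z") + _T("240101142400Z")
    + _der(0x30, _der(0x30, _der(0x02, b"\x12\x34") + _T("240101100000Z"))))
    + _der(0x30, b"") + _der(0x03, b"\x00"))
SAMPLE_CRL_PEM = b"-----BEGIN X509 CRL-----\n" + base64.encodebytes(SAMPLE_CRL) + b"-----END X509 CRL-----\n"
```

Point `parse_crl` at the bytes you fetched from /crl/{RequestToken} or /crl/pem/{RequestToken} and compare nextUpdate minus thisUpdate with the ValidityDays you configured.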

