search

Enabling CRL

A Certificate Revocation List (CRL) is a record that contains certificates that have been explicitly revoked.

triangle-exclamation

You do NOT need to enable CRL for SCEPman. By default, SCEPman uses OCSP for revocation.

SCEPman primarily relies on OCSP to check a certificates' revocation status as OCSP allows for real time revocation, making it the ideal protocol for dynamic working environments. In contrast, CRL operates on scheduled updates, limiting its effectiveness in time-sensitive scenarios.

However, CRL continues to be useful for legacy systems and application or as a fallback when OCSP is not available.

circle-exclamation

The CRL will not contain certificates that have been auto-revoked, only certificates that have been explicitly revoked in the Certificate Master

1

hashtag
Navigate to your Environment Variables

Azure > App Services > SCEPman App Service (not Certificate Master) > Settings > Environment Variables

2

hashtag
Add Environment Variables

Add the following Environment Variables:

Setting
Description
Value

AppConfig:CRL:RequestToken

Defines the URL of the CRL. The CRL is available in both DER and PEM

DER: https://yourscepman.azurewebsites.net/crl/{RequestToken}

PEM: https://yourscepman.azurewebsites.net/crl/pem/{RequestToken} Example: https://yourscepman.azurewebsites.net/crl/12345678

24 character string

AppConfig:CRL:Source

Connects the CRL to your Azure Storage account

Storage

AppConfig:CRL:AddCdp

Adds a CRL Distribution Point to issued certificates

true

AppConfig:CRL:ValidityDays

The numbers of days that an issued CRL is valid

Floating Point Example 0.1 days = 2.4 hours

3

hashtag
Apply Environment Variables

Press Apply after Environment Variables have been added.

4

hashtag
Restart SCEPman App Service

New Environment Variables are applied after the SCEPman App Service is restarted

5

hashtag
Test CRL

Navigate to your CRL using the previously set Request Token in the format of https://yourscepman.azurewebsites.net/crl/{RequestToken}

If setup correctly, your CRL will be downloaded:

6

hashtag
Use CRL with Applications or Systems

Once enabled, ensure your applications or systems are configured to check the CRL during certificate validation to prevent the use of revoked certificates. Some systems allow CRL as a fallback option in the case OCSP is unavailable

Other systems only allow CRL for revocation such as CBA for Entra, please see our guide here:

Certificate-based Authentication for Entra IDchevron-right

Last updated

Was this helpful?