Enabling CRL
A Certificate Revocation List (CRL) is a record that contains certificates that have been explicitly revoked.
You do NOT need to enable CRL for SCEPman. By default, SCEPman uses OCSP for revocation.
SCEPman primarily relies on OCSP to check a certificate's revocation status, as OCSP allows for real-time revocation, making it the ideal protocol for dynamic working environments. In contrast, CRL operates on scheduled updates, limiting its effectiveness in time-sensitive scenarios.
However, CRL continues to be useful for legacy systems and applications, or as a fallback when OCSP is not available.
The CRL will not contain certificates that have been auto-revoked, only certificates that have been explicitly revoked in the Certificate Master.
Add Environment Variables
Add the following Environment Variables:
CRL URL
    Defines the URL of the CRL. The CRL is available in both DER and PEM format:
    DER: https://yourscepman.azurewebsites.net/crl/{RequestToken}
    PEM: https://yourscepman.azurewebsites.net/crl/pem/{RequestToken}
    Example: https://yourscepman.azurewebsites.net/crl/12345678

Request token
    Value: a 24 character string

CRL validity
    The number of days that an issued CRL is valid.
    Value: floating point. Example: 0.1 days = 2.4 hours

Use CRL with Applications or Systems
Once enabled, ensure your applications or systems are configured to check the CRL during certificate validation to prevent the use of revoked certificates. Some systems allow CRL as a fallback option in case OCSP is unavailable.
Other systems, such as certificate-based authentication (CBA) for Entra, only allow CRL for revocation; please see our guide here:
Certificate-based Authentication for Entra ID
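The check an application should perform when it consumes the CRL described above, as an added example that is not SCEPman's own code: the CRL's issuer and signature are verified against the CA, its validity window (driven by the CRL validity setting) is enforced, and only then is the leaf's serial number looked up. A CA, two leaf certificates and a CRL are constructed inline so it runs offline; in use, the DER bytes would come from an HTTP GET of the CRL URL instead of build_fixtures().

```python
import datetime as dt
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

NOW = dt.datetime(2024, 1, 1, tzinfo=dt.timezone.utc)  # constructed clock for the offline run

def build_fixtures(validity_days=0.1):
    """Constructed test data: a CA, two leaf certs and a CRL that revokes serial 2 only.
    validity_days mirrors the CRL validity setting (0.1 days = 2.4 hours)."""
    ca_key = ec.generate_private_key(ec.SECP256R1())
    ca_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Constructed SCEPman CA")])
    ca = (x509.CertificateBuilder().subject_name(ca_name).issuer_name(ca_name)
          .public_key(ca_key.public_key()).serial_number(1000)
          .not_valid_before(NOW - dt.timedelta(days=1)).not_valid_after(NOW + dt.timedelta(days=365))
          .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
          .sign(ca_key, hashes.SHA256()))
    leaf_key = ec.generate_private_key(ec.SECP256R1())
    def leaf(serial):
        subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, f"device-{serial}")])
        return (x509.CertificateBuilder().subject_name(subject).issuer_name(ca_name)
                .public_key(leaf_key.public_key()).serial_number(serial)
                .not_valid_before(NOW - dt.timedelta(days=1)).not_valid_after(NOW + dt.timedelta(days=30))
                .sign(ca_key, hashes.SHA256()))

    issued = NOW - dt.timedelta(hours=1)
    revoked = x509.RevokedCertificateBuilder().serial_number(2).revocation_date(issued).build()
    crl = (x509.CertificateRevocationListBuilder().issuer_name(ca_name)
           .last_update(issued).next_update(issued + dt.timedelta(days=validity_days))
           .add_revoked_certificate(revoked).sign(ca_key, hashes.SHA256()))
    return ca, leaf(1), leaf(2), crl.public_bytes(serialization.Encoding.DER)

def _utc(crl, field):
    # cryptography >= 42 exposes aware *_utc properties; older releases only the naive UTC form
    value = getattr(crl, field + "_utc", None)
    return value if value is not None else getattr(crl, field).replace(tzinfo=dt.timezone.utc)

def check_revocation(ca, leaf, crl_der, now=NOW):
    """Return 'good', 'revoked', 'crl-stale' or 'crl-untrusted' for leaf against the DER CRL.
    A stale or untrusted CRL must never be read as 'good': fail closed and re-fetch instead."""
    crl = x509.load_der_x509_crl(crl_der)
    if crl.issuer != ca.subject or not crl.is_signature_valid(ca.public_key()):
        return "crl-untrusted"   # wrong issuer, or signature does not verify under the CA key
    if not (_utc(crl, "last_update") <= now < _utc(crl, "next_update")):
        return "crl-stale"       # outside the window set by the CRL validity setting
    if crl.get_revoked_certificate_by_serial_number(leaf.serial_number) is not None:
        return "revoked"
    return "good"
```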