Certificate Management Service provides the certificate revocation list (CRL) feature. You can use the feature to view the information about revoked certificate authority (CA) certificates. This topic describes how to enable the CRL feature and how to view and obtain a CRL.
Feature description
The CRL feature is not supported by CAs that are enabled by uploading CA certificate files and private key files.
Usage notes
Before you enable the CRL feature, take note of the following items:
You can enable the CRL feature only when you enable a CA. If you want to enable the CRL feature after a CA is enabled, contact your account manager.
If a certificate is revoked, the CRL of the CA from which the certificate is issued is no longer updated.
If a certificate expires or is deleted, the CRL of the CA from which the certificate is issued is no longer updated and cannot be accessed.
A certificate that is issued by calling an operation in OpenAPI Explorer does not have the cRLDistributionPoints extension.
Enable the CRL feature
You can enable the CRL feature only when you enable a root CA or an intermediate CA.
Log on to the Certificate Management Service console.
In the left-side navigation pane, choose . On the PCA Certificate Management page, select the region where your PCA resides.
On the Private CAs tab, find the required private CA and click Enable in the Actions column.
In the CA Information panel, click the icon to enable the CRL feature.
For more information about the parameters that are required to enable a private CA, see Purchase and enable a private CA.
View the status of the CRL feature
Log on to the Certificate Management Service console.
In the left-side navigation pane, choose . On the PCA Certificate Management page, select the region where your PCA resides.
On the Private CAs tab, find the required CA and click in the Actions column.
In the Details panel, view the value of the CRL Status parameter.
Obtain the most recent CRL
This section describes the methods that you can use to obtain the most recent CRL of a CA. If the CA does not support the CRL feature or the CRL feature is not enabled for the CA, you cannot obtain the CRL of the CA.
Obtain the CRL in the Certificate Management Service console
Log on to the Certificate Management Service console.
In the left-side navigation pane, choose . On the PCA Certificate Management page, select the region where your PCA resides.
On the Private CAs tab, find the required CA and click in the Actions column.
Obtain the CRL in the cRLDistributionPoints extension of a client or server certificate
You can directly access the URL that is specified in the cRLDistributionPoints extension of a certificate to obtain the file of the most recent CRL of the intermediate CA that issues the certificate. The cRLDistributionPoints extension is defined in RFC 5280.
Obtain the CRL by calling an operation
You can call the DescribeCACertificate operation to obtain the CRL of a CA and obtain the URL to the CRL from the Certificate.CrlUrl response parameter. For more information, see DescribeCACertificate.
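The following added example (not part of the original documentation) reads the CRL URL from a certificate's cRLDistributionPoints extension, handles certificates that lack the extension (as noted for certificates issued through OpenAPI Explorer), and checks a certificate against a CRL after verifying the CRL signature. It assumes the third-party Python `cryptography` package; the CA, the certificates, the URL, and the CRL are constructed in memory as sample data.

```python
import datetime as dt
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtensionOID, NameOID

def crl_urls(cert):
    """Return the URIs in cRLDistributionPoints, or [] if the extension is absent."""
    try:
        ext = cert.extensions.get_extension_for_oid(ExtensionOID.CRL_DISTRIBUTION_POINTS)
    except x509.ExtensionNotFound:
        return []  # caller falls back to the URL from Certificate.CrlUrl
    return [n.value for dp in ext.value for n in (dp.full_name or [])
            if isinstance(n, x509.UniformResourceIdentifier)]

def is_revoked(cert, crl, ca_cert):
    """Check cert against a CRL, but only after the CRL verifies under the CA key."""
    if not crl.is_signature_valid(ca_cert.public_key()):
        raise ValueError("CRL signature does not verify against the CA key")
    return crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None

# --- constructed sample data: throwaway CA, two leaf certificates, one CRL ---
NOW = dt.datetime(2024, 1, 1)
CA_CN = "Example Sub CA"                              # hypothetical CA name
CRL_URL = "http://crl.example.invalid/sub-ca.crl"     # hypothetical URL

def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def _cert(subject, pub, signer, url=None):
    b = (x509.CertificateBuilder().subject_name(_name(subject)).issuer_name(_name(CA_CN))
         .public_key(pub).serial_number(x509.random_serial_number())
         .not_valid_before(NOW).not_valid_after(NOW + dt.timedelta(days=365)))
    if url:
        dp = x509.DistributionPoint([x509.UniformResourceIdentifier(url)], None, None, None)
        b = b.add_extension(x509.CRLDistributionPoints([dp]), critical=False)
    return b.sign(signer, hashes.SHA256())

def build_demo():
    ca_key = ec.generate_private_key(ec.SECP256R1())
    leaf_pub = ec.generate_private_key(ec.SECP256R1()).public_key()
    ca = _cert(CA_CN, ca_key.public_key(), ca_key)
    with_cdp = _cert("a.example", leaf_pub, ca_key, CRL_URL)
    without_cdp = _cert("b.example", leaf_pub, ca_key)   # no extension
    revoked = (x509.RevokedCertificateBuilder().serial_number(with_cdp.serial_number)
               .revocation_date(NOW).build())
    crl = (x509.CertificateRevocationListBuilder().issuer_name(ca.subject)
           .last_update(NOW).next_update(NOW + dt.timedelta(days=7))
           .add_revoked_certificate(revoked).sign(ca_key, hashes.SHA256()))
    return ca, with_cdp, without_cdp, crl
```

For a real CRL file, load it with `x509.load_der_x509_crl` or `x509.load_pem_x509_crl`, depending on its encoding, before passing it to `is_revoked`.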