PKI Server CA CRL CLI

Endi S. Dewata edited this page Aug 23, 2023 · 6 revisions

Overview

The pki-server ca-crl-* commands provide an interface for managing the CRL configuration in the CA.

Availability: Since PKI 11.5.

Displaying CRL Configuration

$ pki-server ca-crl-show
  Page Size: 100

Listing CRL Issuing Points

$ pki-server ca-crl-ip-find
  ID: MasterCRL
  Description: CA's complete Certificate Revocation List
  Class: com.netscape.ca.CRLIssuingPoint
  Enable: true

Displaying CRL Issuing Point Configuration

$ pki-server ca-crl-ip-show MasterCRL
  ID: MasterCRL
  Description: CA's complete Certificate Revocation List
  Class: com.netscape.ca.CRLIssuingPoint
  Enable: true
  Allow Extensions: true
  Always Update: false
  Auto Update Interval (minutes): 240
  CA Certs Only: false
  Cache Update Interval (minutes): 15
  Unexpected Exception Wait Time (minutes): 30
  Unexpected Exception Loop Max: 10
  Daily Updates: 1:00
  Enable CRL Cache: true
  Enable CRL Updates: true
  Enable Cache Testing: false
  Enable Cache Recovery: true
  Enable Daily Updates: true
  Enable Update Interval: true
  Extended Next Update: true
  Include Expired Certs: false
  Min Update Interval (minutes): 0
  Next Update Grace Period (minutes): 0
  Publish On Start: false
  Save Memory: false
  Signing Algorithm: SHA256withRSA
  Update Schema: 1
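
An added example (not part of the original wiki page or the Dogtag project): a POSIX shell check that parses the "Label: value" report printed by pki-server ca-crl-ip-show and flags settings that weaken revocation publishing. The function names, the constructed sample input, the 1440-minute ceiling and the weak-algorithm list are assumptions of this example.

```bash
# Added example: audit the "Label: value" report printed by ca-crl-ip-show.
# Thresholds and the weak-algorithm list are assumptions of this example.

# Constructed sample: a subset of the fields shown in the output above.
sample_output() {
cat <<'EOF'
  ID: MasterCRL
  Enable: true
  Auto Update Interval (minutes): 240
  Daily Updates: 1:00
  Enable CRL Updates: true
  Enable Daily Updates: true
  Enable Update Interval: true
  Signing Algorithm: SHA256withRSA
EOF
}

# get_field LABEL: print the value of the exact label from the report on stdin.
get_field() {
    awk -v key="$1" '
        { line = $0; sub(/^[ \t]+/, "", line) }
        index(line, key ": ") == 1 && !found { print substr(line, length(key) + 3); found = 1 }'
}

# audit_crl_ip: read a report on stdin, print findings, return non-zero if any.
audit_crl_ip() {
    report=$(cat); findings=0
    field() { printf '%s\n' "$report" | get_field "$1"; }
    flag() { echo "FINDING: $1"; findings=$((findings + 1)); }
    [ "$(field 'Enable')" = "true" ] || flag "issuing point is disabled"
    [ "$(field 'Enable CRL Updates')" = "true" ] || flag "CRL updates are disabled"
    if [ "$(field 'Enable Update Interval')" != "true" ] &&
       [ "$(field 'Enable Daily Updates')" != "true" ]; then
        flag "neither interval nor daily updates are enabled"
    fi
    case "$(field 'Signing Algorithm')" in   # assumed policy: no MD2/MD5/SHA-1
        MD2*|MD5*|SHA1*) flag "weak CRL signing algorithm" ;;
        "") flag "signing algorithm not reported" ;;
    esac
    interval=$(field 'Auto Update Interval (minutes)')
    case "$interval" in                      # assumed policy: refresh within 24 h
        ''|*[!0-9]*) flag "auto update interval missing or not numeric" ;;
        *) [ "$interval" -le 1440 ] || flag "auto update interval exceeds 1440 minutes" ;;
    esac
    [ "$findings" -eq 0 ]
}

sample_output | audit_crl_ip && echo "OK: no findings"
```

On a CA host, the real report can be piped in instead of the sample: pki-server ca-crl-ip-show MasterCRL | audit_crl_ip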

Modifying CRL Issuing Point Configuration

$ pki-server ca-crl-ip-mod \
    --desc "Master CRL" \
    --class com.example.ca.CRLIssuingPoint \
    --enable false \
    -D alwaysUpdate=true \
    -D autoUpdateInterval=5 \
    MasterCRL

See also Configuring CRL.
