Create a CRL

When creating a CRL for a CA, administrators define which certificates the CRL covers, how the CRL is generated and published, and where relying parties can retrieve it.

To create a CRL in DigiCert® Private CA, select CRLs from the left menu, then select Create a CRL.

Then configure the CRL using the following steps:

  1. Under Issuer, select the CA that will generate and publish this CRL.

  2. Under CRL content, select which certificates the CRL lists.

    • All types of certificates: Creates a CRL that lists revoked end entity and subordinate CA certificates.

    • Only end entity or CA certificates: Creates a revocation list for one certificate type. You then choose whether to create an end entity CRL or an authority revocation list (ARL).

  3. Next, select a Publishing model based upon the selected CRL content.

    • If All types of certificates is selected, choose the publishing model:

      • Complete: Lists all revoked certificates that include a CRL distribution point (CDP) extension.

      • Partitioned: A complete CRL divided into multiple partitions for efficient distribution.

      • Full and complete: Lists all revoked certificates issued by the CA, including certificates with or without a CDP extension.

    • If Only end entity or CA certificates is selected, choose the revocation list type:

      • End entity CRL: Lists only end entity certificates revoked by the issuing CA.

      • Authority revocation list (ARL): Lists only subordinate CA certificates revoked by the issuing CA.

  4. Select Next.

  1. Enter a File name for the CRL. If partitioning is enabled, partition identifiers are appended automatically to this file name.

  2. Review or update the Signature algorithm. The algorithm is pre-selected based on the issuing CA but can be changed if required.

  3. (Optional) Enter a File path to specify where the CRL is published within the CRL distribution point.

  4. (Optional) Enter the Last CRL number if you are migrating from another system and need to maintain CRL sequence continuity.

  5. If the Partitioned publishing model was selected earlier, you must Enable Auto-partitioning to publish the CRL as multiple partitions instead of a single file.

  6. After enabling auto-partitioning, select the Partitioning method:

    • By number of revoked certificates: Limits the number of revoked certificates included in each partition.

      Enter the Revoked certificates per partition value.

    • By maximum file size: Limits the size of each CRL partition.

      Enter the Maximum file size (KB).

  7. Select Next.

  1. Under CRL status and controls, configure the CRL behavior.

    • Make CRL active immediately after creation: Sets this as the active CRL for the CA. Any existing CRL is disabled.

    • Enable CRL generation: Allows this CRL to be generated automatically as configured or manually when needed.

      If this option is not selected, the CRL cannot be generated either automatically or manually.

    • Enable CRL publishing: Allows the CRL to be published. Publishing occurs automatically whenever the CRL is generated.

  2. Under Generation schedule, review the CRL validity and regeneration frequency.

    The system displays the default schedule for CRL validity and regeneration, if configured.

  3. To modify the schedule, select Customize frequency and configure the following settings:

    • CRL validity (hours): Specifies how long the CRL remains valid before expiring.

    • CRL frequency (hours): Specifies how often the CRL is regenerated and published.

    The regeneration frequency must be less than the CRL validity period, so that a new CRL is always published before the previous one expires. To revert to the default schedule after customizing it, select Reset to system defaults.

  4. Select Create.

Result

The CRL is created and appears in the list on the CRLs page.

If Make CRL active immediately after creation is selected, this CRL becomes the active CRL for the CA and any previously active CRL is disabled.

If CRL generation is enabled, DigiCert Private CA generates the CRL automatically according to the configured schedule or when triggered manually. If CRL publishing is enabled, generated CRLs are published automatically to the configured CRL distribution points.
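As an added example that is not part of DigiCert's documentation or product code, the following Python script (using the `cryptography` library) models the Generation schedule and Last CRL number settings above: it builds a sequence of signed CRLs on a given validity and frequency, then checks them the way a relying party would, reporting a coverage gap when the regeneration frequency is not less than the CRL validity, and a break in CRL number continuity. The CA name, key and timestamps are constructed stand-ins, not values from the page.

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

# Constructed stand-in for the issuing CA (hypothetical name, throwaway P-256 key).
CA_KEY = ec.generate_private_key(ec.SECP256R1())
CA_NAME = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Issuing CA")])
T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed time of the first run

def build_crl(crl_number, issued_at, validity_hours, revoked_serials=()):
    """Model one scheduled run: thisUpdate = run time, nextUpdate = run time +
    CRL validity (hours), CRLNumber = sequence number. Returns DER bytes."""
    b = (x509.CertificateRevocationListBuilder().issuer_name(CA_NAME)
         .last_update(issued_at).next_update(issued_at + timedelta(hours=validity_hours))
         .add_extension(x509.CRLNumber(crl_number), critical=False))
    for serial in revoked_serials:
        b = b.add_revoked_certificate(x509.RevokedCertificateBuilder()
                                      .serial_number(serial).revocation_date(issued_at).build())
    return b.sign(CA_KEY, hashes.SHA256()).public_bytes(serialization.Encoding.DER)

def _utc(crl, field):
    # cryptography >= 42 has *_utc accessors; older releases return naive UTC datetimes.
    val = getattr(crl, field + "_utc", None)
    return val if val is not None else getattr(crl, field).replace(tzinfo=timezone.utc)

def check_crl_sequence(der_crls, ca_public_key, ca_name):
    """Relying-party view of consecutively published CRLs. Returns findings; [] is healthy."""
    findings, prev = [], None
    for raw in der_crls:
        crl = x509.load_der_x509_crl(raw)
        num = crl.extensions.get_extension_for_class(x509.CRLNumber).value.crl_number
        if crl.issuer != ca_name:
            findings.append(f"CRL {num}: issuer does not match the CA")
        if not crl.is_signature_valid(ca_public_key):
            findings.append(f"CRL {num}: signature does not verify")
        this_upd, next_upd = _utc(crl, "last_update"), _utc(crl, "next_update")
        if prev is not None:
            prev_num, prev_next = prev
            if num != prev_num + 1:  # Last CRL number continuity after a migration
                findings.append(f"CRL {num}: expected CRL number {prev_num + 1}")
            if this_upd >= prev_next:  # previous CRL expired before its replacement appeared
                findings.append(f"CRL {num}: coverage gap after CRL {prev_num}")
        prev = (num, next_upd)
    return findings

def simulate_schedule(validity_hours, frequency_hours, start_number=1, runs=3):
    """Publish `runs` CRLs on the configured schedule and check the sequence."""
    crls = [build_crl(start_number + i, T0 + timedelta(hours=frequency_hours * i),
                      validity_hours, revoked_serials=[1000 + i]) for i in range(runs)]
    return check_crl_sequence(crls, CA_KEY.public_key(), CA_NAME)
```

Running `simulate_schedule(24, 12)` returns no findings, while `simulate_schedule(24, 24)` reports a coverage gap after every CRL, which is the situation the "frequency must be less than validity" rule prevents.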