Updated on 2022-07-08 GMT+08:00

Managing a CRL

The PCA service has the following restrictions on certificate revocation list (CRL) management:

  • The CRL is released only when the CRL configuration is enabled during the creation of a private CA.

    If the parent CA does not have CRL configuration enabled, revoked certificates are never written to a CRL, so relying parties have no way to learn that a certificate was revoked: it still passes certificate chain validation, which is a security risk. If you expect to ever revoke certificates, enable the CRL configuration when you create the CA.

  • CRLs can be released only to the OBS bucket authorized by you. Customizing other storage paths is not allowed.
  • After CRL configuration is enabled, who can read the signed CRL is governed by the access policy you configure on the OBS bucket that stores it. You can customize the access policy of the authorized bucket; make sure it grants read access to every client that is expected to check revocation, because a CRL that relying parties cannot fetch protects nothing.
  • Once a certificate is revoked, it cannot be restored.
  • Once a certificate's serial number is written into the CRL, relying parties that check the CRL no longer trust it.
  • After a certificate is revoked, the PCA service writes the certificate information into the CRL (if the CRL is enabled by the parent CA) within 30 minutes and updates the CRL on the OBS bucket. If the CRL fails to be released, the system attempts to generate the CRL again 15 minutes later.
  • A scheduled task for releasing new CRLs will fail to be executed in any of the following cases: The private CA has been deleted; the private CA has expired; the OBS bucket has been deleted; or the authorization for the OBS bucket has been canceled.
  • If the private CA does not revoke any certificate it issued during the validity period of the current CRL, a new CRL is generated only after that validity period expires (possibly with a delay of about 30 minutes). The validity period of a CRL can be 7 to 30 days. Clients that enforce CRL freshness (for example, openssl verify -crl_check) treat a CRL whose next-update time has passed as unusable and reject the chain with a "CRL has expired" error rather than silently accepting it.
  • Appropriate revocation reasons can make the revocation information in the CRL more accurate.

    The default revocation reason in the PCA service is UNSPECIFIED. Table 1 describes the revocation reasons you can select.

    Table 1 Revocation reasons and meaning

    Reason for Revocation             Reason Code in RFC 5280  Description
    UNSPECIFIED                       0                        Default value. No reason is specified for the revocation.
    KEY_COMPROMISE                    1                        The private key of the certificate has been compromised.
    CERTIFICATE_AUTHORITY_COMPROMISE  2                        The private key of a CA in the certificate chain has been compromised.
    AFFILIATION_CHANGED               3                        The subject name or other information in the certificate has changed.
    SUPERSEDED                        4                        The certificate has been replaced by a new one.
    CESSATION_OF_OPERATION            5                        The entity named in the certificate, or in its chain, has ceased to operate.
    CERTIFICATE_HOLD                  6                        The certificate must not be considered valid at present; in RFC 5280 a held certificate may be released later.
    PRIVILEGE_WITHDRAWN               9                        The certificate no longer has the right to assert the attributes it lists.
    ATTRIBUTE_AUTHORITY_COMPROMISE    10                       The authority that vouches for the attributes in the certificate may have been compromised.

    The names of the revocation reasons in the PCA service differ from the identifiers used in RFC 5280 (for example, keyCompromise and cACompromise), but the reason codes map one-to-one, so you can use the code to look up the standard description. Codes 7 (unused in RFC 5280) and 8 (removeFromCRL, used only in delta CRLs) are not in the list above. Because the PCA service does not restore revoked certificates, treat CERTIFICATE_HOLD as permanent in practice even though the RFC allows a held certificate to be released.
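The following script is an added example and is not part of the PCA service or this page: it uses only the openssl command line to stand up a throwaway private CA in a temporary directory, issue a certificate, revoke it with reason code 1 (keyCompromise, KEY_COMPROMISE in the PCA naming), publish a CRL, and then run chain validation twice. The first run ignores the CRL and accepts the revoked certificate, which is exactly the risk described above for a CA created without CRL configuration; the second run consults the CRL and rejects it. The CA name, subject names, serial and the 7-day CRL lifetime are all constructed for the example; the 7 days mirror the lower bound of the PCA CRL validity period.

```shell
#!/bin/sh
# Added example (not PCA product code): throwaway openssl CA showing why a
# revoked certificate still validates unless the relying party checks a CRL.
set -eu

WORK="$(mktemp -d)"
CNF="$WORK/ca.cnf"
trap 'rm -rf "$WORK"' EXIT

setup_pca() {
    mkdir -p "$WORK/newcerts"
    : > "$WORK/index.txt"
    echo 1000 > "$WORK/serial"      # first serial issued will be 0x1000
    echo 1000 > "$WORK/crlnumber"
    # Minimal "openssl ca" configuration. default_crl_days = 7 matches the
    # shortest CRL validity period the PCA service allows.
    cat > "$CNF" <<EOF
[ ca ]
default_ca         = pca
[ pca ]
database           = $WORK/index.txt
new_certs_dir      = $WORK/newcerts
serial             = $WORK/serial
crlnumber          = $WORK/crlnumber
certificate        = $WORK/ca.crt
private_key        = $WORK/ca.key
default_md         = sha256
default_days       = 30
default_crl_days   = 7
policy             = pca_policy
[ pca_policy ]
commonName         = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
EOF
    # Self-signed CA (hypothetical name, constructed for this example).
    openssl req -config "$CNF" -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=Example Private CA" -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

issue_leaf() {
    openssl req -config "$CNF" -new -newkey rsa:2048 -nodes \
        -subj "/CN=app.example.internal" -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
    openssl ca -config "$CNF" -batch -notext -in "$WORK/leaf.csr" -out "$WORK/leaf.crt" 2>/dev/null
}

# Reason names are openssl's RFC 5280 identifiers; keyCompromise is code 1.
revoke_leaf() {
    openssl ca -config "$CNF" -revoke "$WORK/leaf.crt" -crl_reason "$1" 2>/dev/null
}

# Equivalent of the PCA service writing the CRL to the OBS bucket.
publish_crl() {
    openssl ca -config "$CNF" -gencrl -out "$WORK/crl.pem" 2>/dev/null
}

# Chain validation only: what a relying party does when no CRL is published.
verify_without_crl() {
    openssl verify -CAfile "$WORK/ca.crt" "$WORK/leaf.crt"
}

# Chain validation plus CRL checking against the published CRL.
verify_with_crl() {
    openssl verify -crl_check -CAfile "$WORK/ca.crt" -CRLfile "$WORK/crl.pem" "$WORK/leaf.crt"
}

# Print the revocation reason the CRL records for a serial number (hex, as openssl prints it).
crl_reason_of() {
    openssl crl -in "$WORK/crl.pem" -noout -text | awk -v serial="$1" '
        $1 == "Serial" && $2 == "Number:" { current = $3 }
        /CRL Reason Code/ && current == serial { getline; sub(/^[ \t]+/, ""); sub(/[ \t\r]+$/, ""); print; exit }'
}

setup_pca
issue_leaf
revoke_leaf keyCompromise
publish_crl

echo "Without CRL checking (revoked certificate still passes chain validation):"
verify_without_crl || echo "  unexpected: chain validation failed"
echo "With CRL checking:"
if verify_with_crl; then
    echo "  unexpected: revoked certificate was accepted"
else
    echo "  rejected as expected; reason recorded in the CRL: $(crl_reason_of 1000)"
fi
```

Run it with sh; it needs only openssl. The CRL here is signed by the same key as the CA certificate, which is what lets openssl verify -crl_check trust it: a relying party must validate the CRL signature against the issuing CA before acting on its contents, otherwise anyone who can write to the distribution point could publish an empty CRL.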