6.4. Setting Full and Delta CRL Schedules

CRLs are generated periodically. Setting that period is touched on in the configuration in Section 6.3.2, “Configuring CRLs for Each Issuing Point”.
CRLs are issued according to a time-based schedule. CRLs can be issued every single time a certificate is revoked, at a specific time of day, or once every so-many minutes.
Time-based CRL generation schedules apply to every CRL that is generated. There are two kinds of CRLs, full CRLs and delta CRLs. A full CRL has a record of every single revoked certificate, whereas delta CRLs contain only the certificates that have been revoked since the last CRL (delta or full) was generated.
By default, full CRLs are generated at every specified interval in the schedule. It is possible to space out the time between generating full CRLs by generating interim delta CRLs. The generation interval is configured in the CRL update schema, which sets the ratio of delta CRLs to full CRLs.
If the interval is set to 3, for example, then the first CRL generated will be both a full and delta CRL, then the next two generation updates are delta CRLs only, and then the fourth interval is both a full and delta CRL again. In other words, every third generation interval has both a full CRL and a delta CRL.
Interval   1, 2, 3, 4, 5, 6, 7 ...
Full CRL   1        4        7 ...
Delta CRL  1, 2, 3, 4, 5, 6, 7 ...

Note

For delta CRLs to be generated in addition to full CRLs, the CRL cache must be enabled.

6.4.1. Configuring CRL Update Intervals in the Console

  1. Open the console.
    pkiconsole https://server.example.com:8443/ca
  2. In the Configuration tab, expand the Certificate Manager folder and the CRL Issuing Points subfolder.
  3. Select the MasterCRL node.
  4. Enter the required interval in the Generate full CRL every # delta(s) field.
  5. Set the update frequency, either by triggering an update on every certificate revocation, by a cyclical interval, or by set times at which the updates occur:
    • Select the Update CRL every time a certificate is revoked or released from hold checkbox.
    • Select the Update CRL at checkbox and enter specific times separated by commas, such as 01:50,04:55,06:55.
    • Select Update CRL every checkbox and enter the required interval, such as 240.
  6. Save the changes.

Important

The Update CRL every time a certificate is revoked or released from hold option also requires you to fill out the two grace period settings. This is a known issue, and the bug is being tracked in Red Hat Bugzilla.

Note

Schedule drift can occur when updating CRLs by interval. Typically, drift occurs as a result of manual updates and CA restarts.
To prevent schedule drift, select the Update CRL at checkbox and enter a value. The interval updates will resynchronize with the Update CRL at value every 24 hours.
Only one Update CRL at value will be accepted when updating CRLs by interval.

6.4.2. Configuring Update Intervals for CRLs in CS.cfg

Configuring the settings for full and delta CRLs in the CS.cfg file involves editing the parameters listed in Table 6.1, “CRL Extended Interval Parameters”.

Table 6.1. CRL Extended Interval Parameters

updateSchema
  Description: Sets the ratio for how many delta CRLs are generated per full CRL.
  Accepted values: An integer value

enableDailyUpdates
  Description: Enables and disables setting CRL updates based on set times.
  Accepted values: true or false

enableUpdateInterval
  Description: Enables and disables setting CRL updates based on set intervals.
  Accepted values: true or false

dailyUpdates
  Description: Sets the times at which the CRLs should be updated.
  Accepted values: A comma-delimited list of times

autoUpdateInterval
  Description: Sets the interval in minutes at which the CRLs are updated.
  Accepted values: An integer value

nextUpdateGracePeriod
  Description: Adds the given number of minutes to the CRL validity period to ensure that CRLs remain valid throughout the publishing or replication period.
  Accepted values: An integer value

refreshInSec
  Description: Sets the periodicity in seconds of the thread on the clone OCSP that checks LDAP for any updates of the CRL.
  Accepted values: An integer value

Procedure 6.1. How to configure CRL update intervals in CS.cfg

  1. Stop the CA server.
    # systemctl stop pki-tomcatd@instance_name.service
  2. Change to the CA configuration directory.
    # cd /var/lib/instance_name/conf/
  3. Edit the CS.cfg file, and add the following line to set the update interval:
    ca.crl.MasterCRL.updateSchema=3
    The default interval is 1, meaning a full CRL is generated every time a CRL is generated. The updateSchema interval can be set to any integer.
  4. Set the update frequency, either by specifying a cyclical interval or set times for the updates to occur:
    • Specify set times by enabling the enableDailyUpdates parameter, and add the desired times to the dailyUpdates parameter:
      ca.crl.MasterCRL.enableDailyUpdates=true
      ca.crl.MasterCRL.enableUpdateInterval=false
      ca.crl.MasterCRL.dailyUpdates=0:50,04:55,06:55
    • Specify intervals by enabling the enableUpdateInterval parameter, and add the required interval in minutes to the autoUpdateInterval parameter:
      ca.crl.MasterCRL.enableDailyUpdates=false
      ca.crl.MasterCRL.enableUpdateInterval=true
      ca.crl.MasterCRL.autoUpdateInterval=240
  5. Set the following parameters depending on your environment:
    • If you run a CA without an OCSP subsystem, set:
      ca.crl.MasterCRL.nextUpdateGracePeriod=0
    • If you run a CA with an OCSP subsystem, set:
      ca.crl.MasterCRL.nextUpdateGracePeriod=time_in_minutes
      The ca.crl.MasterCRL.nextUpdateGracePeriod parameter defines the time in minutes, and the value must be big enough to enable the CA to propagate the new CRL to the OCSP. You must set the parameter to a non-zero value.
      If you additionally have OCSP clones in your environment, also set:
      ocsp.store.defStore.refreshInSec=time_in_seconds
      The ocsp.store.defStore.refreshInSec parameter sets the frequency in seconds with which the clone OCSP instances are informed of CRL updates through LDAP replication updates from the master OCSP instance.
    See Table 6.1, “CRL Extended Interval Parameters” for details on the parameters.
  6. Restart the CA server.
    # systemctl start pki-tomcatd@instance_name.service

Note

Schedule drift can occur when updating CRLs by interval. Typically, drift occurs as a result of manual updates and CA restarts.
To prevent schedule drift, set both enableDailyUpdates and enableUpdateInterval parameters to true, and add the required values to autoUpdateInterval and dailyUpdates:
ca.crl.MasterCRL.enableDailyUpdates=true
ca.crl.MasterCRL.enableUpdateInterval=true
ca.crl.MasterCRL.autoUpdateInterval=240
ca.crl.MasterCRL.dailyUpdates=1:00
Only one dailyUpdates value will be accepted when updating CRLs by interval.
The interval updates will resynchronize with the dailyUpdates value every 24 hours preventing schedule drift.

6.4.3. Configuring CRL Generation Schedules over Multiple Days

By default, CRL generation schedules cover 24 hours. Also, by default, when both full and delta CRLs are enabled, full CRLs are generated at fixed positions among the delta CRL updates according to the updateSchema ratio, for example at every third update.
To set CRL generation schedules across multiple days, the list of times uses commas to separate times within the same day and a semicolon to delimit days:
ca.crl.MasterCRL.dailyUpdates=01:00,03:00,18:00;02:00,05:00,17:00
This example updates CRLs on day one of the schedule at 01:00, 03:00, and 18:00, and on day two of the schedule at 02:00, 05:00, and 17:00. On day three the cycle starts again.

Note

The semicolon indicates a new day. Starting the list with a semicolon results in an initial day where no CRLs are generated. Likewise, ending the list with a semicolon adds a final day to the schedule where no CRLs are generated. Two semicolons together result in a day with no CRL generation.
To set full CRL updates independent of delta updates, the list of times accepts time values prepended with an asterisk to indicate when full CRL updates should occur:
ca.crl.MasterCRL.dailyUpdates=01:00,03:00,18:00,*23:00;02:00,05:00,21:00,*23:30
This example generates delta CRL updates on day one at 01:00, 03:00, and 18:00, with a full and delta CRL update at 23:00. On day two, delta CRLs are updated at 02:00, 05:00, and 21:00, with a full and delta CRL update at 23:30. On day three, the cycle starts again.
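The following is an added example, not code from Red Hat Certificate System, that models the two schedule mechanisms described on this page: the updateSchema ratio from Section 6.4 (which generations produce a full CRL) and the dailyUpdates list syntax (commas separate times within a day, semicolons separate days, a leading asterisk marks a full CRL update). The function names are the example's own; they let a configured schedule be checked for invalid times and idle days before it is written to CS.cfg.

```python
"""Model the CRL schedule settings of Certificate System (added example).

The behaviour encoded here follows the documentation text only: the first
update and every updateSchema-th update after it is a full CRL, and an
empty day in dailyUpdates (leading, trailing or doubled semicolon) is a
day on which no CRL is generated.
"""
import re
from typing import List, Tuple

# Accepts both "0:50" and "04:55", as used in the configuration examples.
_TIME_RE = re.compile(r"^(\d{1,2}):(\d{2})$")

# One schedule entry: (hour, minute, is_full_crl)
Entry = Tuple[int, int, bool]


def update_schema_kinds(update_schema: int, count: int) -> List[str]:
    """Return the kind of each of the first `count` CRL generations for the
    given updateSchema value: generation 0 and every update_schema-th one
    after it is 'full+delta'; the rest are 'delta' only."""
    if update_schema < 1:
        raise ValueError("updateSchema must be a positive integer")
    return ["full+delta" if i % update_schema == 0 else "delta"
            for i in range(count)]


def parse_daily_updates(value: str) -> List[List[Entry]]:
    """Parse a dailyUpdates value into a list of days, each a list of
    (hour, minute, is_full) entries. Empty days are kept as empty lists;
    malformed or out-of-range times raise ValueError."""
    days: List[List[Entry]] = []
    for day in value.split(";"):
        entries: List[Entry] = []
        for token in filter(None, (t.strip() for t in day.split(","))):
            is_full = token.startswith("*")
            match = _TIME_RE.match(token.lstrip("*"))
            if match is None:
                raise ValueError(f"invalid time entry: {token!r}")
            hour, minute = int(match.group(1)), int(match.group(2))
            if not (0 <= hour < 24 and 0 <= minute < 60):
                raise ValueError(f"time out of range: {token!r}")
            entries.append((hour, minute, is_full))
        days.append(entries)
    return days


def idle_days(days: List[List[Entry]]) -> List[int]:
    """Return the zero-based indices of days on which no CRL is generated."""
    return [i for i, entries in enumerate(days) if not entries]
```

Running parse_daily_updates on the two-day value quoted above yields a two-element list whose final entries on each day carry the is_full flag, and idle_days reports any day that a stray semicolon left empty.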

Note

The semicolon and asterisk syntax works in both the console and when manually editing the CS.cfg file.