Manage a Certificate Revocation List

When a certificate issuing authority (a CA) determines that a certificate has been compromised, it revokes the certificate. A record of revoked certificates is kept in a Certificate Revocation List (CRL). Asset Manager checks the validity of SSL certificates by consulting this CRL.

Asset Manager releases use the CRL to check for certificate revocations. Checking through the Online Certificate Status Protocol (OCSP) is additionally supported. OCSP is one of two common schemes for maintaining the security of a server and other network resources.

To simplify the experience of customers who use CRL retrieval, CRLs can be installed on or removed from Asset Manager. Additional functionality that will enable users to download CRLs is in development as of Asset Manager 3.3.2 and is expected to be made available in a near-term release.

Install or Remove a CRL using the GUI

To install or remove the CRL from the Asset Manager graphical user interface, follow this procedure:

  1. Browse to Settings > Asset Manager Systems > Manage PKI.
  2. In the Certificate Type field, select Certificate Revocation List.
  3. Select Install or Remove.
  4. Select the CRL file to install or remove.
  5. Click Submit.

CRL Commands using the CLI

certificate crl remove
certificate crl install user@host:/path/to/file.crl

CRL Commands using the API

GET api/rest/license/crl to download the CRL

POST api/rest/license/crl to add a PEM-formatted CRL to the CRL file on the server

DELETE api/rest/license/crl to remove the CRL file from the server
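
A check that can be run on a CRL file before it is installed through the GUI, CLI or API above: it confirms the file is a PEM-formatted CRL and that the current time falls between its thisUpdate and nextUpdate fields. This is an added example, not Asset Manager code; it uses only the Python standard library, does not verify the CRL signature, treats a CRL without nextUpdate as not current (an assumption of this example), and all function names and the sample CRL built by sample_crl are constructed for illustration.

```python
import base64, re
from datetime import datetime, timezone

PEM_RE = re.compile(r"-----BEGIN X509 CRL-----(.+?)-----END X509 CRL-----", re.S)

def _fields(buf, pos=0):  # yield (tag, value) for each top-level DER element in buf
    while pos < len(buf):
        if pos + 2 > len(buf):
            raise ValueError("truncated DER")
        tag, length, pos = buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:  # long form: low 7 bits count the length bytes that follow
            n = length & 0x7F
            length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        if pos + length > len(buf):
            raise ValueError("truncated DER")
        yield tag, buf[pos:pos + length]
        pos += length

def _time(tag, val):
    s = val.decode("ascii")
    if tag == 0x17:  # UTCTime has a two-digit year; RFC 5280 pivots at 50
        s = ("19" if s[:2] >= "50" else "20") + s
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def crl_times(pem_text):  # -> (thisUpdate, nextUpdate or None)
    m = PEM_RE.search(pem_text)
    if not m:
        raise ValueError("no X509 CRL PEM block")
    der = base64.b64decode("".join(m.group(1).split()), validate=True)
    _, outer = next(_fields(der), (0, b""))    # CertificateList
    _, tbs = next(_fields(outer), (0, b""))    # TBSCertList
    times = [_time(t, v) for t, v in _fields(tbs) if t in (0x17, 0x18)]
    if not times:
        raise ValueError("no thisUpdate field: not a CRL")
    return times[0], (times[1] if len(times) > 1 else None)

def is_current(pem_text, now):  # True when thisUpdate <= now < nextUpdate
    this_update, next_update = crl_times(pem_text)
    return this_update <= now and next_update is not None and now < next_update

def _enc(tag, body):  # short-form DER only; enough for the small sample below
    return bytes([tag, len(body)]) + body

def sample_crl(this_update, next_update):  # constructed CRL with a dummy signature
    alg = _enc(0x30, _enc(0x06, bytes.fromhex("2a864886f70d01010b")) + _enc(0x05, b""))
    name = _enc(0x30, _enc(0x31, _enc(0x30, _enc(0x06, b"\x55\x04\x03") + _enc(0x0C, b"Example CA"))))
    tbs = _enc(0x30, _enc(0x02, b"\x01") + alg + name + _enc(0x17, this_update) + _enc(0x17, next_update))
    der = _enc(0x30, tbs + alg + _enc(0x03, bytes(9)))
    return "-----BEGIN X509 CRL-----\n" + base64.encodebytes(der).decode() + "-----END X509 CRL-----\n"
```

For a real file, pass its text and datetime.now(timezone.utc) to is_current; a ValueError means the file is not a PEM CRL (for example a DER-encoded CRL or a certificate).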