CRL Updater Service

The CRL Updater checks whether any of the configured CAs need a new CRL and generates one if necessary. The worker has no additional settings; it only supports the Periodic Interval and the No Action action.

The CRL Updater Service stores the generated CRLs in the CA's database. It does not publish the CRL anywhere. If you want to publish information about revoked certificates to an External VA, you must create a publisher, for example, a Validation Authority Peer Publisher.

The CRL Updater Service runs at Periodic Interval and generates new CRLs if any of the following conditions hold:

  • Current Time + Periodic Interval ≥ CRL Next Update - CRL Overlap

  • If CRL Issue Interval = 0

    • Current Time + Periodic Interval ≥ CRL Next Update

  • If CRL Issue Interval > 0

    • Current Time + Periodic Interval ≥ CRL Creation Date + CRL Issue Interval

  • If Delta CRL Period > 0

    • Current Time + Periodic Interval ≥ Delta CRL Next Update

Depending on the settings in the CA, different CRL generation times are triggered. In particular, when using the CRL Issue Interval, the actual issuing interval may not match the configured value exactly; it depends on how the Periodic Interval of the service is configured. It is important not to delay CRL issuance longer than desired, since a delayed issuance can leave a CRL expired with no new CRL available. Therefore, a new CRL is issued during the current run if an issuance time would normally fall between this run and the next run of the service. It is better to issue a CRL slightly too early than slightly too late.
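The four conditions listed above, together with the look-ahead rule described in the paragraph just before this, as an added Python example. This is not EJBCA code: the class and function names (`CrlState`, `crl_generation_reasons`, `simulate_issuance`) are hypothetical, the `expire_period` field stands in for the CA's CRL validity setting, and the scenario in `example_run` is constructed. The simulation shows why a 24-hour CRL Issue Interval combined with a 10-minute Periodic Interval actually issues a CRL every 23 h 50 min.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass
class CrlState:
    """Constructed snapshot of one CA's CRL settings and its current CRLs.

    Field names are hypothetical; they mirror the terms used in the conditions
    above rather than any real EJBCA class.
    """
    creation_date: datetime          # thisUpdate of the current full CRL
    next_update: datetime            # nextUpdate of the current full CRL
    expire_period: timedelta         # CRL validity used when a new CRL is issued (assumed field)
    overlap: timedelta               # CRL Overlap
    issue_interval: timedelta        # CRL Issue Interval (0 = disabled)
    delta_period: timedelta          # Delta CRL Period (0 = no delta CRLs)
    delta_next_update: Optional[datetime] = None  # nextUpdate of the current delta CRL


def crl_generation_reasons(now: datetime, periodic_interval: timedelta,
                           ca: CrlState) -> List[str]:
    """Return every condition from the list above that holds for this run.

    The worker looks one Periodic Interval ahead: if an issuance time would
    fall between this run and the next, the CRL is issued now (too early
    rather than too late).
    """
    horizon = now + periodic_interval   # when the worker runs next
    reasons = []
    # Current Time + Periodic Interval >= CRL Next Update - CRL Overlap
    if horizon >= ca.next_update - ca.overlap:
        reasons.append("full CRL enters its overlap window before the next run")
    if ca.issue_interval == timedelta(0):
        # CRL Issue Interval = 0: only the CRL's own nextUpdate matters
        if horizon >= ca.next_update:
            reasons.append("full CRL would expire before the next run")
    else:
        # CRL Issue Interval > 0: issue relative to the last creation date
        if horizon >= ca.creation_date + ca.issue_interval:
            reasons.append("CRL Issue Interval elapses before the next run")
    if ca.delta_period > timedelta(0) and ca.delta_next_update is not None:
        # Delta CRL Period > 0: the delta CRL has its own nextUpdate to honour
        if horizon >= ca.delta_next_update:
            reasons.append("delta CRL would expire before the next run")
    return reasons


def needs_new_crl(now: datetime, periodic_interval: timedelta, ca: CrlState) -> bool:
    return bool(crl_generation_reasons(now, periodic_interval, ca))


def simulate_issuance(start: datetime, periodic_interval: timedelta,
                      ca: CrlState, runs: int) -> List[datetime]:
    """Run the worker `runs` times and record when a full CRL is issued.

    Issuing a CRL updates the CA state as the service would: the new CRL's
    thisUpdate is the run time and its nextUpdate is one expire_period later.
    """
    issued = []
    now = start
    for _ in range(runs):
        if needs_new_crl(now, periodic_interval, ca):
            issued.append(now)
            ca.creation_date = now
            ca.next_update = now + ca.expire_period
        now += periodic_interval
    return issued


def example_run() -> List[int]:
    """Constructed scenario: 10-minute worker, 24 h CRL Issue Interval, 3-day CRL validity.

    Returns the issuance times in minutes after start. With a 24 h Issue
    Interval the CRL is issued every 23 h 50 min, because the worker issues
    as soon as the due time falls before its next run.
    """
    start = datetime(2024, 1, 1, 0, 0, 0)
    ca = CrlState(
        creation_date=start,
        next_update=start + timedelta(days=3),
        expire_period=timedelta(days=3),
        overlap=timedelta(minutes=10),
        issue_interval=timedelta(hours=24),
        delta_period=timedelta(0),
    )
    issued = simulate_issuance(start, timedelta(minutes=10), ca, runs=300)
    return [int((t - start).total_seconds() // 60) for t in issued]


if __name__ == "__main__":
    print(example_run())   # [1430, 2860]
```

Running `example_run()` shows the first CRL issued 1430 minutes after the start and the second 1430 minutes after that: the 24-hour Issue Interval shrinks by one Periodic Interval because the worker will not risk letting the due time pass between two runs. Shortening the Periodic Interval narrows that gap; lengthening it makes the early issuance more pronounced.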

A recommended interval for running the CRL Updater service is no shorter than 10 minutes, to prevent many CRL generation runs from trying to execute in parallel when CRL generation takes a long time (for example, when large CRLs are being generated). The CRL overlap period should be configured accordingly. Note that the CRL Update Worker takes all overlap periods into consideration and will generate a new CRL too early rather than too late.