CRL Generation

A new CA should always issue an (empty) CRL, and EJBCA does this when the CA is created, so that relying parties that insist on checking a CRL can validate the CA's certificates from the start rather than failing on a missing CRL.

Generating a CRL

Manually

CRLs can be generated using Basic functions in the Admin GUI, or using the CLI by running the following command:

bin/ejbca.sh ca createcrl <CA name>

For more information on how to configure CRL periods, CRL Distribution Points and CRL Issuers, see the EJBCA User Guide section Certificate Profiles.

Automatically

Use one of the following ways to make EJBCA automatically create updated CRLs:

Using the CRL Update Service Worker

In the Admin GUI, go to Edit Services and add a new service. Edit the service and select the CRL Updater worker and the interval to use. Make sure to set the service to Active.

At the selected interval, the service checks whether the current CRL of each CA must be regenerated (because it has expired, or will expire within the configured threshold before its next update) and issues a new CRL only when that is the case. Choose an interval shorter than that threshold, otherwise a check can be skipped and the CRL can expire before the next run; note also that the worker runs inside the application server, so it only fires while EJBCA is up.

Using Unix Cron

CRLs can also be generated by having a cron job or equivalent call bin/ejbca.sh ca createcrl. Without a CA name, the createcrl command checks every active CA and issues a new CRL only for those whose current CRL is expired or about to expire.

To force CRL generation for a CA, use bin/ejbca.sh ca createcrl caname.

An example crontab entry:

PATH=/usr/bin:/bin:/usr/java/jdk1.6.0_24/bin
@daily cd /home/ejbca;/home/ejbca/bin/ejbca.sh ca createcrl;

where /usr/java/jdk1.6.0_24/bin is the path to where java can be found and /home/ejbca is where ejbca is installed. Write PATH out in full: Vixie-style cron does not expand variables such as $PATH in crontab environment lines, so a value like PATH=$PATH:/usr/java/... would be stored literally and the job would not find java.

The following displays a sample crontab to be installed with crontab -e (again with PATH and CLASSPATH written out in full, since cron does not expand $PATH or $CLASSPATH):

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
CLASSPATH=/root/ejbca
APPSRV_HOME=/usr/local/jboss
#m h dom mon dow command
00 0 * * * cd /root/ejbca;./bin/ejbca.sh ca createcrl

Where possible, install the crontab for the account that owns and runs EJBCA rather than for root, and make sure cron mails or logs the command's output so a failed createcrl run is noticed before the CRL expires.
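The cron approach above, together with the expiry-threshold check that the CRL Update Service Worker performs, as an added shell example. This script is not part of the EJBCA documentation or of EJBCA itself. It assumes an EJBCA installation directory of /opt/ejbca (overridable through EJBCA_HOME), a lock directory of /tmp (LOCK_DIR), a host with openssl and GNU date, and that the operator has fetched the CRL to be checked into the file named by CRL_FILE, for example with curl from the CA's CRL Distribution Point, since that copy is what relying parties actually see. The wrapper serialises runs with a lock, records the createcrl exit status, and then warns if the published CRL is still within THRESHOLD seconds of its nextUpdate.

```shell
#!/bin/sh
# Added example, not part of the EJBCA documentation or of EJBCA itself.
# Cron wrapper around "ejbca.sh ca createcrl" plus a freshness check on the
# CRL that relying parties download. Assumptions (not from the page):
#   EJBCA_HOME  EJBCA install dir with bin/ejbca.sh, default /opt/ejbca
#   LOCK_DIR    where the lock directory is created, default /tmp
#   CRL_FILE    PEM or DER CRL to check, fetched by the operator from the CDP
#   THRESHOLD   seconds before nextUpdate at which the CRL counts as stale
# Requires openssl and GNU date.

# Print the CRL's nextUpdate as epoch seconds. Accepts PEM or DER input.
crl_next_update_epoch() {
    crl=$1
    inform=DER
    grep -q 'BEGIN X509 CRL' "$crl" 2>/dev/null && inform=PEM
    nu=$(openssl crl -inform "$inform" -in "$crl" -noout -nextupdate) || return 2
    # openssl prints "nextUpdate=Jan 16 10:23:45 2025 GMT"; GNU date parses that.
    date -u -d "${nu#nextUpdate=}" +%s
}

# Exit 0 when the CRL has expired or expires within $2 seconds.
# $3 optionally overrides "now" (epoch seconds) so the decision can be
# exercised against a simulated clock; this mirrors the threshold check the
# CRL Update Service Worker makes before regenerating a CRL.
crl_is_stale() {
    threshold=$2
    now=${3:-$(date -u +%s)}
    next=$(crl_next_update_epoch "$1") || return 2
    [ $((next - now)) -le "$threshold" ]
}

log() { echo "$(date -u +%FT%TZ) ejbca-crl: $*" >&2; }

# Run createcrl for all active CAs (or for one CA when $1 is given) under a
# lock directory, so an overrunning job and the next cron tick never execute
# concurrently. Returns the exit status of ejbca.sh.
run_createcrl() {
    ejbca_home=${EJBCA_HOME:-/opt/ejbca}
    lock=${LOCK_DIR:-/tmp}/ejbca-createcrl.lock
    if ! mkdir "$lock" 2>/dev/null; then
        log "previous createcrl run still active, skipping this tick"
        return 3
    fi
    ( cd "$ejbca_home" && ./bin/ejbca.sh ca createcrl ${1:+"$1"} )
    rc=$?
    rmdir "$lock"
    log "createcrl exited with status $rc"
    return "$rc"
}

# Cron entry point, e.g.:  @daily /usr/local/sbin/ejbca-crl.sh --cron
# Refresh the CRLs, then alert if the published CRL is still about to expire.
if [ "${1:-}" = "--cron" ]; then
    run_createcrl "${2:-}" || exit $?
    if [ -n "${CRL_FILE:-}" ]; then
        if crl_is_stale "$CRL_FILE" "${THRESHOLD:-3600}"; then
            log "WARNING: $CRL_FILE expires within ${THRESHOLD:-3600}s after createcrl"
            exit 1
        fi
        log "$CRL_FILE is fresh, nextUpdate at epoch $(crl_next_update_epoch "$CRL_FILE")"
    fi
fi
```

The lock is a directory because mkdir is atomic on every POSIX filesystem, which a plain "test then create" on a lock file is not. Point CRL_FILE at the CRL downloaded from the distribution point rather than at an internal copy: a createcrl run that succeeds but whose output never reaches the published location is exactly the failure this check is meant to catch.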

Delta CRLs

EJBCA can issue delta CRLs. In the CA configuration, set Delta CRL Period to the amount of time a delta CRL remains valid; a value of 0 disables delta CRLs. When Delta CRL Period is larger than 0, both the command line interface and the CRL Update Service Worker generate delta CRLs in addition to the base CRLs. Keep publishing the base CRL as well: a delta CRL only lists changes since a base CRL, and clients that do not support delta CRLs ignore it.

Retrieving CRLs

EJBCA stores all generated CRLs, unless you manually remove them from the database.

You can retrieve CRLs (either the latest CRL or a CRL with a specific CRL number) using the command line interface, the Public Web or the RA Web:

  • To retrieve CRLs using the command line interface, see the options listed by:

bin/ejbca.sh ca getcrl --help

  • To retrieve CRLs using the Public Web, select Public Web>Fetch CA CRLs; to fetch a specific CRL rather than the latest one, add the parameter crlnumber=<crl number>.

  • To retrieve CRLs using the RA Web, select RA Web>CA Certificates and CRLs; to fetch a specific CRL rather than the latest one, add the parameter crlnumber=<crl number>.