A CRL Distribution Point (CDP) is an extension in issued certificates containing a URL to the CRL in which a revocation of that certificate will appear. Relying parties use the CDP to check whether a certificate has been revoked when validating it.

To configure a CDP pointing to the CRL published to the S3 bucket, configure the following CA settings:

  1. Go to CA Functions > Certification Authorities.
  2. Select the CA that needs to have the CDP added to it, in this example Corporate Issuing CA - G1, and then click Edit CA.
  3. Locate the field Default CRL Distribution Point.
  4. Enter the URL for the CRL generated in the previous section, in this example http://s3.amazonaws.com/s3crlbucket/CorporateIssuingCAG1.crl. If using a CNAME in DNS, enter that custom URL instead.

    Warning: It is recommended to use a CNAME for this URL. The URL embedded in an issued certificate can never be changed, but a CNAME can point to anything, so it lets an administrator change which infrastructure serves the CRL without changing the address the certificate refers to. A CNAME in your domain would point to the AWS S3 hostname, for example:
    crl.corporation.com	1800	CNAME	s3.amazonaws.com
    This results in a working URL of http://crl.corporation.com/s3crlbucket/CorporateIssuingCAG1.crl.

    To remove the bucket name (in this case s3crlbucket) from the URL, refer to the AWS documentation article "How Do I Redirect Requests to an S3 Bucket Hosted Website to Another Host?".

  5. Click Save.
  6. Select the CA that the CDP was added to, and then click Edit CA.
  7. In the CA Life Cycle section, click Renew CA.
  8. Select the CA that the CDP was added to, and then click Edit CA.
  9. In the CA Life Cycle section, click Republish CA Certificates.
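As an added example (not part of this page or the CA product's own code), the following Python uses the cryptography package to show what the configuration above produces: a CA certificate carrying the CDP URL, the CDP read back the way a relying party does, and a CRL signed by that CA checked for signature and freshness. The CA name and the CNAME-based CRL URL are taken from the page's example; the keys, serial numbers and validity periods are constructed.

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID, ExtensionOID

UTC = datetime.timezone.utc
CDP_URL = "http://crl.corporation.com/s3crlbucket/CorporateIssuingCAG1.crl"  # assumed, from the page's example

def make_ca(cdp_url=CDP_URL):
    """Constructed self-signed CA whose certificate carries cdp_url as its CDP."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Corporate Issuing CA - G1")])
    now = datetime.datetime.now(UTC)
    cert = (
        x509.CertificateBuilder()
        .subject_name(name).issuer_name(name).public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
        .add_extension(x509.CRLDistributionPoints([x509.DistributionPoint(
            full_name=[x509.UniformResourceIdentifier(cdp_url)],
            relative_name=None, reasons=None, crl_issuer=None)]), critical=False)
        .sign(key, hashes.SHA256())
    )
    return key, cert

def cdp_urls(cert):
    """URLs a relying party would fetch the CRL from; empty when the extension is absent."""
    try:
        ext = cert.extensions.get_extension_for_oid(ExtensionOID.CRL_DISTRIBUTION_POINTS)
    except x509.ExtensionNotFound:
        return []
    return [gn.value for dp in ext.value for gn in (dp.full_name or [])
            if isinstance(gn, x509.UniformResourceIdentifier)]

def issue_crl(key, cert, revoked_serials, days_valid=7):
    """CRL signed by the CA: the file that is uploaded to the bucket behind the CDP URL."""
    now = datetime.datetime.now(UTC)
    builder = (x509.CertificateRevocationListBuilder().issuer_name(cert.subject)
               .last_update(now).next_update(now + datetime.timedelta(days=days_valid)))
    for serial in revoked_serials:
        rc = x509.RevokedCertificateBuilder().serial_number(serial).revocation_date(now).build()
        builder = builder.add_revoked_certificate(rc)
    return builder.sign(key, hashes.SHA256())

def crl_is_trustworthy(crl, ca_cert):
    """Relying-party check: CRL signed by the CA's key and not past its nextUpdate."""
    nxt = getattr(crl, "next_update_utc", None) or crl.next_update.replace(tzinfo=UTC)  # older releases: naive UTC
    return crl.is_signature_valid(ca_cert.public_key()) and datetime.datetime.now(UTC) < nxt
```

A CRL that fails this check (wrong signer, or published past its nextUpdate) should be treated as a revocation-checking failure, not as "nothing revoked".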

Next, Generate CRLs and Make Public.