A CRL Distribution Point (CDP) is a URL embedded in issued certificates that points to the CRL on which a revocation of that certificate will appear. A relying party reads the CDP from the certificate, fetches the CRL from that address and checks whether the certificate is listed as part of validating it.
To configure a CDP pointing to the CRL published to the S3 bucket, configure the following CA settings:
- Go to CA Functions > Certification Authorities.
- Select the CA that needs to have the CDP added to it, in this example Corporate Issuing CA - G1, and then click Edit CA.
- Locate the field Default CRL Distribution Point.
- Enter the URL of the CRL generated in the previous section, in this example http://s3.amazonaws.com/s3crlbucket/CorporateIssuingCAG1.crl. If a CName has been set up in DNS for the bucket, enter the custom URL under your own domain instead of the raw S3 address.
It is recommended to use a CName for this URL. A certificate can never be changed once issued, so the CDP URL embedded in it has to stay valid for the whole lifetime of the certificate, and a CName under your own domain can remain constant for that long. Since a CName can point to anything, it allows an administrator to change which infrastructure serves the CRL without changing the address recorded in the certificates. A CName for your domain would point to the S3 AWS URL, for example:
Resulting in a working URL of http://crl.corporation.com/s3crlbucket/CorporateIssuingCAG1.crl. Note that S3 chooses the bucket from the Host header of the request, so a CName that points straight at s3.amazonaws.com only serves the object when the bucket is named after the hostname (crl.corporation.com in this example); for any other bucket name, front the bucket with a website endpoint redirect, a CDN or a reverse proxy that maps the alias to the bucket, and confirm that the alias actually returns the CRL before putting it in the CA settings. Keep the CDP on plain http: relying parties must be able to fetch the CRL without first validating another certificate that may itself depend on this CRL.
For information on removing the bucket name from the URL (in this case s3crlbucket), refer to AWS documentation How Do I Redirect Requests to an S3 Bucket Hosted Website to Another Host?
- Click Save.
- Select the CA that the CDP was added to, and then click Edit CA.
- In the CA Life Cycle section, click Renew CA.
- Select the CA that the CDP was added to, and then click Edit CA.
- In the CA Life Cycle section, click Republish CA Certificates.
The new CDP only applies to certificates issued after the change. Certificates issued earlier keep the CDP they were issued with, so the CRL must stay reachable at the old address until those certificates have expired or been reissued.
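The following script is an added example and is not part of the EJBCA documentation or product. It uses OpenSSL to build a throwaway CA standing in for Corporate Issuing CA - G1, issues a certificate that carries the CDP configured above, publishes a CRL, revokes the certificate and re-publishes, and at each step checks the certificate the way a relying party would. The working directory, the test CA name, the end-entity names web01/web02 and the local CRL file (used in place of a download from the CDP so the script runs offline) are all assumptions.

```shell
#!/bin/sh
# Added example, not from the EJBCA documentation: a throwaway CA that stands in
# for "Corporate Issuing CA - G1", issuing certificates with the CDP configured
# above and a CRL that a relying party checks against. The CRL is read from a
# local file instead of being downloaded from the CDP URL (assumption, so the
# script runs offline); paths, CA name and end-entity names are assumptions.
set -eu

CDP_URL="http://crl.corporation.com/s3crlbucket/CorporateIssuingCAG1.crl"
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Create the test issuing CA and the openssl-ca database it signs from.
mk_ca() {
  cat > "$WORK/ca.cnf" <<EOF
[ req ]
prompt = no
distinguished_name = ca_dn
[ ca_dn ]
CN = Corporate Issuing CA - G1 (test)
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ ca ]
default_ca = cdp_ca
[ cdp_ca ]
dir = $WORK
database = \$dir/index.txt
serial = \$dir/serial
crlnumber = \$dir/crlnumber
new_certs_dir = \$dir
certificate = \$dir/ca.crt
private_key = \$dir/ca.key
default_md = sha256
default_days = 30
default_crl_days = 1
unique_subject = no
policy = cn_only
x509_extensions = ee_ext
[ cn_only ]
commonName = supplied
[ ee_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
# The CDP that ends up in every issued certificate: the EJBCA setting above.
crlDistributionPoints = URI:$CDP_URL
EOF
  openssl req -x509 -config "$WORK/ca.cnf" -extensions ca_ext \
    -newkey rsa:2048 -nodes -days 30 \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
  : > "$WORK/index.txt"
  echo 1000 > "$WORK/serial"
  echo 1000 > "$WORK/crlnumber"
}

# Issue an end-entity certificate with CN=$1; the CDP comes from ee_ext.
issue_cert() {
  openssl req -new -config "$WORK/ca.cnf" -subj "/CN=$1" -newkey rsa:2048 \
    -nodes -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
  openssl ca -batch -notext -config "$WORK/ca.cnf" \
    -in "$WORK/$1.csr" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# Print the URI from the certificate's CRL Distribution Points extension.
# This is the address relying parties will fetch for the certificate's
# whole lifetime, so it must be the one you intend to keep serving.
cdp_url_of() {
  openssl x509 -in "$1" -noout -text | sed -n 's/^ *URI:\(.*\)$/\1/p'
}

# "Generate CRLs and Make Public": in production this file is what gets
# uploaded to the S3 bucket behind the CDP URL.
gen_crl() {
  openssl ca -batch -config "$WORK/ca.cnf" -gencrl \
    -out "$WORK/CorporateIssuingCAG1.crl" >/dev/null 2>&1
}

revoke_cert() {
  openssl ca -batch -config "$WORK/ca.cnf" -revoke "$WORK/$1.crt" >/dev/null 2>&1
  gen_crl   # a revocation is invisible until a new CRL is published
}

# Relying-party check: build the trust store from the CA certificate plus the
# CRL "fetched" from the CDP, then verify with CRL checking enabled.
# Prints "good", "revoked", or the verifier's error text.
check_status() {
  cat "$WORK/ca.crt" "$WORK/CorporateIssuingCAG1.crl" > "$WORK/trust.pem"
  if out=$(openssl verify -crl_check -CAfile "$WORK/trust.pem" "$WORK/$1.crt" 2>&1); then
    echo good
  else
    case "$out" in
      *"certificate revoked"*) echo revoked ;;
      *) echo "error: $out" ;;
    esac
  fi
}

mk_ca
issue_cert web01
echo "CDP in web01.crt: $(cdp_url_of "$WORK/web01.crt")"
gen_crl
echo "before revocation: $(check_status web01)"
revoke_cert web01
echo "after revocation:  $(check_status web01)"
```

Against a real deployment, replace the local CRL file with a download from the address the certificate actually carries, for example `curl -fsS "$(cdp_url_of cert.pem)" -o CorporateIssuingCAG1.crl` (converting with `openssl crl -inform DER` if the published file is DER), and confirm the alias with `dig +short CNAME crl.corporation.com` (assumed name). If the CRL fetched through the CName is not the one the CA just published, the alias is serving stale data and revocations will not reach relying parties.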
Next, Generate CRLs and Make Public.