Static CRL Certificate Validation


A Certificate Authority (CA) may wish to publish a Certificate Revocation List (CRL) to a file. In such cases, the API Gateway can load the revoked certificates from the file-based CRL and validate user certificates against it.

Because the CRL is typically signed by the CA that owns it, the certificate of the CA that issued the CRL must be imported into the Certificate Store before this filter can work correctly. In addition, the CRL (Static) filter requires the certificates message attribute to be set by a preceding filter.

Example Policy

Typically, a Find Certificate filter is first used to find the certificate, which is stored in a certificate message attribute. You can then use a Copy / Modify Attributes filter to copy the certificate attribute to the certificates attribute by selecting its Create list attribute setting.

The following example policy shows the filters used:

Static CRL Policy

The following example shows the settings used in the Copy / Modify Attributes filter:

Copy / Modify Attributes Filter

[Important] Important

Typically, a CA publishes a new CRL, containing the most up-to-date list of revoked certificates at regular intervals. However, the CRL (Static) filter does not automatically update the CRL when it is loaded from a local file. If you need to automatically retrieve updated CRLs from a particular URL, you should use the CRL (Dynamic) filter.


Enter a name for the filter in the Name field, and click the Load CRL button to browse to the location of the CRL file. When the CRL has been loaded from the selected location, read-only information regarding revoked certificates and update dates is displayed in the other fields on the screen.