A certificate revocation
list (CRL) is a time-stamped list of digital certificates that have been
revoked by the certificate authority (CA) that issued them. Each CRL is
signed by a CA and made freely available in a public repository.
When configuring certificate revocation checking in a WebLogic
domain, you can customize the following CRL settings:
- Whether to enable updates from CRL distribution points, which are
used to update the CRL local cache.
- The CRL cache refresh setting. The refresh setting is expressed as
a percentage of a CRL validity period that, when reached, forces a
refresh from the distribution point. For example, for a validity
period of 10 hours, a value of 10% specifies that after one hour, the
cached CRL expires and a fresh CRL is required. The refresh occurs
when the CRL is next required.
- The timeout setting that limits the wait time for CRL downloads
from distribution points. Setting a timeout helps minimize blocked
threads and also reduces the system’s vulnerability to denial of
To customize the CRL configuration in WebLogic Server: