Customize the domain-wide CRL settings

Before you begin

Enable certificate revocation checking. For information, see Enable certificate revocation checking in a domain and X.509 Certificate Revocation Checking.
If you Enable automatic realm restart in the default security realm, you do not need to restart WebLogic Server after activating changes to the CRL configuration.

A certificate revocation list (CRL) is a time-stamped list of digital certificates that have been revoked by the certificate authority (CA) that issued them. Each CRL is signed by a CA and made freely available in a public repository.

When configuring certificate revocation checking in a WebLogic domain, you can customize the following CRL settings:

Whether to enable updates from CRL distribution points, which are used to update the CRL local cache.
The CRL cache refresh setting. The refresh setting is expressed as a percentage of a CRL validity period that, when reached, forces a refresh from the distribution point. For example, for a validity period of 10 hours, a value of 10% specifies that after one hour, the cached CRL expires and a fresh CRL is required. The refresh occurs when the CRL is next required.
The timeout setting that limits the wait time for CRL downloads from distribution points. Setting a timeout helps minimize blocked threads and also reduces the system’s vulnerability to denial of service attacks.

To customize the CRL configuration in WebLogic Server:

If you have not already done so, in the Change Center of the Administration Console, click Lock & Edit (see Use the Change Center).
In the left pane of the Console, under Domain Structure, select the domain name.
Select Security > SSL Certificate Revocation Checking > CRL.
Customize one or more of the following:
- To enable the CRL updates from distrubution points, select the Enable Updates from Distribution Points check box. (Distribution point updates are enabled by default.)
- To customize the CRL cache refresh, click Advanced, and specify the Cache Refresh Period (percent).
- To customize the CRL download timeout setting, click Advanced, and specify the Distribution Point Download Timeout (seconds).
Click Save.
In the Change Center, click Activate Changes. If automatic realm restart is enabled in the default realm, you do not need to restart WebLogic Server for changes to go into effect.

Administration Console Online Help

Customize the domain-wide CRL settings