Configuring Polling for Certificate Revocation Lists

To handle large Certificate Revocation Lists (CRLs), a CRL poller service can be run as part of the server startup. This service downloads the updated CRL for all enabled PKI Certificate authentication realms once a day. Downloaded lists are stored within the Deployment Automation profile folder:

<sda_profile>/var/cache/pki

The CRL poller service downloads CRL lists only if the following are true:

If you use the Internal PKI certificate revocation, you do not need to configure this. See Creating PKI Certificate Authentication Realms.

To configure the poller service:

  1. Navigate to the Tomcat webapps\serena_ra\WEB-INF\classes directory. For example: ..\Common\Tomcat 8.0\webapps\serena_ra\WEB-INF\classes
  2. Edit the following file: serena_ra_config.xml
  3. Add or edit the pkiConfig entries:

    crlPollerEnabled: If set to true, the poller service runs; if set to false, it does not run.

    crlPollerStartHour: Set to an integer value from 0 through 23 in 24-hour time format. If this is not set, the default is 0.

    In the following example, the poller is enabled and the start hour is 0, which means it runs at midnight.

    <pkiConfig>
        <crlPollerEnabled>true</crlPollerEnabled>
        <crlPollerStartHour>0</crlPollerStartHour>
    </pkiConfig>
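
The following check for the pkiConfig entries is an added example, not part of the product or its documentation. It validates crlPollerEnabled and crlPollerStartHour against the rules above before Tomcat is restarted; the function name, the sample XML, the `<config>` wrapper element, and the strict true/false matching are assumptions.

```python
import xml.etree.ElementTree as ET

def check_pki_config(xml_text):
    """Return (enabled, start_hour, problems) for the pkiConfig entries."""
    problems = []
    root = ET.fromstring(xml_text)
    # Where pkiConfig sits inside serena_ra_config.xml is not shown on the
    # page, so search the whole tree (root included).
    nodes = list(root.iter("pkiConfig"))
    if not nodes:
        return False, None, ["no pkiConfig element found"]
    if len(nodes) > 1:
        problems.append("more than one pkiConfig element")
    cfg = nodes[0]

    # Assumption of this checker: only the literal values true/false are valid.
    raw_enabled = (cfg.findtext("crlPollerEnabled") or "").strip()
    if raw_enabled not in ("true", "false"):
        problems.append(f"crlPollerEnabled must be true or false, got {raw_enabled!r}")
    enabled = raw_enabled == "true"

    # Assumption: an empty element is treated the same as an unset one.
    raw_hour = (cfg.findtext("crlPollerStartHour") or "").strip()
    hour = 0  # documented default when the entry is not set
    if raw_hour:
        try:
            hour = int(raw_hour)
        except ValueError:
            hour = None
        if hour is None or not 0 <= hour <= 23:
            problems.append(f"crlPollerStartHour must be an integer 0-23, got {raw_hour!r}")
            hour = None
    return enabled, hour, problems

# Constructed sample input; the <config> wrapper element is hypothetical.
GOOD = """<config><pkiConfig>
    <crlPollerEnabled>true</crlPollerEnabled>
    <crlPollerStartHour>0</crlPollerStartHour>
</pkiConfig></config>"""
BAD = """<config><pkiConfig>
    <crlPollerEnabled>yes</crlPollerEnabled>
    <crlPollerStartHour>24</crlPollerStartHour>
</pkiConfig></config>"""

if __name__ == "__main__":
    for name, text in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_pki_config(text))
```

A non-empty problems list means the poller may not run as intended, in which case revocation checks would rely on a stale or missing CRL cache.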