7.3. Adding a CRL to the OCSP

If a Certificate Manager is unable to publish its CRL to the OCSP, the CRL can be added manually to the OCSP internal database.

To add a CRL to the internal database, do the following:

  1. Open the Certificate Manager's agent services page.

    https://server.example.com:9443/ca/agent/ca
    
  2. Click on Display Revocation List.

  3. In the results page, select the desired CRL issuing point, select the option to display the CRL as base-64, and click Display.

  4. In the CRL details page, scroll to the Certificate revocation list base64 encoded section, which shows the CRL in base-64 format.

  5. Copy the base-64 encoded CRL, including the -----BEGIN CERTIFICATE REVOCATION LIST----- and -----END CERTIFICATE REVOCATION LIST----- marker lines, to the clipboard or a text file.

    The CRL looks similar to the following example:

    -----BEGIN CERTIFICATE REVOCATION LIST-----
    MIHiMIGNAgEBMA0GCSqGSIb3DQEBBQUAMEsxGDAWBgNVBAoTD0RvbWFpbiBTcG9v
    bmJveTEPMA0GA1UECxMGMTAyNnNiMR4wHAYDVQQDExVDZXJ0aWZpY2F0ZSBBdXRo
    b3JpdHkXDTA2MTExMzE4MDM0MFoXDTA2MTExMzIyMDM0MFqgDjAMMAoGA1UdFAQD
    AgFeMA0GCSqGSIb3DQEBBQUAA0EAlbdl7bPD5yLpBwKkSXeSA1fa8M2TiqNynRS1
    B5zDGGAamOBdnKVMEBPEXFsTzk92rjbL0J0KjoMYicTEGO1wKA==
    -----END CERTIFICATE REVOCATION LIST-----
    		
  6. Open the OCSP's agent services page.

    https://server.example.com:11443/ocsp/agent/ocsp
    
  7. In the left frame, click Add Certificate Revocation List.

  8. In the resulting form, paste the encoded CRL inside the Base 64 encoded certificate revocation list (including the header and footer) text area.

  9. Click Add.

    The CRL is added to the internal database of the OCSP.
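
A copied CRL can be checked between steps 5 and 8 for the usual copy-and-paste failures (missing marker lines, a dropped base-64 line) before it is submitted to the OCSP. The following is an added example, not part of the original documentation or of Certificate System; `check_crl_pem` and `constructed_sample` are hypothetical names, the sample is constructed filler with valid framing only, and the check covers PEM and outer DER framing, not the CRL's signature, issuer, or validity dates.

```python
import base64
import re

BEGIN = "-----BEGIN CERTIFICATE REVOCATION LIST-----"
END = "-----END CERTIFICATE REVOCATION LIST-----"

def check_crl_pem(text):
    """Return (ok, reason) for a copied PEM CRL block."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not lines or lines[0] != BEGIN:
        return False, "missing BEGIN marker line"
    if lines[-1] != END:
        return False, "missing END marker line"
    body = "".join(lines[1:-1])
    if not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", body):
        return False, "body is not base-64"
    try:
        der = base64.b64decode(body, validate=True)
    except ValueError:  # binascii.Error (bad padding) is a ValueError
        return False, "body is not base-64"
    # A CRL is one DER SEQUENCE (tag 0x30) whose declared length
    # must account for every remaining byte.
    if len(der) < 2 or der[0] != 0x30:
        return False, "not a DER SEQUENCE"
    if der[1] < 0x80:                      # short-form length
        hdr, length = 2, der[1]
    else:                                  # long-form length
        n = der[1] & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False, "bad DER length"
        hdr, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    if hdr + length != len(der):
        return False, "truncated or extra data: declared %d, found %d" % (
            length, len(der) - hdr)
    return True, "ok"

def constructed_sample():
    """Constructed stand-in: correct PEM/DER framing, filler contents."""
    payload = bytes(range(200))
    der = b"\x30\x81" + bytes([len(payload)]) + payload
    b64 = base64.b64encode(der).decode()
    rows = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([BEGIN] + rows + [END])

if __name__ == "__main__":
    print(check_crl_pem(constructed_sample()))
```

Pass the text saved in step 5 to `check_crl_pem`; a `False` result means the block should be copied again from the Certificate Manager before it is pasted into the OCSP form.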