Revocation Settings by CRL

This page describes how to check certificate revocation using CRL (Certificate Revocation List).
If "Revocation Settings by CRL" is enabled, certificates registered in the revocation list can no longer be used for device certificate authentication.

[ Note ]

The CRL has an expiration date.

If the CRL expires, it will not be used for device certificate authentication.

[ Reference ]

If both OCSP and CRL are enabled simultaneously, verification by OCSP takes priority over that by CRL.
Verification by CRL is executed only when a proper connection cannot be made to the OCSP server.

  1. Click "System" and then "Security Settings."
  2. Click "Device Restriction."
  3. Click "Certificate Revocation Settings" for the desired CA certificate chain.
  4. Click "Enable CRL."
  5. Change the content and then click "Update."

    Option: Description

    Specify the URL of the CRL distribution point: Uses the CRL distribution point for acquisition of the CRL file. The CRL file is automatically updated on a regular basis.
        CRL distribution point URL: Sets the CRL distribution point in the URL format.
        Refresh CRL: Refreshes the CRL file manually.
        Registered CRL: Downloads the revocation list registered with IIJ ID in the DER format.

    Upload a CRL file: Uploads CRL as a file.
        CRL file: Specifies a CRL file to upload.
        Registered CRL: Downloads the revocation list registered with IIJ ID in the DER format.