Configuring Polling for Certificate Revocation Lists

To handle large Certificate Revocation Lists (CRLs), a CRL poller service can run as part of server startup. Once a day it downloads the current CRL for every enabled PKI Certificate authentication realm. Downloaded lists are stored under the Deployment Automation profile folder, for example:

C:\Users\username\.microfocus\da/var/cache/pki

The CRL poller service downloads CRLs only if all of the following are true:

  • A PKI Certificate authentication realm is configured to use External or Both revocation verification source types
  • The CRL Distribution Point property is configured for the PKI Certificate authentication realm
  • The CRL poller flag is set to true in the server configuration file

If the realm uses the Internal revocation verification source, you do not need to configure the poller. See Creating PKI Certificate Authentication Realms.

To configure the poller service:

  1. Navigate to the Common Tomcat webapps\da\WEB-INF\classes directory. For example: C:\Program Files\Micro Focus\common\tomcat\8.5\webapps\da\WEB-INF\classes
  2. Edit the following file: da_config.xml
  3. Add or edit the pkiConfig entries:

    crlPollerEnabled: If set to true, the poller service runs; if set to false, it does not run.

    crlPollerStartHour: An integer from 0 through 23, the hour (24-hour clock) at which the daily download starts. If this is not set, the default is 0.

    In the following example, the poller is enabled and the start hour is 0, which means it runs at midnight.

    <pkiConfig>
        <crlPollerEnabled>true</crlPollerEnabled>
        <crlPollerStartHour>0</crlPollerStartHour>
    </pkiConfig>
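The following script is an added example for checking this configuration; it is not part of Deployment Automation and does not ship with the product. It parses the pkiConfig block with the rules documented above (crlPollerEnabled must be true or false, crlPollerStartHour defaults to 0 and must be 0 through 23), computes when the next daily run will occur, and checks a CRL cache directory for files that have not been refreshed within about a day, which is the symptom you see when the poller is disabled, the CRL Distribution Point is missing, or the distribution point is unreachable. The <daConfig> wrapper element, the CRL file names and the 25-hour staleness threshold are assumptions chosen for illustration; da_config.xml's real root element is not shown on this page.

```python
import os
import tempfile
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta
from pathlib import Path

# Constructed sample of the pkiConfig block documented above. The <daConfig>
# wrapper is a placeholder, not the real root element of da_config.xml.
SAMPLE_CONFIG = """<daConfig>
  <pkiConfig>
    <crlPollerEnabled>true</crlPollerEnabled>
    <crlPollerStartHour>0</crlPollerStartHour>
  </pkiConfig>
</daConfig>"""


def parse_pki_config(xml_text):
    """Return (enabled, start_hour) from the pkiConfig block.

    Applies the documented default (missing crlPollerStartHour -> 0) and
    rejects values the server would not accept."""
    root = ET.fromstring(xml_text)
    pki = root if root.tag == "pkiConfig" else root.find(".//pkiConfig")
    if pki is None:
        raise ValueError("no <pkiConfig> element found")

    enabled_text = (pki.findtext("crlPollerEnabled") or "false").strip().lower()
    if enabled_text not in ("true", "false"):
        raise ValueError(f"crlPollerEnabled must be true or false, got {enabled_text!r}")

    hour_text = (pki.findtext("crlPollerStartHour") or "").strip()
    if hour_text == "":
        start_hour = 0  # documented default when the entry is absent
    else:
        try:
            start_hour = int(hour_text)
        except ValueError:
            raise ValueError(f"crlPollerStartHour must be an integer, got {hour_text!r}")
        if not 0 <= start_hour <= 23:
            raise ValueError(f"crlPollerStartHour must be 0 through 23, got {start_hour}")
    return enabled_text == "true", start_hour


def next_run(start_hour, now):
    """Next daily run at start_hour:00, strictly after `now`."""
    candidate = now.replace(hour=start_hour, minute=0, second=0, microsecond=0)
    if candidate <= now:
        candidate += timedelta(days=1)
    return candidate


def stale_crls(cache_dir, now, max_age_hours=25):
    """Names of cached CRL files not rewritten within max_age_hours.

    The poller runs once a day, so a file older than a day plus a small
    margin (threshold is an assumption) means the poller did not run or
    could not reach the distribution point."""
    stale = []
    for f in sorted(Path(cache_dir).iterdir()):
        if f.is_file():
            age = now - datetime.fromtimestamp(f.stat().st_mtime)
            if age > timedelta(hours=max_age_hours):
                stale.append(f.name)
    return stale


def demo_cache_check():
    """Build a constructed cache directory with one fresh and one stale file
    (the file names are made up) and return the stale names."""
    now = datetime.now()
    with tempfile.TemporaryDirectory() as d:
        for name, hours_old in (("realm-a.crl", 2), ("realm-b.crl", 40)):
            p = Path(d, name)
            p.write_bytes(b"")
            mtime = (now - timedelta(hours=hours_old)).timestamp()
            os.utime(p, (mtime, mtime))
        return stale_crls(d, now)


if __name__ == "__main__":
    enabled, hour = parse_pki_config(SAMPLE_CONFIG)
    print(f"poller enabled: {enabled}, start hour: {hour}")
    if enabled:
        print("next run:", next_run(hour, datetime.now()))
    print("stale CRL files:", demo_cache_check())
```

To run it against a real installation, read da_config.xml from the WEB-INF\classes directory into parse_pki_config and point stale_crls at the profile's var/cache/pki folder; a stale entry for a realm that should be polling is the cue to check the realm's revocation verification source and CRL Distribution Point settings before restarting the server.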