The CRL allows certificates to be invalidated by serial number. The revocation list can be updated by uploading a new CRL manually, or by downloading it from a CRL server periodically. If a client or server certificate is found in the CRL, the SSL handshake fails and a log entry is created with further information about the handshake.

The following are options that can be configured in the PKI profile:
  • Leaf Certificate CRL validation only: When enabled, Avi Load Balancer validates only the leaf certificate against the CRL. The leaf is the next certificate in the chain up from the client certificate. A chain may consist of multiple certificates. To validate all certificates against the CRL, disable this option. If you disable it, you must upload the CRLs issued by each certificate in the chain; if even one CRL is missing, validation fails.

  • Server URL: Specify a server from which CRL updates can be downloaded. The Avi Load Balancer Controller connects to this server from its own IP addresses, so those addresses need firewall access to this destination. The CRL server may be identified by an IP address or a fully qualified domain name (FQDN) along with an HTTP path, such as https://www.avinetworks.com/crl.

  • Upload Certificate Revocation List File: Navigate to the CRL file to upload. Subsequent CRL updates can be done by manually uploading newer lists, or by configuring the Server URL and Update Interval to automate the process.

  • Update Interval: Enter the time (in minutes) after which Avi Load Balancer checks for a CRL update and automatically downloads an updated version of the CRL.

  • When the CRL is approaching expiration or has already expired, you can receive notifications through the events CRL_ENDPOINT_EXPIRING_SOON and CRL_ENDPOINT_EXPIRED by configuring the ssl_certificate_expiry_warning_days option in the Controller properties. For example, when the CRL expires, the CRL_ENDPOINT_EXPIRED event is displayed in the event log:

[Figure: CRL_ENDPOINT_EXPIRED event as displayed by Avi Load Balancer]

  • For more information, see Customizing Notification of Certificate Expiration.
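To make the leaf-only versus full-chain distinction concrete, here is an added Python model written for this page; it is example code, not Avi Load Balancer's own implementation. It represents certificates and CRLs as plain records instead of parsing X.509 (the names, serials and CRL contents are constructed), checks each certificate against the CRL published by its issuer, and shows that full-chain mode fails when one issuing CA's CRL is missing. It also applies the fail-closed rule for an expired CRL described later on this page.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


# Constructed stand-ins for parsed X.509 objects: only the fields the rule needs.
@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    serial: int


@dataclass(frozen=True)
class Crl:
    issuer: str            # CA whose certificates this CRL covers
    revoked: frozenset     # revoked serial numbers
    next_update: datetime  # the CRL's Next Update (expiry) time


def check_cert(cert, crls, now):
    """Return None if cert is acceptable, else the reason it is rejected.

    crls maps issuer name -> Crl (the lists uploaded or downloaded so far)."""
    crl = crls.get(cert.issuer)
    if crl is None:
        return f"no CRL available for issuer {cert.issuer}"
    if now >= crl.next_update:
        return f"CRL for {cert.issuer} has expired (fail closed)"
    if cert.serial in crl.revoked:
        return f"serial {cert.serial} revoked by {cert.issuer}"
    return None


def validate_chain(chain, crls, now, leaf_only):
    """chain[0] is the certificate presented by the client, chain[-1] the root.

    leaf_only=True checks only chain[0] against its issuer's CRL, mirroring the
    'Leaf Certificate CRL validation only' option.  leaf_only=False checks every
    certificate below the self-signed root, so every issuing CA needs a CRL."""
    to_check = chain[:1] if leaf_only else chain[:-1]
    for cert in to_check:
        reason = check_cert(cert, crls, now)
        if reason:
            return (False, reason)
    return (True, "ok")


# Constructed sample chain: client <- issuing CA <- root
ROOT = Cert("Example Root", "Example Root", 1)
ISSUING = Cert("Example Issuing CA", "Example Root", 7)
CLIENT = Cert("alice", "Example Issuing CA", 4242)
CHAIN = [CLIENT, ISSUING, ROOT]
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
FRESH = NOW + timedelta(days=7)

# Only the issuing CA's CRL is present; the root's CRL was never uploaded.
CRLS_ISSUING_ONLY = {
    "Example Issuing CA": Crl("Example Issuing CA", frozenset({9}), FRESH),
}
# Both CRLs present, which is what full-chain validation needs.
CRLS_FULL = {
    **CRLS_ISSUING_ONLY,
    "Example Root": Crl("Example Root", frozenset(), FRESH),
}

if __name__ == "__main__":
    print(validate_chain(CHAIN, CRLS_ISSUING_ONLY, NOW, leaf_only=True))
    print(validate_chain(CHAIN, CRLS_ISSUING_ONLY, NOW, leaf_only=False))
    print(validate_chain(CHAIN, CRLS_FULL, NOW, leaf_only=False))
```

The second call is the case the option text warns about: with leaf-only validation disabled, the intermediate certificate must be checked against the root's CRL, and because that CRL was never uploaded the whole validation fails even though the client certificate itself is not revoked.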

Configuring Update Interval

Avi Load Balancer checks for a CRL update and automatically downloads an updated version of the CRL on a regular schedule starting from the time of the creation of the CRL file object.

Avi Load Balancer checks the CRL distribution point for a new CRL at the configured Update Interval. If no Update Interval is configured or if the Update Interval is greater than 1440 minutes (one day), then an interval of 1440 minutes is used.

The CRL Distribution Server must support ETag-based conditional requests. Avi Load Balancer sends the If-None-Match request header carrying the ETag obtained from the last downloaded CRL response. If the CRL has not been modified, the server responds with 304 Not Modified and no further action is taken until the next refresh interval.
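The conditional-fetch exchange above, shown from both sides as an added Python example (not Avi Load Balancer's code). No network is used: the distribution point is modelled as an object that answers GET requests and honours If-None-Match with a content-derived strong ETag, and the Controller side keeps the last ETag between refreshes. The CRL bytes are constructed placeholders standing in for a DER-encoded CRL; the method and field names are assumptions made for this example.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class CrlServer:
    """Constructed model of a distribution point that supports ETag semantics."""
    crl_der: bytes

    @property
    def etag(self) -> str:
        # Derived from the body, so the tag changes exactly when the CRL does.
        return '"' + hashlib.sha256(self.crl_der).hexdigest()[:16] + '"'

    def publish(self, new_crl: bytes) -> None:
        """The CA publishes a new CRL at the same URL."""
        self.crl_der = new_crl

    def handle_get(self, request_headers: dict) -> tuple:
        """Return (status, response_headers, body) for a GET of the CRL."""
        if request_headers.get("If-None-Match") == self.etag:
            return 304, {"ETag": self.etag}, b""
        return 200, {"ETag": self.etag,
                     "Content-Type": "application/pkix-crl"}, self.crl_der


@dataclass
class CrlClientState:
    """What the Controller side keeps between refreshes."""
    crl_der: Optional[bytes] = None
    etag: Optional[str] = None
    history: list = field(default_factory=list)  # status codes seen so far


def refresh(state: CrlClientState, server: CrlServer) -> bool:
    """One refresh cycle. Returns True if a new CRL was installed."""
    request_headers = {}
    if state.etag is not None:
        request_headers["If-None-Match"] = state.etag   # conditional request
    status, headers, body = server.handle_get(request_headers)
    state.history.append(status)
    if status == 304:
        return False          # unchanged: wait for the next Update Interval
    if status == 200:
        state.crl_der = body  # a real client would parse and validate it here
        state.etag = headers["ETag"]
        return True
    raise RuntimeError(f"unexpected response {status} from CRL server")


def run_cycles(server: CrlServer) -> list:
    """Three refreshes with a new CRL published before the third; returns the
    status codes observed, which should read [200, 304, 200]."""
    state = CrlClientState()
    refresh(state, server)                     # first download -> 200
    refresh(state, server)                     # nothing changed -> 304
    server.publish(server.crl_der + b"-v2")    # CA publishes a new CRL
    refresh(state, server)                     # ETag no longer matches -> 200
    return state.history


if __name__ == "__main__":
    print(run_cycles(CrlServer(b"constructed-crl-v1")))
```

A server that ignores If-None-Match simply answers 200 every time; the client code above still works in that case, it just re-downloads an unchanged CRL at every interval, which is the cost the ETag requirement avoids.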

In general, most Certificate Authorities update CRLs on a known regular schedule, but in some cases CRL publishing intervals may be variable, and the expiry (Next Update) time for a given CRL can also vary. The Update Interval must be configured so that Avi Load Balancer checks for an updated CRL frequently enough that the installed CRL never expires.

If the expiry (Next Update) time of the CRL passes without a new CRL being downloaded, the CRL becomes invalid and Avi Load Balancer fails closed, treating all submitted certificates as untrusted. To override this behavior, defer certificate validation to a DataScript and treat the expired-CRL condition as fail open. See the NSX Advanced Load Balancer SSL Client Certificate Validation section in the VMware Avi Load Balancer DataScript guide.

If the Avi Load Balancer Controller is rebooted or is down for some time, then on reboot the Controller resumes the regular refresh schedule using the expires_at time stored in the corresponding job entry.

If the Controller comes back online after being down for an extended period such that one or more scheduled refresh intervals have been missed (based on the last_refreshed timestamp and configured refresh interval in the PKI Profile), then the Controller will immediately check for an updated CRL.

Dynamic Scheduling of CRL Update

The CRL update is dynamically scheduled only when Update Interval is not configured. If Update Interval is configured, the CRL update runs regularly at that interval. If Update Interval is not configured (left blank), Avi Load Balancer dynamically schedules the next CRL update attempt (NextUpdate - Now)/2 seconds from now, that is, halfway between the current time and the CRL's Next Update time.
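The scheduling rules from the Configuring Update Interval and Dynamic Scheduling sections, combined into one added Python function (example code written for this page, not Avi Load Balancer's scheduler). It applies the 1440-minute clamp to a configured interval, the (NextUpdate - Now)/2 rule when the interval is blank, and the catch-up rule that runs an overdue refresh immediately after the Controller was down. Times are injected as parameters so the behaviour can be checked deterministically; the parameter names and the helper are assumptions for this example.

```python
from datetime import datetime, timedelta, timezone
from typing import Optional

MAX_INTERVAL_MIN = 1440   # a configured interval above one day is clamped to one day


def next_check_time(now: datetime,
                    last_refreshed: datetime,
                    update_interval_min: Optional[int],
                    crl_next_update: datetime) -> datetime:
    """Decide when the Controller should next contact the distribution point.

    now                 -- current time (injected so the logic is testable)
    last_refreshed      -- when the CRL was last fetched (the job's last_refreshed)
    update_interval_min -- the PKI profile's Update Interval, or None if blank
    crl_next_update     -- the Next Update field of the CRL currently installed
    """
    if update_interval_min is not None:
        # Fixed schedule anchored on the last refresh, clamped to 1440 minutes.
        interval = timedelta(minutes=min(update_interval_min, MAX_INTERVAL_MIN))
        due = last_refreshed + interval
    else:
        # Dynamic schedule: halfway between now and the CRL's Next Update.
        due = now + (crl_next_update - now) / 2
    # Catch-up: a refresh that is already overdue (the Controller was down across
    # one or more scheduled intervals, or the CRL has already expired) is run
    # immediately instead of waiting for the next slot.
    return due if due > now else now


def crl_is_usable(now: datetime, crl_next_update: datetime) -> bool:
    """Fail closed: once Next Update has passed, the CRL must not be trusted."""
    return now < crl_next_update


if __name__ == "__main__":
    # Constructed timestamps for a walk-through.
    now = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)
    last = now - timedelta(hours=1)
    nxt = now + timedelta(hours=48)
    print(next_check_time(now, last, 120, nxt))    # last + 2h = 13:00
    print(next_check_time(now, last, 30, nxt))     # overdue, so now
    print(next_check_time(now, last, 5000, nxt))   # clamped: last + 1 day
    print(next_check_time(now, last, None, nxt))   # dynamic: now + 24h
    print(crl_is_usable(now, nxt))                 # True
```

The dynamic rule has a useful property the text implies but does not spell out: each check lands halfway to Next Update, so an unchanged CRL is re-checked at 1/2, 3/4, 7/8 of its remaining lifetime, and a CRL that is already past Next Update produces a due time in the past, which the catch-up branch turns into an immediate check.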