Configuring the CRL is covered in two parts: generating the CRL and re-generating the CRL.

Generating CRL

By default, if client certificate validation is enabled in an HTTP profile, the PKI profile used by the virtual service must contain at least one CRL. This CRL is issued by the CA that signed the client certificate. Use the following OpenSSL command to generate the CRL using the key and the certificate created in the previous steps.

[client-cert-auth-demo] $ openssl ca -gencrl -keyfile CA.key -cert CA.pem -out crl.pem
Using configuration from /etc/pki/tls/openssl.cnf
/etc/pki/CA/index.txt: No such file or directory
unable to open '/etc/pki/CA/index.txt'
139687578113952:error:02001002:system library:fopen:No such file or directory:bss_file.c:398:fopen('/etc/pki/CA/index.txt','r')
139687578113952:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:400:

This command may report errors, as shown above. Take the action that each error requires. For example, the following commands create the /etc/pki/CA/index.txt file and the /etc/pki/CA/crlnumber file with the content 01:
[client-cert-auth-demo] $ touch /etc/pki/CA/index.txt
[client-cert-auth-demo] $ echo 01 > /etc/pki/CA/crlnumber

Re-generating the CRL

After taking the action required by the error in the previous step, re-run the openssl ca -gencrl -keyfile CA.key -cert CA.pem -out crl.pem command to generate the CRL.

[client-cert-auth-demo] $ openssl ca -gencrl -keyfile CA.key -cert CA.pem -out crl.pem
Using configuration from /etc/pki/tls/openssl.cnf
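
The generate, fail, fix, re-generate sequence above can be rehearsed in a scratch directory without touching /etc/pki, and the resulting CRL checked against the CA certificate before it is uploaded to a PKI profile. The shell functions below are an added example, not part of the original procedure; the private ca.cnf, its section names, the demo CA subject and the function names are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original page. ca.cnf, its section names, the
# demo CA subject and all function names are constructed for this demo.

setup_demo_ca() (    # $1 = scratch directory
    mkdir -p "$1" && cd "$1" || exit 1
    # Private config so /etc/pki/tls/openssl.cnf and /etc/pki/CA stay untouched.
    cat > ca.cnf <<'EOF'
[ req ]
prompt             = no
distinguished_name = dn
x509_extensions    = v3_ca
[ dn ]
CN = Demo CA
[ v3_ca ]
basicConstraints = critical,CA:true
keyUsage         = critical,keyCertSign,cRLSign
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database         = ./index.txt
crlnumber        = ./crlnumber
default_md       = sha256
default_crl_days = 30
EOF
    # Throwaway stand-ins for the CA.key and CA.pem from the earlier steps.
    openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes -days 30 \
        -keyout CA.key -out CA.pem 2>/dev/null
)

init_ca_state() (    # the two files the page creates after the first failure
    cd "$1" || exit 1
    : > index.txt        # empty database: nothing issued or revoked yet
    echo 01 > crlnumber  # number for the first CRL; openssl increments it
)

gen_crl() (          # the page's command, pointed at the private config
    cd "$1" || exit 1
    openssl ca -config ca.cnf -gencrl -keyfile CA.key -cert CA.pem \
        -out crl.pem 2>/dev/null
)

crl_verifies() {     # match the message rather than trusting the exit status alone
    openssl crl -in "$1/crl.pem" -CAfile "$1/CA.pem" -noout 2>&1 |
        grep -q "verify OK"
}

next_crl_number() { cat "$1/crlnumber"; }
```

Call order: setup_demo_ca, gen_crl (fails while index.txt is missing), init_ca_state, gen_crl again, then crl_verifies.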