Problem
When a certificate is revoked, whether by a manual revocation or by expiry, the Certificate Revocation List (CRL) is not updated immediately.
Prerequisites (if applicable)
- Vault PKI Secrets Engine
- Certificate Revocation
- Certificate Revocation List (CRL)
Cause
This happens when automatic CRL rebuilding (the auto_rebuild setting in the PKI engine's CRL configuration) is enabled. As the Vault documentation states:
"Enabling automatic rebuilding of CRLs disables immediate regeneration on revocation. This is in line with the behavior of other CAs which only rebuild CRLs periodically."
Solutions
- The documentation suggests either rotating the CRL manually or relying on OCSP for revocation checks.
- Another option is to enable Delta CRLs and set a much shorter delta_rebuild_interval, so newly revoked certificates appear on the delta CRL without waiting for the next full rebuild.
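The options above expressed as Vault CLI calls, in an added example script that is not part of the original article. It assumes the PKI secrets engine is mounted at pki, that VAULT_ADDR and VAULT_TOKEN are already exported, that the openssl binary is on the PATH, and that reading pki/cert/crl returns the current CRL PEM in its certificate field. The function names (show_crl_config, rotate_crl, enable_delta_crl, serial_on_crl) are hypothetical names chosen for this example.

```shell
#!/bin/sh
# Added example, not from the original article. Assumes VAULT_ADDR and
# VAULT_TOKEN are exported and the PKI engine is mounted at "pki".
set -eu

PKI_MOUNT="${PKI_MOUNT:-pki}"

# Diagnosis: print the CRL settings that govern rebuild timing
# (auto_rebuild, auto_rebuild_grace_period, enable_delta, delta_rebuild_interval).
show_crl_config() {
  vault read -format=json "${PKI_MOUNT}/config/crl"
}

# Option 1: force an immediate rebuild of the full CRL (manual rotation).
rotate_crl() {
  vault read "${PKI_MOUNT}/crl/rotate"
}

# Option 2: keep auto_rebuild but publish a delta CRL on a short interval
# so revocations become visible long before the next full rebuild.
enable_delta_crl() {
  interval="${1:-5m}"   # constructed default; pick what your relying parties need
  vault write "${PKI_MOUNT}/config/crl" \
    auto_rebuild=true \
    enable_delta=true \
    delta_rebuild_interval="$interval"
}

# Verification: is the given serial listed on the currently published CRL?
# Vault prints serials as "3a:1f:..."; openssl prints them as uppercase hex
# without colons, so normalise before comparing. Returns 0 if present.
serial_on_crl() {
  serial=$(printf '%s' "$1" | tr -d ':' | tr 'a-f' 'A-F')
  vault read -field=certificate "${PKI_MOUNT}/cert/crl" \
    | openssl crl -noout -text \
    | grep -q "Serial Number: ${serial}"
}

# Run the check only when explicitly asked:
#   RUN_CRL_CHECK=1 sh crl_check.sh <serial>
if [ "${RUN_CRL_CHECK:-}" = "1" ]; then
  show_crl_config
  if serial_on_crl "${1:?serial required}"; then
    echo "serial is on the published CRL"
  else
    echo "serial is NOT yet on the published CRL; rotate, or shorten delta_rebuild_interval"
  fi
fi
```

Running the check right after a revocation shows the gap the article describes: with auto_rebuild enabled and no delta CRL, the serial is absent until the next scheduled rebuild, and only rotate_crl (or a short delta_rebuild_interval via enable_delta_crl) closes it. OCSP needs no script change, since the responder at the mount's ocsp path answers from the revocation records directly.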