When a certificate is revoked, whether through an explicit revoke call or because an already-revoked certificate has since expired and no longer needs to be listed, the CRL (Certificate Revocation List) is not necessarily rebuilt immediately, so a freshly revoked serial can be missing from the published CRL for some time.
Prerequisites (if applicable)
- Vault PKI Secrets Engine
- Certificate Revocation
- Certificate Revocation List (CRL)
This happens when auto_rebuild is enabled in the mount's CRL configuration (pki/config/crl). With it on, Vault regenerates the CRL on a schedule, shortly before the current CRL reaches its expiry (the lead time is auto_rebuild_grace_period), rather than on every revocation. As per Vault documentation:
"Enabling automatic rebuilding of CRLs disables immediate regeneration on revocation. This is in line with the behavior of other CAs which only rebuild CRLs periodically."
Options, depending on how promptly a revocation must become visible:
- Disable auto_rebuild (vault write pki/config/crl auto_rebuild=false). This restores immediate CRL regeneration on every revocation, at the cost of rebuilding the full CRL each time.
- Keep auto_rebuild on and force a full rebuild only when needed by reading pki/crl/rotate after the revocation.
- Enable delta CRLs (enable_delta=true) and set a much shorter delta_rebuild_interval (note the parameter name: delta_rebuild_interval, not delta_build_interval). The delta CRL then carries recent revocations between full rebuilds, and it can also be forced with pki/crl/rotate-delta. This only helps if the relying parties actually fetch and honour delta CRLs; many validators use the base CRL alone.
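The following script is an added example, not part of the original article or of Vault itself. It shows the "keep auto_rebuild, publish a delta CRL often, and force a rotation when a serial is still missing" approach end to end. It assumes the PKI engine is mounted at pki (the PKI_MOUNT variable is an assumption you can override), that VAULT_ADDR and VAULT_TOKEN are exported, that the vault, curl and openssl CLIs are on PATH, and the interval values written by configure_crl are example choices, not recommendations.

```shell
#!/usr/bin/env bash
# Added example (not from the original article): make a revoked serial show up
# on the published CRL despite auto_rebuild delaying full regeneration.
# Assumptions: PKI engine mounted at "pki", VAULT_ADDR/VAULT_TOKEN exported,
# vault, curl and openssl on PATH. Interval values below are example choices.
set -eu

PKI_MOUNT="${PKI_MOUNT:-pki}"

# Vault prints serials as colon-separated lowercase hex ("3a:1b:..."); the
# openssl CRL text dump prints one uppercase hex string. Normalise to openssl's form.
normalize_serial() {
    printf '%s' "$1" | tr -d ':' | tr '[:lower:]' '[:upper:]'
}

# Read a CRL text dump (openssl crl -noout -text) on stdin; succeed only if the
# given serial appears as a revoked entry.
serial_in_crl_text() {
    local want
    want="$(normalize_serial "$1")"
    grep -E "^[[:space:]]*Serial Number: ${want}[[:space:]]*$" >/dev/null
}

# Pick the rotate endpoint: with delta CRLs enabled, rotating only the delta is
# cheaper than a full rebuild and still publishes the new entry.
rotate_path() {
    case "$1" in
        true) printf '%s/crl/rotate-delta\n' "$PKI_MOUNT" ;;
        *)    printf '%s/crl/rotate\n'       "$PKI_MOUNT" ;;
    esac
}

# Keep periodic full rebuilds, but publish a delta CRL every minute (example value).
configure_crl() {
    vault write "$PKI_MOUNT/config/crl" \
        expiry=72h \
        auto_rebuild=true auto_rebuild_grace_period=12h \
        enable_delta=true delta_rebuild_interval=1m
}

# Revoke a certificate, check whether the serial is already published, and force
# a rotation if it is not.
revoke_and_publish() {
    local serial="$1" enable_delta path url
    vault write "$PKI_MOUNT/revoke" serial_number="$serial" >/dev/null
    enable_delta="$(vault read -field=enable_delta "$PKI_MOUNT/config/crl")"
    path="$(rotate_path "$enable_delta")"
    if [ "$enable_delta" = true ]; then
        url="$VAULT_ADDR/v1/$PKI_MOUNT/crl/delta/pem"   # unauthenticated delta CRL
    else
        url="$VAULT_ADDR/v1/$PKI_MOUNT/crl/pem"         # unauthenticated full CRL
    fi
    if curl -sf "$url" | openssl crl -noout -text | serial_in_crl_text "$serial"; then
        echo "serial $serial is already on the published CRL"
    else
        echo "serial $serial not yet published; rotating via $path"
        vault read "$path" >/dev/null
        curl -sf "$url" | openssl crl -noout -text | serial_in_crl_text "$serial" \
            && echo "serial $serial is now on the CRL"
    fi
}

# Usage: ./crl_publish.sh configure
#        ./crl_publish.sh revoke <serial-from-vault>
if [ "${1:-}" = "configure" ]; then
    configure_crl
elif [ "${1:-}" = "revoke" ] && [ -n "${2:-}" ]; then
    revoke_and_publish "$2"
fi
```

The check deliberately reads the CRL through the unauthenticated /crl/pem and /crl/delta/pem paths, because that is what relying parties see; a serial that Vault reports as revoked but that is absent there is exactly the gap the article describes.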