Hosting a Certificate Revocation List

If you've created a certification authority and decided to include support for issuing and hosting a certificate revocation list, that revocation list must be hosted by a web server that publishes it at the URL that was defined when the CA was created.

If you already have a web server you can use for that purpose, then you simply need to copy the CRL file to that web server. But if not, the instructions here will walk you through installing and configuring a simple Apache web server to host the CRL.

Install the Apache Web Server

These instructions are for RHEL and similar distributions (dnf, firewalld, SELinux). If you're using a different platform, determine how to install Apache using that system's package manager and adjust the firewall and SELinux steps accordingly.

Install Apache
sudo dnf install -y httpd
sudo systemctl enable --now httpd

Create a Dedicated Directory for the CRL

Create CRL directory
sudo mkdir -p /var/www/crl
sudo chown root:root /var/www/crl
sudo chmod 755 /var/www/crl

Define a Minimal Apache Configuration

Use your favorite text editor to create a configuration file:

Create Apache configuration
sudo vi /etc/httpd/conf.d/crl.conf

And then add this content:

Configuration file content
Alias /crl /var/www/crl

<Directory "/var/www/crl">
    Options None
    AllowOverride None
    Require all granted
</Directory>

# Optional: force correct MIME type
AddType application/pkix-crl .crl

This configuration makes the files in /var/www/crl available under the /crl path on the server (e.g., http://<server>/crl/ca.crl, where <server> is the host name in the CRL distribution point URL that was defined when the CA was created).
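Once Apache is reloaded, it is worth confirming that the CRL is actually reachable at the published URL and is served with the application/pkix-crl type that the AddType line above sets. The following script is an added example, not part of the original page: check_crl_headers validates a captured set of HTTP response headers, and check_crl_url wraps it around curl (and, if openssl is installed, parses the downloaded body as a DER CRL and prints its lastUpdate/nextUpdate). The host name in the usage line is a placeholder.

```shell
#!/bin/sh
# Added example (not from the original page): verify that Apache serves the CRL
# with a 200 status and the application/pkix-crl MIME type.

# check_crl_headers: read HTTP response headers on stdin (as produced by
# `curl -I`) and confirm a 200 status and Content-Type application/pkix-crl.
# Returns 0 on success, 1 otherwise; tolerates CRLF line endings.
check_crl_headers() {
    headers="$(cat)"
    # status code is the second word of the status line, e.g. "HTTP/1.1 200 OK"
    status="$(printf '%s\n' "$headers" | head -n 1 | tr -d '\r' | awk '{print $2}')"
    # first Content-Type header, lower-cased; ': *' splits name from value
    ctype="$(printf '%s\n' "$headers" | tr -d '\r' \
        | awk -F': *' 'tolower($1)=="content-type" {print tolower($2); exit}')"
    if [ "$status" != "200" ]; then
        echo "unexpected HTTP status: ${status:-none}" >&2
        return 1
    fi
    case "$ctype" in
        application/pkix-crl*) ;;
        *)
            echo "unexpected Content-Type: ${ctype:-none} (is the AddType line present in crl.conf?)" >&2
            return 1
            ;;
    esac
    return 0
}

# check_crl_url URL: fetch the headers of the published CRL and validate them;
# then, when openssl is available, confirm the body is a DER-encoded CRL and
# show its validity window so a stale CRL is noticed before clients reject it.
check_crl_url() {
    url="$1"
    curl -sS -I "$url" | check_crl_headers || return 1
    if command -v openssl >/dev/null 2>&1; then
        curl -sS "$url" | openssl crl -inform DER -noout -lastupdate -nextupdate || return 1
    fi
    return 0
}

# Usage (replace the placeholder host with the name in your CA's CRL distribution point):
# check_crl_url "http://<server>/crl/ca.crl"
```

Run it from a machine other than the web server where possible, so that the firewall and SELinux steps are exercised as well as the Apache configuration.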

Restart Apache

Restart Apache
sudo systemctl reload httpd

Open Firewall Ports (if necessary)

Open firewall ports
sudo firewall-cmd --permanent --add-service=http
sudo firewall-cmd --reload

Configure SELinux (if necessary)

Configure SELinux
sudo semanage fcontext -a -t httpd_sys_content_t "/var/www/crl(/.*)?"
sudo restorecon -Rv /var/www/crl

Copy the CRL to the Web Server

Adjust the following command as necessary based on the name and location of your CRL file:

Distribute CRL
sudo cp ~/local-ca/local-ca.crl /var/www/crl/ca.crl
sudo chown root:root /var/www/crl/ca.crl
sudo chmod 644 /var/www/crl/ca.crl

Update as Necessary

It is critical that you update the ca.crl file immediately each time you revoke a server certificate.
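Because the copy step above is repeated after every revocation, it helps to script it so that the published file is always a valid DER CRL and is replaced in one step rather than overwritten in place. The following script is an added example, not part of the original page. It assumes the page's paths (the CRL at ~/local-ca/local-ca.crl and the served file at /var/www/crl/ca.crl) and is meant to be run as root (via sudo) so the file ends up root-owned as in the copy step; the openssl conversion is only used when the source CRL is PEM, which is the default output of openssl ca -gencrl.

```shell
#!/bin/sh
# Added example (not from the original page): publish a freshly generated CRL
# into the Apache-served directory without ever exposing a half-written file.

# publish_crl SRC DST: validate SRC, convert PEM to DER if needed, then replace
# DST atomically with mode 0644. Returns 0 on success, 1 on any failure.
publish_crl() {
    src="$1"
    dst="$2"
    dstdir="$(dirname "$dst")"
    [ -f "$src" ] || { echo "source CRL not found: $src" >&2; return 1; }
    [ -d "$dstdir" ] || { echo "destination directory missing: $dstdir" >&2; return 1; }

    # stage the new file inside the destination directory so the final mv is a
    # same-filesystem rename, which clients observe as all-old or all-new
    tmp="$(mktemp "$dstdir/.ca.crl.XXXXXX")" || return 1

    if grep -q -- '-----BEGIN X509 CRL-----' "$src" 2>/dev/null; then
        # PEM input: application/pkix-crl (RFC 2585) carries DER, so convert
        openssl crl -in "$src" -inform PEM -outform DER -out "$tmp" \
            || { rm -f "$tmp"; return 1; }
    else
        cp "$src" "$tmp" || { rm -f "$tmp"; return 1; }
    fi

    # a DER CertificateList begins with a SEQUENCE tag (0x30); refuse anything else
    first="$(od -An -tx1 -N1 "$tmp" | tr -d ' \n')"
    if [ "$first" != "30" ]; then
        echo "not a DER-encoded CRL (first byte 0x${first:-??})" >&2
        rm -f "$tmp"
        return 1
    fi

    chmod 0644 "$tmp"
    mv -f "$tmp" "$dst" || { rm -f "$tmp"; return 1; }

    # re-apply the httpd_sys_content_t label on SELinux hosts (no-op elsewhere)
    if command -v restorecon >/dev/null 2>&1; then
        restorecon "$dst" >/dev/null 2>&1 || true
    fi
    return 0
}

# Usage, after each revocation and after each periodic CRL regeneration:
# sudo sh -c '. ./publish_crl.sh && publish_crl "$HOME/local-ca/local-ca.crl" /var/www/crl/ca.crl'
```

A CRL also carries a nextUpdate time, and many clients reject a CRL whose nextUpdate has passed just as they would a missing one, so the same script should be run from a cron job or systemd timer that regenerates and republishes the CRL before that time even when nothing has been revoked.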