Certificate revocation list (CRL)
Airlock Gateway lets you upload certificate revocation lists in PEM format. If a client certificate is on such a list, it is not accepted and the connection fails. Although Airlock provides this functionality, it is recommended to check certificates against CRLs and other types of denylists within the authentication service and not in Airlock.
For example, if the client certificate is blocked on Airlock Gateway using the CRL, the corresponding SSL handshake will fail and the user will not be able to connect to the authentication service. Typically, it is better to let technically valid certificates connect to the authentication service and verify the content of the certificate there. The same applies to certificate validity, expiry, etc. This does not mean that anybody can connect to the authentication service, since the user first needs a technically valid certificate.
Use the upload, download, and delete buttons to modify the CRL parameter. After that, confirm the settings on the page and activate the new configuration as usual for the changes to take effect.
Automatic update of CRLs
Airlock Gateway allows you to periodically update your certificate revocation lists (CRLs). For more information, please read this Techzone Article.