This page is for product admins managing PKI infrastructure. CRL configuration is an advanced topic — most users don’t need to configure custom mirrors.
How It Works
- The Infisical-managed URL is included as the primary CDP by default. It can be disabled per CA.
- Up to 4 mirror URLs can be configured per CA.
- URLs must use
http://orhttps://. - Changes apply only to certificates issued after the update — existing certificates are not affected.
Configure CRL Mirrors
- Infisical UI
- API
Mirror URLs can be configured at CA creation time or any time after via the CRL Distribution Points card on the CA detail page.
1
Navigate to CA details
Go to Certificate Manager → Certificate Authorities → Internal and select your CA.
2
Edit CRL Distribution Points
Click the pencil icon on the CRL Distribution Points card.
3
Add mirror URLs
Add one URL per row, in order of preference (clients try them in the listed order).
4
Disable managed CRL URL (optional)
Toggle Disable managed CRL URL to exclude the Infisical-managed CRL endpoint from issued certificates. This is useful when the Infisical instance is not reachable by certificate consumers.
Keeping Mirrors in Sync
Infisical regenerates each CA’s CRL automatically — CRLs are rebuilt whenever a certificate is revoked or the existing CRL is approaching itsnextUpdate time. To keep your mirrors useful, pull the latest CRL on a schedule and republish it at each mirror URL.
Fetch the current CRL
Run this on a cron schedule that’s well within the CRL validity window — every few hours is a reasonable default — so mirrors never serve a stale or expired CRL to validators.
Example: Sync to S3
What’s Next?
CA Renewal
Renew your CA certificates before expiry.
Certificate Policies
Define rules for certificate issuance.