Every certificate issued by an internal CA embeds a CRL Distribution Point (CDP) extension that tells validators where to fetch the revocation list. You can register additional mirror URLs at the CA level so validators have fallback locations if the primary endpoint is unreachable.
This page is for product admins managing PKI infrastructure. CRL configuration is an advanced topic — most users don’t need to configure custom mirrors.
The Infisical-managed URL is always included as the primary CDP and cannot be removed.
Up to 4 mirror URLs can be configured per CA.
URLs must use http:// or https://.
Changes apply only to certificates issued after the update — existing certificates are not affected.
Infisical only advertises the mirror URLs in issued certificates — it does not publish your CRL to them. You are responsible for fetching the latest CRL from Infisical and serving an up-to-date copy at every mirror URL you register. If a mirror serves a stale CRL, validators that fall back to it will get outdated revocation information and may continue to trust certificates you have already revoked.
Infisical regenerates each CA’s CRL automatically — CRLs are rebuilt whenever a certificate is revoked or the existing CRL is approaching its nextUpdate time. To keep your mirrors useful, pull the latest CRL on a schedule and republish it at each mirror URL.
curl --location --request GET 'https://app.infisical.com/api/v1/cert-manager/ca/internal/<ca-id>/crls' \
  --header 'Authorization: Bearer <access-token>'
The response contains the PEM-encoded CRL. Write it to your mirror destination using your preferred sync method.
Run this on a cron schedule that’s well within the CRL validity window — every few hours is a reasonable default — so mirrors never serve a stale or expired CRL to validators.
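One way to guard the republish step so a failed or stale fetch never replaces a good copy on the mirror. This is an added example, not Infisical's code. It assumes the PEM CRL from the request above has already been saved to a file, that the `openssl` CLI and GNU `date` are available, and the function names and `MIN_REMAINING_SECS` are hypothetical.

```bash
#!/usr/bin/env bash
# Added example: validate a fetched CRL, then publish it atomically to a mirror.
# Assumes the openssl CLI and GNU date; both paths are supplied by the caller.

MIN_REMAINING_SECS=${MIN_REMAINING_SECS:-3600}  # assumed margin before nextUpdate

# Print a CRL date field as epoch seconds; fails if the file is not a PEM CRL.
crl_epoch() {  # usage: crl_epoch <pem-file> <lastupdate|nextupdate>
  local raw
  raw=$(openssl crl -in "$1" -inform PEM -noout "-$2" 2>/dev/null) || return 1
  date -u -d "${raw#*=}" +%s 2>/dev/null
}

# Succeed only for a parseable CRL that is not about to expire and is not
# older than the copy the mirror already serves.
crl_ok_to_publish() {  # usage: crl_ok_to_publish <candidate.pem> <served.pem>
  local now next this served
  now=$(date -u +%s)
  next=$(crl_epoch "$1" nextupdate) || { echo "reject: not a usable PEM CRL" >&2; return 1; }
  this=$(crl_epoch "$1" lastupdate) || return 1
  if [ $((next - now)) -lt "$MIN_REMAINING_SECS" ]; then
    echo "reject: nextUpdate is past or too close" >&2; return 1
  fi
  if [ -f "$2" ] && served=$(crl_epoch "$2" lastupdate) && [ "$this" -lt "$served" ]; then
    echo "reject: candidate is older than the served CRL" >&2; return 1
  fi
}

# Write a temp file beside the target and rename it, so a validator never
# downloads a half-written CRL and a rejected fetch leaves the old copy alone.
publish_crl() {  # usage: publish_crl <candidate.pem> <served.pem>
  local tmp
  crl_ok_to_publish "$1" "$2" || return 1
  tmp=$(mktemp "$2.XXXXXX") || return 1
  cp "$1" "$tmp" && chmod 644 "$tmp" && mv -f "$tmp" "$2" || { rm -f "$tmp"; return 1; }
}

# Runs only with both paths given, e.g. from cron right after the curl step.
if [ "$#" -eq 2 ]; then publish_crl "$1" "$2"; fi
```

The script checks parseability and freshness only; it does not verify the CRL signature. A non-zero exit from the cron job is the signal to alert on, since the mirror is then still serving the previous CRL.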