crl url

Use crl url to specify the URL of the CRL repository.

Use undo crl url to restore the default.


crl url url-string [ vpn-instance vpn-instance-name ]

undo crl url


The URL of the CRL repository is not specified.


PKI domain view

Predefined user roles




url-string: Specifies the URL of the CRL repository, a case-sensitive string of 1 to 511 characters. The URL format is ldap://server_location or http://server_location. The URL length is restricted by the CLI string limitation or the url-string parameter, whichever is smaller.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters. If the CRL repository is on the public network, do not specify this option.

Usage guidelines

To use CRL checking, a CRL must be obtained from a CRL repository.

The device selects a CRL repository in the following order:

  1. CRL repository specified in the PKI domain by using this command.

  2. CRL repository in the certificate that is being verified.

  3. CRL repository in the CA certificate or CRL repository in the upper-level CA certificate if the CA certificate is the certificate being verified.

After the previous selection process, if the CRL repository is not found, the device obtains the CRL through SCEP. In this scenario, the CA certificate and the local certificates must have been obtained.

If an LDAP URL is specified, the device must connect to the LDAP server to obtain the CRL. If the LDAP URL does not contain the address of the LDAP server, use the ldap-server command to configure the server address in the PKI domain.


# Set the URL of the CRL repository to

<Sysname> system-view
[Sysname] pki domain aaa
[Sysname-pki-domain-aaa] crl url

# Set the URL of the CRL repository to ldap:// in MPLS L3VPN instance vpn1.

<Sysname> system-view
[Sysname] pki domain 1
[Sysname-pki-domain-1] crl url ldap:// vpn-instance vpn1

Related commands


pki retrieve-crl