3.11.20. TLS_CRLFile

This optional parameter specifies one or more CRL files that are used to check peer certificates for revocation when all the following conditions apply:
  • TLS is enabled.
  • TLS is configured to check peer certificates with TLS_RequireClientCert.
  • CRL checking is enabled with TLS_CRLCheck.
The CRL files are also used when TLS_CRLCheckAll is enabled.
If the CRL file is not found or the CRL says the certificate has been revoked, TLS authentication fails with an error:
SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
To ease automation, CRLs may follow a file naming convention where each CRL file uses a special file name in the TLS_CAPath directory. Setting up this directory is described in Section 3.11.3. TLS_CAPath. In this case you do not need to configure TLS_CRLFile.
If CRLs are not stored in the CAPath directory, one or more CRLs can be named with multiple EAPTLS_CRLFile parameters. CRL reloading works as follows: each CRL file named with TLS_CRLFile is automatically reloaded and reread at the start of each new TLS session if the modification date of that file has changed since it was last loaded. If the CRL for a particular issuer changes, it is sufficient to replace the existing CRL file with the newer version, and Radiator will reload the new CRL when required.
Tip
Operating system wildcards are supported, so you can name multiple CRLs with a single wildcard like:
TLS_CRLFile %D/crls/revocations-*.pem
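The following script is an added example and not part of the Radiator manual or Radiator itself. It uses openssl(1) to build a throwaway CA, issue two client certificates, revoke one, and publish the CRL both ways this section describes: as an explicit file whose name matches the wildcard pattern above (what TLS_CRLFile names), and under the OpenSSL hashed name <issuer-hash>.r0 inside a directory standing in for TLS_CAPath (the "special file name" convention of Section 3.11.3). It then runs openssl verify with CRL checking to show the revoked certificate being rejected, and rewrites the CRL in place to show the situation the reload rule covers: same file name, new contents and modification time. The directory layout, the CA and subject names, and the `check_cert` helpers are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the Radiator manual): a scratch CA plus CRL, published
# as an explicit file (TLS_CRLFile style) and as a hashed link (TLS_CAPath style).
set -e

WORK=""     # scratch directory, set by make_pki
CAPATH=""   # stands in for the TLS_CAPath directory (constructed)
CRLDIR=""   # stands in for %D/crls (constructed)

make_pki() {
    WORK=$(mktemp -d); CAPATH="$WORK/capath"; CRLDIR="$WORK/crls"
    mkdir -p "$WORK/ca" "$CAPATH" "$CRLDIR"
    ( cd "$WORK/ca"
      touch index.txt; echo 01 > serial; echo 01 > crlnumber
      # minimal openssl ca(1) configuration; the root gets cRLSign so it may sign CRLs
      cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo
[ demo ]
dir = .
database = $dir/index.txt
new_certs_dir = $dir
serial = $dir/serial
crlnumber = $dir/crlnumber
certificate = $dir/ca.pem
private_key = $dir/ca.key
default_md = sha256
default_days = 365
default_crl_days = 30
policy = any_dn
[ any_dn ]
commonName = supplied
[ req ]
distinguished_name = dn
x509_extensions = root
[ dn ]
commonName = Common Name
[ root ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
      openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config ca.cnf \
          -subj "/CN=Demo CA" -keyout ca.key -out ca.pem 2>/dev/null
      for who in alice bob; do   # constructed client identities
          openssl req -newkey rsa:2048 -nodes -config ca.cnf -subj "/CN=$who" \
              -keyout "$who.key" -out "$who.csr" 2>/dev/null
          openssl ca -batch -notext -config ca.cnf -in "$who.csr" -out "$who.pem" 2>/dev/null
      done
      # revoke bob; write the CRL under a name the wildcard revocations-*.pem matches
      openssl ca -config ca.cnf -revoke bob.pem 2>/dev/null
      openssl ca -config ca.cnf -gencrl -out "$CRLDIR/revocations-demo.pem" 2>/dev/null )
}

# OpenSSL hashed names used by a CApath lookup: <subject-hash>.0 for a CA
# certificate, <issuer-hash>.rN for a CRL (N counts up when one issuer has several)
install_ca_hashed() {
    h=$(openssl x509 -in "$WORK/ca/ca.pem" -hash -noout)
    ln -sf "$WORK/ca/ca.pem" "$CAPATH/$h.0"
}
install_crl_hashed() {
    h=$(openssl crl -in "$1" -hash -noout); n=0
    while [ -e "$CAPATH/$h.r$n" ]; do n=$((n + 1)); done
    ln -s "$1" "$CAPATH/$h.r$n"
    echo "$CAPATH/$h.r$n"
}
# the wildcard form from the tip, expanded by the shell rather than by Radiator
install_all_crls() {
    for crl in "$CRLDIR"/revocations-*.pem; do install_crl_hashed "$crl"; done
}

# 0 if the certificate chains to the CA and no CRL found in CAPATH lists it
check_cert() {
    if openssl verify -CApath "$CAPATH" -crl_check "$1" >/dev/null 2>&1; then return 0; fi
    return 1
}
# same check with the CRL named explicitly, the way TLS_CRLFile names it
check_cert_crlfile() {
    if openssl verify -CAfile "$WORK/ca/ca.pem" -CRLfile "$2" -crl_check "$1" >/dev/null 2>&1; then return 0; fi
    return 1
}

# Revoke another certificate and rewrite the CRL in place: the file name stays,
# only contents and mtime change, which is what triggers a reload per the manual.
republish_crl() {
    ( cd "$WORK/ca"
      openssl ca -config ca.cnf -revoke "$1.pem" 2>/dev/null
      openssl ca -config ca.cnf -gencrl -out "$CRLDIR/revocations-demo.pem" 2>/dev/null )
}

main() {
    make_pki; install_ca_hashed; install_all_crls
    for who in alice bob; do
        if check_cert "$WORK/ca/$who.pem"; then echo "$who: accepted"; else echo "$who: revoked"; fi
    done
    republish_crl alice
    if check_cert "$WORK/ca/alice.pem"; then echo "alice: accepted"; else echo "alice: revoked after CRL refresh"; fi
}
if [ "${1:-}" = "--run" ]; then main; fi
```

Run it as `sh crl-demo.sh --run`. The first pass reports alice accepted and bob revoked; after `republish_crl alice` the same file path now lists alice, and the verify step rejects her too. Radiator reaches the same result without a restart because it compares the CRL file's modification date at the start of each TLS session, so the operational rule is simply to replace the file atomically (write to a temporary name, then rename) rather than edit it in place while sessions may be starting.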