This worker fetches a CRL from a given endpoint and uses it to check whether a client certificate presented to Cloudflare Access Mutual TLS has been revoked.

There are a few setup steps needed to use this worker:
- Create or reuse a Cloudflare Workers KV namespace and put the ID in your `wrangler.toml` file on the `kv-namespaces` line.
  - If you are creating a new namespace, you can use wrangler to do it:

    ```sh
    $ wrangler kv:namespace create CRL_NAMESPACE
    ```

  - Copy the output of the command into your `wrangler.toml` file and replace the stub.
- Set the URL of your CRL.
  - If you are using wrangler version 1.8.0 or higher, set the `CRL_URL` variable in your `wrangler.toml` file to your CRL URL.
  - If you are using a wrangler version older than 1.8.0, uncomment and replace the `CRL_URL` variable in `index.js` with the location of your CRL, and remove the `vars` line in the `wrangler.toml` file.
Make sure you have set the needed configuration and then run the following:

```sh
wrangler publish
```
By default we rely on the `nextUpdate` field in the CRL to know when to refresh it. However, you can force a refresh of the CRL by adding a `force-crl-refresh: 1` header to your request.
- Due to Workers CPU time limits, any CRL with more than 5000 serial numbers on it has a chance to hit the CPU time limit and fail.
- This worker will only check the CRL if the incoming request had a certificate successfully presented to the Cloudflare edge.
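The following is an added example, not the project's `index.js`, showing the pieces such a worker needs: a minimal DER walk over an X.509 CRL (RFC 5280 section 5) to pull out `nextUpdate` and the revoked serial numbers, the refresh rule described above (`nextUpdate` or a `force-crl-refresh: 1` header), and the "only check when the edge verified a client certificate" guard. The KV binding name `CRL_NAMESPACE`, the `env.CRL_URL` variable, and the `request.cf.tlsClientAuth.certVerified` / `certSerial` fields are assumptions about the deployment; the sample CRL at the bottom is constructed so the parser can be exercised offline.

```javascript
// Added example, not the project's own code. Assumes: a KV binding named
// CRL_NAMESPACE, a CRL_URL variable (both reachable through `env`), and the
// Workers `request.cf.tlsClientAuth` fields certVerified / certSerial.

// --- minimal DER reader: enough to walk an X.509 CRL (RFC 5280 section 5) ---
function readTLV(buf, off) {
  const tag = buf[off];
  let len = buf[off + 1], hdr = 2;
  if (len & 0x80) {                       // long-form length
    const n = len & 0x7f; len = 0;
    for (let i = 0; i < n; i++) len = (len << 8) | buf[off + 2 + i];
    hdr = 2 + n;
  }
  return { tag, start: off + hdr, end: off + hdr + len };
}
function children(buf, tlv) {             // TLVs directly inside a constructed TLV
  const out = [];
  for (let off = tlv.start; off < tlv.end; ) { const c = readTLV(buf, off); out.push(c); off = c.end; }
  return out;
}
function hexOf(buf, tlv) {
  return Array.from(buf.subarray(tlv.start, tlv.end), b => b.toString(16).padStart(2, '0')).join('');
}
function timeOf(buf, tlv) {               // UTCTime (0x17) or GeneralizedTime (0x18), Zulu form
  let s = String.fromCharCode(...buf.subarray(tlv.start, tlv.end));
  if (tlv.tag === 0x17) s = (parseInt(s.slice(0, 2), 10) >= 50 ? '19' : '20') + s;
  return new Date(Date.UTC(+s.slice(0, 4), +s.slice(4, 6) - 1, +s.slice(6, 8),
                           +s.slice(8, 10), +s.slice(10, 12), +s.slice(12, 14)));
}
// Serials: the edge reports hex (possibly colon separated) and a DER INTEGER may carry a
// leading 0x00 pad byte, so normalise both sides to lowercase hex, no separators, no leading zeros.
function normalizeSerial(s) {
  return s.replace(/[:\s]/g, '').toLowerCase().replace(/^0+(?=.)/, '');
}

// Extract thisUpdate, nextUpdate and the set of revoked serials from a DER CRL.
// The CRL signature is NOT verified here; fetch it over TLS from a URL you trust.
function parseCRL(der) {
  const buf = der instanceof Uint8Array ? der : new Uint8Array(der);
  const tbs = children(buf, readTLV(buf, 0))[0];       // tbsCertList
  const f = children(buf, tbs);
  let i = f[0].tag === 0x02 ? 1 : 0;                   // optional version INTEGER
  i += 2;                                              // skip signature AlgorithmIdentifier and issuer Name
  const thisUpdate = timeOf(buf, f[i++]);
  const nextUpdate = f[i] && (f[i].tag === 0x17 || f[i].tag === 0x18) ? timeOf(buf, f[i++]) : null;
  const revoked = new Set();
  if (f[i] && f[i].tag === 0x30) {                     // revokedCertificates SEQUENCE OF entry
    for (const entry of children(buf, f[i])) revoked.add(normalizeSerial(hexOf(buf, children(buf, entry)[0])));
  }
  return { thisUpdate, nextUpdate, revoked };
}
function isRevoked(crl, serial) { return crl.revoked.has(normalizeSerial(serial)); }
// Refresh when nextUpdate has passed (or is missing) or the caller forced it.
function needsRefresh(crl, now, force) { return force || !crl.nextUpdate || now >= crl.nextUpdate; }

// --- Worker glue (hypothetical bindings; wire handleRequest into your fetch handler) ---
async function loadCRL(env, force) {
  let der = force ? null : await env.CRL_NAMESPACE.get('crl', 'arrayBuffer');
  let crl = der ? parseCRL(der) : null;
  if (!crl || needsRefresh(crl, new Date(), force)) {
    const res = await fetch(env.CRL_URL);
    if (!res.ok) throw new Error('CRL fetch failed: ' + res.status);  // fail closed on fetch errors
    der = await res.arrayBuffer();
    crl = parseCRL(der);
    await env.CRL_NAMESPACE.put('crl', der);
  }
  return crl;
}
async function handleRequest(request, env) {
  const tls = request.cf && request.cf.tlsClientAuth;
  if (!tls || tls.certVerified !== 'SUCCESS') return fetch(request); // no verified client cert: nothing to check
  const force = request.headers.get('force-crl-refresh') === '1';
  const crl = await loadCRL(env, force);
  if (isRevoked(crl, tls.certSerial)) return new Response('client certificate revoked', { status: 403 });
  return fetch(request);
}

// --- constructed sample CRL (two revoked serials, 0x1001 and 0xABCD) for offline testing ---
const ascii = s => Array.from(s, c => c.charCodeAt(0));
const cat = (...parts) => Uint8Array.from(parts.flatMap(p => Array.from(p)));
const enc = (tag, body) => {                            // DER TLV encoder, lengths up to 255
  const b = Array.from(body);
  return Uint8Array.from([tag, ...(b.length < 0x80 ? [b.length] : [0x81, b.length]), ...b]);
};
const sha256Rsa = enc(0x30, cat(enc(0x06, [0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b]), enc(0x05, [])));
const SAMPLE_CRL = enc(0x30, cat(
  enc(0x30, cat(                                                   // tbsCertList
    enc(0x02, [0x01]),                                             // version v2
    sha256Rsa,
    enc(0x30, enc(0x31, enc(0x30, cat(enc(0x06, [0x55, 0x04, 0x03]), enc(0x0c, ascii('Test CA')))))), // CN=Test CA
    enc(0x17, ascii('240101000000Z')),                             // thisUpdate
    enc(0x17, ascii('240201000000Z')),                             // nextUpdate
    enc(0x30, cat(                                                 // revokedCertificates
      enc(0x30, cat(enc(0x02, [0x10, 0x01]), enc(0x17, ascii('240105000000Z')))),
      enc(0x30, cat(enc(0x02, [0x00, 0xab, 0xcd]), enc(0x17, ascii('240106000000Z')))))))),
  sha256Rsa,
  enc(0x03, [0x00, 0xde, 0xad])));                                 // dummy signature BIT STRING
```

Two design points worth noting: `loadCRL` throws when the CRL cannot be fetched, so a broken CRL endpoint produces an error response rather than silently letting every certificate through, and the parser only walks the CRL structure without checking its signature, so the `CRL_URL` endpoint itself has to be one you trust (served over TLS from the issuing CA). Serial numbers are compared after normalisation because a DER INTEGER whose top bit is set carries an extra leading zero byte that the edge's hex serial will not have.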