Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?


crl (Security)


Hierarchy Level


Configure the certificate revocation list (CRL). A CRL is a time-stamped list identifying revoked certificates, which is signed by a CA and made available to the participating IPsec peers on a regular periodic basis.


disable on-download-failure

(Optional) Override the default behavior and permit certificate verification even if the CRL fails to download.

refresh-interval hours

Specify the amount of time interval in hours between certificate revocation list (CRL) updates.

  • Range: 0 through 8784 hours.

  • Default: Next-update time in CRL, or 1 week, if no next-update time is specified.

url url-name

Name of the location from which to retrieve the CRL through HTTP or Lightweight Directory Access Protocol (LADP). You can specify one URL for each configured CA profile. By default, no location is specified. Use a fully qualified domain name (FQDN) or an IP address and, optionally, a port number. If no port number is specified, port 80 is used for HTTP and port 443 is used for LDAP.

Required Privilege Level

security—To view this statement in the configuration.

security-control—To add this statement to the configuration.

Release Information

Statement introduced in Junos OS Release 8.5. disable option is introduced in Junos OS Release 9.0.