Add rlm_crl docs from sample config

diff --git a/doc/antora/modules/reference/nav.adoc b/doc/antora/modules/reference/nav.adoc
index 33bb0227d5c64bee1a374d5a35b97578f91a0825..3e9a71c45e4229b60200dffb13e086149c3b3b7e 100644 (file)
--- a/doc/antora/modules/reference/nav.adoc
+++ b/doc/antora/modules/reference/nav.adoc
@@ -161,6 +161,7 @@
 
 *** xref:raddb/mods-available/doc/authentication.adoc[Authentication]
 **** xref:raddb/mods-available/chap.adoc[CHAP module]
+**** xref:raddb/mods-available/crl.adoc[CRL]
 **** xref:raddb/mods-available/digest.adoc[Digest]
 **** xref:raddb/mods-available/eap.adoc[EAP]
 **** xref:raddb/mods-available/eap_inner.adoc[EAP/Inner]

diff --git a/doc/antora/modules/reference/pages/raddb/mods-available/crl.adoc b/doc/antora/modules/reference/pages/raddb/mods-available/crl.adoc
new file mode 100644 (file)
index 0000000..c268366
--- /dev/null
+++ b/doc/antora/modules/reference/pages/raddb/mods-available/crl.adoc
@@ -0,0 +1,96 @@
+
+
+
+
+= CRL Module
+
+The `crl` module provides CRL checking of TLS certificates.
+
+Its primary use case is within the `verify certificate` processing
+section of the `tls-session` virtual server when verifying client
+certificates during EAP-TLS.
+
+
+
+## Configuration Settings
+
+
+source:: Where CRLs will be loaded from
+
+
+dynamic:: Expansions for CRLs loaded dynamically from URIs in certificates
+
+The CRL distribution point URI will be in the
+attribute `CRL.CDP-URL` when this expansion is performed.
+
+
+http:: Expansion to use when URI scheme is http
+
+The `rest` module must be enabled to support this
+
+
+
+ldap:: Expansion to use when URI scheme is ldap
+
+If any CRLs need to be retrieved by LDAP queries
+then configure and enable the `ldap` module to
+support this.
+
+If the URIs in CRL distribution points do not include
+an LDAP host (i.e. they start ldap:///) then the
+ldap module must be configured with the correct
+server details to fetch the CRL from
+
+
+
+force_expiry:: Maximum time between expiring CRLs
+
+If the `nextUpdate` attribute of a CRL is closer than this interval
+then that will be used as the point that the CRL is expired.
+
+
+
+force_delta_expiry:: Maximum time between expiring delta CRLs
+
+This overrides `force_expiry` for delta CRLs.
+
+
+
+early_refresh:: Time before `nextUpdate` which the CRL will be refreshed
+
+
+
+ca_file:: File containing trusted CA, used to sign CRLs
+
+This can reference the setting in the `eap` module, but in that
+case, the eap module must be instantiate before the `crl` module
+by adding it to the list of explicitly instantiated modules
+in `radiusd.conf`
+
+
+
+ca_path:: Directory containing trusted CAs, used to sign CRLs
+
+
+== Default Configuration
+
+```
+crl {
+       source {
+               dynamic {
+                       http = %rest('GET', "%uri.safe(%{CRL.CDP-URL})")
+#                      ldap = %ldap(%ldap.uri.safe("%{CRL.CDP-URL}"))
+               }
+       }
+#      force_expiry = 7d
+#      force_delta_expiry = 1d
+       early_refresh = 1h
+#      ca_file = ${modules.eap.tls-config[tls-common].ca_file}
+       ca_file = ${cadir}/rsa/ca.pem
+#      ca_path = ${modules.eap.tls-config[tls-common].ca_path}
+       ca_path = ${cadir}
+}
+```
+
+// Copyright (C) 2025 Network RADIUS SAS.  Licenced under CC-by-NC 4.0.
+// This documentation was developed by Network RADIUS SAS.