
ssl_crl_dir — PostgreSQL configuration parameter

Category: Connections and Authentication. Default: empty, meaning no CRLs are used (unless ssl_crl_file is set). Change scope: SIGHUP.

Specifies the name of the directory containing the SSL client certificate revocation list (CRL).

At a glance

Property | Value
Parameter | ssl_crl_dir
Category | Connections and Authentication
Default | empty
Value type | string
Change scope | Reload (postgresql.conf, SIGHUP)
Available in | PostgreSQL 14, 15, 16, 17, 18, 19 (added in 14)

What it does

Specifies the name of the directory containing the SSL client certificate revocation list (CRL). Relative paths are relative to the data directory. This parameter can only be set in the postgresql.conf file or on the server command line. The default is empty, meaning no CRLs are used (unless ssl_crl_file is set).

The directory needs to be prepared with the OpenSSL command openssl rehash or c_rehash. See its documentation for details.

(Description quoted from the official PostgreSQL documentation.)
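
Because of the preparation step described above, a CRL file copied into the directory without re-running openssl rehash has no hash-named link, and OpenSSL's directory lookup will not find it. The shell function below is an added example, not part of the PostgreSQL documentation. It assumes CRL files are named *.pem or *.crl (a naming assumption, not a PostgreSQL requirement) and that hash links use the <8 hex digits>.r<N> names that openssl rehash creates.

```shell
# Added example (not from the PostgreSQL documentation): audit a directory
# meant for ssl_crl_dir. "openssl rehash" gives every CRL a symlink named
# <8 hex digits>.r<N>; OpenSSL looks CRLs up in a directory by those names,
# so a CRL file without such a link is never found.
#
# Prints one finding per line. Returns 0 if clean, 1 if anything was found.
check_crl_dir() {
    local dir="$1" rc=0 h='[0-9a-f]' f link found
    [ -d "$dir" ] || { echo "NOT_A_DIRECTORY $dir"; return 1; }

    # Hash links whose CRL file was deleted without re-running rehash.
    # $h is left unquoted on purpose so it expands as a glob pattern.
    for link in "$dir"/$h$h$h$h$h$h$h$h.r[0-9]*; do
        [ -L "$link" ] || continue
        [ -e "$link" ] || { echo "DANGLING_LINK ${link##*/}"; rc=1; }
    done

    # CRL files (assumed naming: *.pem or *.crl) that no hash link points to.
    for f in "$dir"/*.pem "$dir"/*.crl; do
        [ -f "$f" ] && [ ! -L "$f" ] || continue
        found=0
        for link in "$dir"/$h$h$h$h$h$h$h$h.r[0-9]*; do
            [ -L "$link" ] || continue
            if [ "$(basename "$(readlink "$link")")" = "${f##*/}" ]; then
                found=1
            fi
        done
        [ "$found" -eq 1 ] || { echo "NOT_HASHED ${f##*/}"; rc=1; }
    done
    return "$rc"
}
```

Run check_crl_dir on the configured directory after every CRL refresh. If it reports findings, re-run openssl rehash on the directory before reloading the server.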

How to apply a change

Set it in postgresql.conf (or with ALTER SYSTEM) and reload with SELECT pg_reload_conf(); or pg_ctl reload — no restart needed.

Inspect the current value and source with SHOW ssl_crl_dir; or SELECT name, setting, unit, context, source FROM pg_settings WHERE name = 'ssl_crl_dir';.

Tuning guidance

This is a connectivity or security setting, not a performance knob. Choose the value from your security and network requirements (TLS files, ciphers, keepalives, authentication behaviour) rather than for throughput, and verify it against your organization’s policy. Test changes in staging, because a wrong value here can lock clients out.

Reference

PostgreSQL documentation — ssl_crl_dir.
