The CRL being served by the CRL Master has not added a newly revoked certificate for 4
months. The CRL is updated and published as expected every four hours, just with no change
to the list of revocations. Currently the CRL lists 34 certificates where as a query with
ipa cert-find returns 40.
The missing certificates are not expired.
I do not see any errors in /var/log/pki/pki-tomcat/ca/debug*
I've been through the steps at
https://www.freeipa.org/page/Troubleshooting/PKI and
checked the CRL settings per
https://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master
The CRL files in /var/lib/ipa/pki-ca/publish/ are being generated/updated.