This is old, but nobody ever answered the poor person's question. On a small deployment with a more closed environment, CRL works well. No, you can't get the controller to download the CRL. But you can. Steps to get this working:
1. Issue a new CRL. If you're doing this manually, consider making the CRL for a longer period. Some are configured for as short as 1 day. You can't admin a box by uploading a CRL daily.
2. Upload to the controller. I called mine "crl". Certificate Type is CRL and certificate format is "DER".
3. Add CRL as a revocation check method:
This was added when I uploaded to my controller. Keeping the names simple makes things simple. KISS is my design goal. I do part in the GUI and the rest on the command line. You can do both from either. So this is what is added after I upload using the GUI:
crypto-local pki CRL crl ca.crl
So let's add it to the configuration:
crypto-local pki rcp "cacert_ec"
crl-location file "crl"
revocation-check crl
My CA is called "cacert_ec".
Since I called my uploaded CRL "CRL", we reference it as such. The commands are done in this order:
crl-location file "crl"
Then we change the revocation method from "NONE" to "CRL":
revocation-check crl
You do not, like some implementations, have to build the CRL location into your certificate.
Remember CRL does scale well. You must upload a new CRL every time you revoke a certificate and before the uploaded CRL expires. Works better in a closed environment where few control it all.
Please see attached. Note in the picture that the reference number for the crl file is one. If you're at zero, then you're not doing it right.
Remember proper policy will keep you out of trouble. You must have a method to your madness. That method is your policy.
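As an added example that is not part of the original post: a standard-library Python check to run on a CRL file before uploading it, confirming it is DER (unwrapping PEM if needed) and reporting nextUpdate, the revoked-entry count and the days left before the uploaded copy expires. The function names and the sample CRL (issuer "cacert_ec", dummy signature) are constructed for illustration, and the signature is not verified.

```python
import base64
from datetime import datetime, timezone

def to_der(data: bytes) -> bytes:  # unwrap PEM to DER, the format the post uploads
    if data.lstrip().startswith(b"-----BEGIN X509 CRL-----"):
        body = b"".join(l.strip() for l in data.splitlines() if b"-----" not in l)
        return base64.b64decode(body)
    return data

def read_tlv(buf: bytes, pos: int):  # one DER element -> (tag, value, next_pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(value: bytes) -> list:
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def parse_time(tag: int, val: bytes) -> datetime:
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"  # UTCTime, else GeneralizedTime
    return datetime.strptime(val.decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def crl_summary(data: bytes, now: datetime) -> dict:
    """thisUpdate, nextUpdate, revoked count and days left (RFC 5280 TBSCertList)."""
    fields = children(children(read_tlv(to_der(data), 0)[1])[0][1])  # tbsCertList members
    if fields[0][0] == 0x02:  # optional version INTEGER
        fields = fields[1:]
    rest = fields[3:]  # what follows signature algorithm, issuer, thisUpdate
    nxt = parse_time(*rest.pop(0)) if rest and rest[0][0] in (0x17, 0x18) else None
    revoked = len(children(rest[0][1])) if rest and rest[0][0] == 0x30 else 0
    days = (nxt - now).days if nxt else None  # negative: the uploaded CRL has expired
    return {"this_update": parse_time(*fields[2]), "next_update": nxt, "revoked": revoked, "days_left": days}

# Constructed sample CRL (dummy signature, not verified here); _tlv does short lengths only.
def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag, len(body)]) + body
_ALG = _tlv(0x30, _tlv(0x06, bytes.fromhex("2a8648ce3d040302")))  # ecdsa-with-SHA256
_NAME = _tlv(0x30, _tlv(0x31, _tlv(0x30, _tlv(0x06, b"\x55\x04\x03") + _tlv(0x0C, b"cacert_ec"))))
_REVOKED = _tlv(0x30, _tlv(0x30, _tlv(0x02, b"\x05") + _tlv(0x17, b"240110000000Z")))
_TBS = _tlv(0x30, _tlv(0x02, b"\x01") + _ALG + _NAME + _tlv(0x17, b"240101000000Z")
            + _tlv(0x17, b"240131000000Z") + _REVOKED)
SAMPLE_CRL = _tlv(0x30, _TBS + _ALG + _tlv(0x03, b"\x00\x00"))
```

For a real file, pass its bytes and `datetime.now(timezone.utc)` to `crl_summary` and alert while `days_left` is still comfortably positive.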