In order to active CRL checking pls set the following properties in elasticsearch.yml (on all http enabled nodes):
# set this to true to enable crl validation
# default is false
searchguard.ssl.http.crl.validate: true
# file based static revocation list, by default this is null
# if null then either ocsp or crldp needs to be enabled
# crl file must be in config/ dir, so this path is relative here
#searchguard.ssl.http.crl.file_path: mycrl.crl
# default is false (means we prefer ocsp over crlfile)
#searchguard.ssl.http.crl.prefer_crlfile_over_ocsp: true
# default is true (means we do not validate intermediate certificats)
#searchguard.ssl.http.crl.check_only_end_entities: false
# default is false (means we use oscp if available)
#searchguard.ssl.http.crl.disable_ocsp: true
# default is false (means we use crldp if available)
#searchguard.ssl.http.crl.disable_crldp: true
Please note: CRL check is only available for the HTTPS layer (port 9200), not for transport layer (9300)