diff --git a/attributes/default.rb b/attributes/default.rb
index b33a010..6561dc6 100644
--- a/attributes/default.rb
+++ b/attributes/default.rb
@@ -106,6 +106,8 @@ default['openstack']['identity']['ssl']['chainfile'] = nil
 default['openstack']['identity']['ssl']['ca_certs'] = "#{node['openstack']['identity']['ssl']['basedir']}/certs/sslca.pem"
 # path of the CA cert files for SSL (Apache)
 default['openstack']['identity']['ssl']['ca_certs_path'] = "#{node['openstack']['identity']['ssl']['basedir']}/certs/"
+# (optional) path to certificate-revocation lists (Apache)
+default['openstack']['identity']['ssl']['ca_revocation_path'] = nil
 
 # Fernet keys to read from databags/vaults. This should be changed in the
 # environment when rotating keys (with the defaults below, the items
diff --git a/spec/server-apache_spec.rb b/spec/server-apache_spec.rb
index f8b8a50..0609254 100644
--- a/spec/server-apache_spec.rb
+++ b/spec/server-apache_spec.rb
@@ -396,6 +396,8 @@ describe 'openstack-identity::server-apache' do
 /SSLCertificateFile/,
 /SSLCertificateKeyFile/,
 /SSLCACertificatePath/,
+ /SSLCARevocationPath/,
+ /SSLCARevocationCheck/,
 /SSLCertificateChainFile/,
 /SSLProtocol/,
 /SSLCipherSuite/,
@@ -424,6 +426,8 @@ describe 'openstack-identity::server-apache' do
 end
 end
 [
+ /SSLCARevocationPath/,
+ /SSLCARevocationCheck/,
 /SSLCertificateChainFile/,
 /SSLCipherSuite/,
 /SSLVerifyClient require/,
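Review bot: The new comment on `ca_revocation_path` should say what setting it actually switches on, because the template hunk in templates/default/wsgi-keystone.conf.erb emits `SSLCARevocationCheck chain` together with `SSLCARevocationPath`, and mod_ssl in chain mode, as I recall the Apache docs, fails client-certificate verification whenever no CRL is found for any CA in the presented chain, not only when a certificate is listed as revoked. The directory also has to hold PEM-encoded CRLs reachable by hash filename (the same layout openssl's c_rehash produces for `ca_certs_path`), which an operator cannot guess from "path to certificate-revocation lists". I would replace the added comment with `# (optional) directory of PEM-encoded, hash-named CRLs (Apache). When set, the` / `# template also emits 'SSLCARevocationCheck chain', so every CA in the client` / `# chain needs a current CRL here or client-cert verification fails.`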
@@ -432,15 +436,18 @@ describe 'openstack-identity::server-apache' do
 expect(chef_run).not_to render_file(file).with_content(line)
 end
 end
- context 'Enable chainfile, ciphers & cert_required' do
+ context 'Enable ca_revocation_path, chainfile, ciphers & cert_required' do
 cached(:chef_run) do
 node.override['openstack']['identity']['ssl']['enabled'] = true
+ node.override['openstack']['identity']['ssl']['ca_revocation_path'] = '/etc/keystone/ssl/crl.d'
 node.override['openstack']['identity']['ssl']['chainfile'] = '/etc/keystone/ssl/certs/chainfile.pem'
 node.override['openstack']['identity']['ssl']['ciphers'] = 'ciphers_value'
 node.override['openstack']['identity']['ssl']['cert_required'] = true
 runner.converge(described_recipe)
 end
 [
+ %r{SSLCARevocationPath /etc/keystone/ssl/crl.d$},
+ /SSLCARevocationCheck chain$/,
 %r{SSLCertificateChainFile /etc/keystone/ssl/certs/chainfile.pem$},
 /SSLCipherSuite ciphers_value$/,
 /SSLVerifyClient require$/,
diff --git a/templates/default/wsgi-keystone.conf.erb b/templates/default/wsgi-keystone.conf.erb
index 05d44ec..d29f2ca 100644
--- a/templates/default/wsgi-keystone.conf.erb
+++ b/templates/default/wsgi-keystone.conf.erb
@@ -20,6 +20,10 @@
 SSLCertificateFile <%= node['openstack']['identity']['ssl']['certfile'] %>
 SSLCertificateKeyFile <%= node['openstack']['identity']['ssl']['keyfile'] %>
 SSLCACertificatePath <%= node['openstack']['identity']['ssl']['ca_certs_path'] %>
+ <% if node['openstack']['identity']['ssl']['ca_revocation_path'] %>
+ SSLCARevocationPath <%= node['openstack']['identity']['ssl']['ca_revocation_path'] %>
+ SSLCARevocationCheck chain
+ <% end -%>
 <% if node['openstack']['identity']['ssl']['chainfile'] %>
 SSLCertificateChainFile <%= node['openstack']['identity']['ssl']['chainfile'] %>
 <% end -%>
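Review bot: The check mode on the new `SSLCARevocationCheck chain` line is a hard-coded literal, so an operator who needs `leaf` (check only the client certificate) or who has no CRL for an intermediate CA cannot adjust it without forking the template; everything else in this SSL block is driven by a node attribute. The strict default is the right one to keep, but I would read the mode from an attribute that falls back to it, e.g. `SSLCARevocationCheck <%= node['openstack']['identity']['ssl']['ca_revocation_check'] || 'chain' %>` (attribute name illustrative, it would need a matching default and spec line). The `<% if ... %>` opener without `-%>` leaves a whitespace-only line in the rendered vhost, which matches the existing chainfile block below, so that is style only. The enclosing `ssl['enabled']` block starts and ends outside the hunk.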