Problem

Resolution

-- The gateway accesses CRLs referenced in filters like CRL (Dynamic) during deployment and attempts to cache them.  In the case where it only fails when the CRL is large, this may be due to an OOM during deploy.

To increase the memory allocated for the deployment request, edit groups/group-X/instance-X/conf/mgmt.xml config for the management interface, e.g. <SSLInterface  ... maxRequestMemory="xxx" ...  Increase maxRequestMemory until it is big enough to accommodate your policies.

Also note that another consequence of the gateway accessing CRLs during deploy is that the CRL must always be accessible during deploy or deployment will fail.  This means that the gateway cannot serve a CRL to itself as it will not be able to serve files during deployment.  An independent gateway could still serve it a CRL, though, as it would not be affected by deployments made to another group.