docs(crl): add config docs for CRL options

etc/emqx.conf

@@ -1549,6 +1549,32 @@ listener.ssl.external.cacertfile = {{ platform_etc_dir }}/certs/cacert.pem
 ## Value: Duration
 ## listener.ssl.external.ocsp_refresh_http_timeout = 15s
 
+## Whether to enable CRL verification and caching for this listener.
+## If set to true, requires specifying the CRL server URLs.
+##
+## Value: boolean
+## Default: false
+## listener.ssl.external.enable_crl_cache = true
+
+## Comma-separated URL list for CRL servers to fetch and cache CRLs
+## from.  Must include the path to the CRL file(s).
+##
+## Value: String
+## listener.ssl.external.crl_cache_urls = http://my.crl.server/intermediate.crl.pem, http://my.other.crl.server/another.crl.pem
+
+## The timeout for the HTTP request when fetching CRLs.
+##
+## Value: Duration
+## Default: 15 s
+## listener.ssl.external.crl_cache_http_timeout = 15s
+
+## The period to refresh the CRLs from the servers.  This is global
+## for all URLs and listeners.
+##
+## Value: Duration
+## Default: 15 m
+## crl_cache.refresh_interval = 15m
+
 ## The Ephemeral Diffie-Helman key exchange is a very effective way of
 ## ensuring Forward Secrecy by exchanging a set of keys that never hit
 ## the wire. Since the DH key is effectively signed by the private key,